Merge "Remove additional references to ldap role attribs"
commit
6324ce1eba
@ -1671,9 +1671,6 @@ The corresponding entries in the Keystone configuration file are:
|
|||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
user_objectclass = inetOrgPerson
|
user_objectclass = inetOrgPerson
|
||||||
|
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
|
||||||
role_objectclass = organizationalRole
|
|
||||||
|
|
||||||
The default object classes and attributes are intentionally simplistic. They
|
The default object classes and attributes are intentionally simplistic. They
|
||||||
reflect the common standard objects according to the LDAP RFCs. However, in a
|
reflect the common standard objects according to the LDAP RFCs. However, in a
|
||||||
live deployment, the correct attributes can be overridden to support a
|
live deployment, the correct attributes can be overridden to support a
|
||||||
@ -1701,10 +1698,6 @@ and you have only read access, in such case the configuration is:
|
|||||||
user_allow_update = False
|
user_allow_update = False
|
||||||
user_allow_delete = False
|
user_allow_delete = False
|
||||||
|
|
||||||
role_allow_create = True
|
|
||||||
role_allow_update = True
|
|
||||||
role_allow_delete = True
|
|
||||||
|
|
||||||
There are some configuration options for filtering users, tenants and roles, if
|
There are some configuration options for filtering users, tenants and roles, if
|
||||||
the backend is providing too much output, in such case the configuration will
|
the backend is providing too much output, in such case the configuration will
|
||||||
look like:
|
look like:
|
||||||
@ -1713,7 +1706,6 @@ look like:
|
|||||||
|
|
||||||
[ldap]
|
[ldap]
|
||||||
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
|
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
|
||||||
role_filter =
|
|
||||||
|
|
||||||
In case that the directory server does not have an attribute enabled of type
|
In case that the directory server does not have an attribute enabled of type
|
||||||
boolean for the user, there is several configuration parameters that can be
|
boolean for the user, there is several configuration parameters that can be
|
||||||
@ -1753,11 +1745,6 @@ specified classes in the LDAP module so you can configure them like:
|
|||||||
user_enabled_mask = 2
|
user_enabled_mask = 2
|
||||||
user_enabled_default = 512
|
user_enabled_default = 512
|
||||||
user_attribute_ignore = tenant_id,tenants
|
user_attribute_ignore = tenant_id,tenants
|
||||||
role_objectclass = organizationalRole
|
|
||||||
role_id_attribute = cn
|
|
||||||
role_name_attribute = ou
|
|
||||||
role_member_attribute = roleOccupant
|
|
||||||
role_attribute_ignore =
|
|
||||||
|
|
||||||
Debugging LDAP
|
Debugging LDAP
|
||||||
--------------
|
--------------
|
||||||
|
@ -438,7 +438,7 @@ class DomainConfigTests(object):
|
|||||||
self.domain['id'], config)
|
self.domain['id'], config)
|
||||||
# Try an option that IS in the standard conf, but neither whitelisted
|
# Try an option that IS in the standard conf, but neither whitelisted
|
||||||
# or marked as sensitive
|
# or marked as sensitive
|
||||||
config = {'ldap': {'role_tree_dn': uuid.uuid4().hex}}
|
config = {'identity': {'user_tree_dn': uuid.uuid4().hex}}
|
||||||
self.assertRaises(exception.InvalidDomainConfig,
|
self.assertRaises(exception.InvalidDomainConfig,
|
||||||
self.domain_config_api.create_config,
|
self.domain_config_api.create_config,
|
||||||
self.domain['id'], config)
|
self.domain['id'], config)
|
||||||
|
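Review bot: The replacement config on the new side, `{'identity': {'user_tree_dn': uuid.uuid4().hex}}`, no longer matches the comment above it. `user_tree_dn` appears elsewhere on this page only among LDAP settings, so under the `identity` group it is presumably not a standard conf option at all. If so, `assertRaises(exception.InvalidDomainConfig, ...)` passes on the unknown-option path, and the rejection of a valid option that is neither whitelisted nor sensitive goes untested. That rejection is the check that stops the domain-config API from setting arbitrary options. Consider an option that belongs to its group but sits outside the whitelist, for example `config = {'identity': {'max_password_length': uuid.uuid4().hex}}`, after confirming it is not whitelisted in this tree; the test method starts outside the hunk.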
@ -4,7 +4,6 @@ user = cn=Manager,dc=openstack,dc=org
|
|||||||
password = test
|
password = test
|
||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
|
@ -4,7 +4,6 @@ user = cn=Manager,dc=openstack,dc=org
|
|||||||
password = test
|
password = test
|
||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
|
@ -4,7 +4,6 @@ user = dc=Manager,dc=openstack,dc=org
|
|||||||
password = test
|
password = test
|
||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
|