Merge "Remove more ldap project references"
commit
ea4abae947
@ -1671,9 +1671,6 @@ The corresponding entries in the Keystone configuration file are:
|
|||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
user_objectclass = inetOrgPerson
|
user_objectclass = inetOrgPerson
|
||||||
|
|
||||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
|
||||||
project_objectclass = groupOfNames
|
|
||||||
|
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||||
role_objectclass = organizationalRole
|
role_objectclass = organizationalRole
|
||||||
|
|
||||||
@ -1704,10 +1701,6 @@ and you have only read access, in such case the configuration is:
|
|||||||
user_allow_update = False
|
user_allow_update = False
|
||||||
user_allow_delete = False
|
user_allow_delete = False
|
||||||
|
|
||||||
project_allow_create = True
|
|
||||||
project_allow_update = True
|
|
||||||
project_allow_delete = True
|
|
||||||
|
|
||||||
role_allow_create = True
|
role_allow_create = True
|
||||||
role_allow_update = True
|
role_allow_update = True
|
||||||
role_allow_delete = True
|
role_allow_delete = True
|
||||||
@ -1720,7 +1713,6 @@ look like:
|
|||||||
|
|
||||||
[ldap]
|
[ldap]
|
||||||
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
|
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=org)
|
||||||
project_filter =
|
|
||||||
role_filter =
|
role_filter =
|
||||||
|
|
||||||
In case that the directory server does not have an attribute enabled of type
|
In case that the directory server does not have an attribute enabled of type
|
||||||
@ -1761,13 +1753,6 @@ specified classes in the LDAP module so you can configure them like:
|
|||||||
user_enabled_mask = 2
|
user_enabled_mask = 2
|
||||||
user_enabled_default = 512
|
user_enabled_default = 512
|
||||||
user_attribute_ignore = tenant_id,tenants
|
user_attribute_ignore = tenant_id,tenants
|
||||||
project_objectclass = groupOfNames
|
|
||||||
project_id_attribute = cn
|
|
||||||
project_member_attribute = member
|
|
||||||
project_name_attribute = ou
|
|
||||||
project_desc_attribute = description
|
|
||||||
project_enabled_attribute = extensionName
|
|
||||||
project_attribute_ignore =
|
|
||||||
role_objectclass = organizationalRole
|
role_objectclass = organizationalRole
|
||||||
role_id_attribute = cn
|
role_id_attribute = cn
|
||||||
role_name_attribute = ou
|
role_name_attribute = ou
|
||||||
@ -1797,14 +1782,13 @@ Enabled Emulation
|
|||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
Some directory servers do not provide any enabled attribute. For these servers,
|
Some directory servers do not provide any enabled attribute. For these servers,
|
||||||
the ``user_enabled_emulation`` and ``project_enabled_emulation`` attributes
|
the ``user_enabled_emulation`` attribute has been created. It is enabled by
|
||||||
have been created. They are enabled by setting their respective flags to True.
|
setting the respective flags to True. Then the attribute
|
||||||
Then the attributes ``user_enabled_emulation_dn`` and
|
``user_enabled_emulation_dn`` may be set to specify how the enabled users are
|
||||||
``project_enabled_emulation_dn`` may be set to specify how the enabled users
|
selected. This attribute works by using a ``groupOfNames`` entry and adding
|
||||||
and projects (tenants) are selected. These attributes work by using a
|
whichever users or that you want enabled to the respective group with the
|
||||||
``groupOfNames`` entry and adding whichever users or projects (tenants) that
|
``member`` attribute. For example, this will mark any user who is a member of
|
||||||
you want enabled to the respective group with the ``member`` attribute. For
|
``enabled_users`` as enabled:
|
||||||
example, this will mark any user who is a member of ``enabled_users`` as enabled:
|
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
@ -1812,15 +1796,14 @@ example, this will mark any user who is a member of ``enabled_users`` as enabled
|
|||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org
|
user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org
|
||||||
|
|
||||||
The default values for user and project (tenant) enabled emulation DN is
|
The default values for user enabled emulation DN is
|
||||||
``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn``
|
``cn=enabled_users,$user_tree_dn``.
|
||||||
respectively.
|
|
||||||
|
|
||||||
If a different LDAP schema is used for group membership, it is possible to use
|
If a different LDAP schema is used for group membership, it is possible to use
|
||||||
the ``group_objectclass`` and ``group_member_attribute`` attributes to
|
the ``group_objectclass`` and ``group_member_attribute`` attributes to
|
||||||
determine membership in the enabled emulation group by setting the
|
determine membership in the enabled emulation group by setting the
|
||||||
``user_enabled_emulation_use_group_config`` and
|
``user_enabled_emulation_use_group_config`` attribute to True.
|
||||||
``project_enabled_emulation_use_group_config`` attributes to True.
|
|
||||||
|
|
||||||
Secure Connection
|
Secure Connection
|
||||||
-----------------
|
-----------------
|
||||||
|
@ -1950,24 +1950,3 @@ class EnabledEmuMixIn(BaseLdap):
|
|||||||
if self.enabled_emulation:
|
if self.enabled_emulation:
|
||||||
self._remove_enabled(object_id)
|
self._remove_enabled(object_id)
|
||||||
super(EnabledEmuMixIn, self).delete(object_id)
|
super(EnabledEmuMixIn, self).delete(object_id)
|
||||||
|
|
||||||
|
|
||||||
class ProjectLdapStructureMixin(object):
|
|
||||||
"""Project LDAP Structure shared between LDAP backends.
|
|
||||||
|
|
||||||
This is shared between the resource and assignment LDAP backends.
|
|
||||||
|
|
||||||
"""
|
|
||||||
|
|
||||||
DEFAULT_OU = 'ou=Groups'
|
|
||||||
DEFAULT_STRUCTURAL_CLASSES = []
|
|
||||||
DEFAULT_OBJECTCLASS = 'groupOfNames'
|
|
||||||
DEFAULT_ID_ATTR = 'cn'
|
|
||||||
NotFound = exception.ProjectNotFound
|
|
||||||
notfound_arg = 'project_id' # NOTE(yorik-sar): while options_name = tenant
|
|
||||||
options_name = 'project'
|
|
||||||
attribute_options_names = {'name': 'name',
|
|
||||||
'description': 'desc',
|
|
||||||
'enabled': 'enabled',
|
|
||||||
'domain_id': 'domain_id'}
|
|
||||||
immutable_attrs = ['name']
|
|
||||||
|
@ -5,10 +5,7 @@ password = test
|
|||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
project_enabled_emulation = True
|
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
use_dumb_member = True
|
use_dumb_member = True
|
||||||
|
|
||||||
|
@ -5,9 +5,7 @@ password = test
|
|||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
project_enabled_emulation = True
|
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
use_dumb_member = True
|
use_dumb_member = True
|
||||||
|
@ -5,9 +5,7 @@ password = test
|
|||||||
suffix = dc=openstack,dc=org
|
suffix = dc=openstack,dc=org
|
||||||
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
group_tree_dn = ou=UserGroups,dc=openstack,dc=org
|
||||||
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
role_tree_dn = ou=Roles,dc=openstack,dc=org
|
||||||
project_tree_dn = ou=Projects,dc=openstack,dc=org
|
|
||||||
user_tree_dn = ou=Users,dc=openstack,dc=org
|
user_tree_dn = ou=Users,dc=openstack,dc=org
|
||||||
project_enabled_emulation = True
|
|
||||||
user_enabled_emulation = True
|
user_enabled_emulation = True
|
||||||
user_mail_attribute = mail
|
user_mail_attribute = mail
|
||||||
use_dumb_member = True
|
use_dumb_member = True
|
||||||
|
@ -69,9 +69,6 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
|
|||||||
create_object(CONF.ldap.role_tree_dn,
|
create_object(CONF.ldap.role_tree_dn,
|
||||||
{'objectclass': 'organizationalUnit',
|
{'objectclass': 'organizationalUnit',
|
||||||
'ou': 'Roles'})
|
'ou': 'Roles'})
|
||||||
create_object(CONF.ldap.project_tree_dn,
|
|
||||||
{'objectclass': 'organizationalUnit',
|
|
||||||
'ou': 'Projects'})
|
|
||||||
create_object(CONF.ldap.group_tree_dn,
|
create_object(CONF.ldap.group_tree_dn,
|
||||||
{'objectclass': 'organizationalUnit',
|
{'objectclass': 'organizationalUnit',
|
||||||
'ou': 'UserGroups'})
|
'ou': 'UserGroups'})
|
||||||
|