From 64c5e31e040dc50978fe93780450e73361cc6371 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Tue, 17 Apr 2018 00:39:24 -0500 Subject: [PATCH] Excise deprecated or removed LDAP options Some of the LDAP configurations were deprecated in N- or O-release have been since removed, namely the option to allow for write operations in LDAP. This is causing some issue with more recent releases of keystone as discovered in [0]. This patch set removes them from the example to avoid the errors for more recent releases without impacting N- or O-releases as they were already deprecated at that point. Also, this adds in a configuration sample that bootstraps an LDAP domain by default. [0] https://review.openstack.org/#/c/561751/ Change-Id: Ie8f23cd61dad1860a41422264945c169f0488729 Signed-off-by: Tin Lam --- tools/overrides/keystone/bootstrap_ldap.yaml | 51 +++++++++++++++++++ .../keystone/ldap_domain_config.yaml | 3 -- 2 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 tools/overrides/keystone/bootstrap_ldap.yaml diff --git a/tools/overrides/keystone/bootstrap_ldap.yaml b/tools/overrides/keystone/bootstrap_ldap.yaml new file mode 100644 index 0000000000..6f2895811b --- /dev/null +++ b/tools/overrides/keystone/bootstrap_ldap.yaml @@ -0,0 +1,51 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# NOTE(lamt): This configuration is used to demonstrate how you would bootstrap +# a domain (named "default") that is backed by LDAP. This can be used for +# demo and testing purposes, but care should be taken if additional domain is +# added to keystone. There can only be 1 domain that is SQL-backed in this +# scenario, as keystone currently cannot support multiple SQL-backed domains if +# the original bootstrapped domain is LDAP-based. + +conf: + keystone: + identity: + driver: ldap + ldap: + url: "ldap://ldap.openstack.svc.cluster.local:389" + user: "cn=admin,dc=cluster,dc=local" + password: password + suffix: "dc=cluster,dc=local" + user_attribute_ignore: "enabled,email,tenants,default_project_id" + query_scope: sub + user_enabled_emulation: True + user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local" + user_tree_dn: "ou=People,dc=cluster,dc=local" + user_enabled_mask: 2 + user_enabled_default: 512 + user_name_attribute: cn + user_id_attribute: sn + user_mail_attribute: mail + user_pass_attribute: userPassword + group_tree_dn: "ou=Groups,dc=cluster,dc=local" +endpoints: + identity: + auth: + admin: + username: bob + password: password + test: + username: bob + password: password diff --git a/tools/overrides/keystone/ldap_domain_config.yaml b/tools/overrides/keystone/ldap_domain_config.yaml index 774938bb3f..b0a4481915 100644 --- a/tools/overrides/keystone/ldap_domain_config.yaml +++ b/tools/overrides/keystone/ldap_domain_config.yaml @@ -41,6 +41,3 @@ conf: user_mail_attribute: mail user_pass_attribute: userPassword group_tree_dn: "ou=Groups,dc=cluster,dc=local" - user_allow_create: False - user_allow_delete: False - user_allow_update: False