puppet-keystone/examples/ldap_identity.pp

# Example using LDAP to manage user identity only.
# This setup will not allow changes to users.

# Ensure this matches what is in LDAP or keystone will try to recreate
# the admin user
class { '::keystone::roles::admin':
  email    => 'test@example.com',
  password => 'ChangeMe',
}

# You can test this connection with ldapsearch first to ensure it works.
# This was tested against a FreeIPA box, you will likely need to change the
# attributes to match your configuration.
class { '::keystone:ldap':
  identity_driver     => 'ldap',
  url                 => 'ldap://ldap.example.com:389',
  user                => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
  password            => 'SecretPass',
  suffix              => 'dc=example,dc=com',
  query_scope         => 'sub',
  user_tree_dn        => 'cn=users,cn=accounts,dc=example,dc=com',
  user_id_attribute   => 'uid',
  user_name_attribute => 'uid',
  user_mail_attribute => 'mail',
  user_allow_create   => 'False',
  user_allow_update   => 'False',
  user_allow_delete   => 'False'
}
Full support for Keystone LDAP integration Adding full support for integrating Keystone via LDAP. Enables support for managing all LDAP related Keystone options. - Add two examples of LDAP configuration, although LDAP environments are highly variable, these will help get everyone started - Modify the keystone::ldap class to support all LDAP related options - Check sane defaults in the keystone::ldap class to hopefully reduce mistakes - Add a dependency on the python-ldap package - Modify the LDAP test to match the new class - Make the default-tenant optional since some LDAP backends do not support this Change-Id: Ie6879eb4816fd2b906f72cac8deb3b62bd4b2430 2014-03-25 10:07:45 -06:00			`# Example using LDAP to manage user identity only.`
			`# This setup will not allow changes to users.`

			`# Ensure this matches what is in LDAP or keystone will try to recreate`
			`# the admin user`
Add Puppet 4.x lint checks The puppet-lint requirement is now changed, so we can use puppet-lint plugins. Most of these plugins are for 4.x compat, but some just catch common errors. Change-Id: I988929331e3f0cbef5e10ec9116cdba9ded16967 2015-03-15 16:36:42 +01:00			`class { '::keystone::roles::admin':`
Full support for Keystone LDAP integration Adding full support for integrating Keystone via LDAP. Enables support for managing all LDAP related Keystone options. - Add two examples of LDAP configuration, although LDAP environments are highly variable, these will help get everyone started - Modify the keystone::ldap class to support all LDAP related options - Check sane defaults in the keystone::ldap class to hopefully reduce mistakes - Add a dependency on the python-ldap package - Modify the LDAP test to match the new class - Make the default-tenant optional since some LDAP backends do not support this Change-Id: Ie6879eb4816fd2b906f72cac8deb3b62bd4b2430 2014-03-25 10:07:45 -06:00			`email => 'test@example.com',`
			`password => 'ChangeMe',`
			`}`

			`# You can test this connection with ldapsearch first to ensure it works.`
			`# This was tested against a FreeIPA box, you will likely need to change the`
			`# attributes to match your configuration.`
Add Puppet 4.x lint checks The puppet-lint requirement is now changed, so we can use puppet-lint plugins. Most of these plugins are for 4.x compat, but some just catch common errors. Change-Id: I988929331e3f0cbef5e10ec9116cdba9ded16967 2015-03-15 16:36:42 +01:00			`class { '::keystone:ldap':`
use stevedore names when possible and cleanup ldap testing Instead of using long backend/drivers name, use short name and stevedore will load plugins for us. It will prevent this kind of message in logs: Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore: No 'keystone.catalog' driver found, Also cleanup unit and functional tests that were setting wrong credential & assignment drivers. Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09 2016-02-26 10:03:15 -05:00			`identity_driver => 'ldap',`
Add missing puppetdoc and lint all parameter documentation Un-pin puppet-lint gem and add puppet-lint-param-docs, this commit also add missing puppetdoc and fixes lint issues. Change-Id: I1eefc743c68c75eb54a65b3cc539922ef3a3b04d 2015-03-15 16:23:09 +01:00			`url => 'ldap://ldap.example.com:389',`
			`user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',`
			`password => 'SecretPass',`
			`suffix => 'dc=example,dc=com',`
			`query_scope => 'sub',`
			`user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',`
			`user_id_attribute => 'uid',`
			`user_name_attribute => 'uid',`
			`user_mail_attribute => 'mail',`
			`user_allow_create => 'False',`
			`user_allow_update => 'False',`
			`user_allow_delete => 'False'`
Full support for Keystone LDAP integration Adding full support for integrating Keystone via LDAP. Enables support for managing all LDAP related Keystone options. - Add two examples of LDAP configuration, although LDAP environments are highly variable, these will help get everyone started - Modify the keystone::ldap class to support all LDAP related options - Check sane defaults in the keystone::ldap class to hopefully reduce mistakes - Add a dependency on the python-ldap package - Modify the LDAP test to match the new class - Make the default-tenant optional since some LDAP backends do not support this Change-Id: Ie6879eb4816fd2b906f72cac8deb3b62bd4b2430 2014-03-25 10:07:45 -06:00			`}`