Implement chase referrals parameter

python-ldap follows/chases referrals with anonymous access but this is disabled by default in Active Directory. There is an argument to set this to default to disabled but for the moment just present an option for the user to choose. For further information see: https://access.redhat.com/solutions/2309891 Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d Signed-off-by: Christopher Brown <snecklifter@gmail.com>
2016-09-15 14:53:10 +01:00 · 2016-09-15 14:53:10 +01:00 · 2e32ee5ced
commit 2e32ee5ced
parent 5a1b6400d6
7 changed files with 30 additions and 0 deletions
--- a/examples/ldap_backend.pp
+++ b/examples/ldap_backend.pp
@ -65,6 +65,7 @@ keystone::ldap_backend { 'domain_1':
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
+  chase_referrals              => 'False',
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
@ -120,6 +121,7 @@ keystone::ldap_backend { 'domain_2':
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
+  chase_referrals              => 'False',
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
--- a/examples/ldap_full.pp
+++ b/examples/ldap_full.pp
@ -59,6 +59,7 @@ class { '::keystone:ldap':
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
+  chase_referrals              => 'False',
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@ -291,6 +291,10 @@
 #   API attribute. (list value)
 #   Defaults to 'undef'
 #
+# [*chase_referrals*]
+#   Whether or not to chase returned referrals. (boolean value)
+#   Defaults to 'undef'
+#
 # [*use_tls*]
 #   Enable TLS for communicating with LDAP servers. (boolean value)
 #   Defaults to 'undef'
@ -444,6 +448,7 @@ class keystone::ldap(
  $group_allow_update                  = undef,
  $group_allow_delete                  = undef,
  $group_additional_attribute_mapping  = undef,
+  $chase_referrals                     = undef,
  $use_tls                             = undef,
  $tls_cacertdir                       = undef,
  $tls_cacertfile                      = undef,
@ -543,6 +548,7 @@ class keystone::ldap(
    'ldap/group_allow_update':                   value => $group_allow_update;
    'ldap/group_allow_delete':                   value => $group_allow_delete;
    'ldap/group_additional_attribute_mapping':   value => $group_additional_attribute_mapping;
+    'ldap/chase_referrals':                      value => $chase_referrals;
    'ldap/use_tls':                              value => $use_tls;
    'ldap/tls_cacertdir':                        value => $tls_cacertdir;
    'ldap/tls_cacertfile':                       value => $tls_cacertfile;
--- a/manifests/ldap_backend.pp
+++ b/manifests/ldap_backend.pp
@ -294,6 +294,10 @@
 #   API attribute. (list value)
 #   Defaults to 'undef'
 #
+# [*chase_referrals*]
+#   Whether or not to chase returned referrals. (boolean value)
+#   Defaults to 'undef'
+#
 # [*use_tls*]
 #   Enable TLS for communicating with LDAP servers. (boolean value)
 #   Defaults to 'undef'
@ -438,6 +442,7 @@ define keystone::ldap_backend(
  $group_allow_update                  = undef,
  $group_allow_delete                  = undef,
  $group_additional_attribute_mapping  = undef,
+  $chase_referrals                     = undef,
  $use_tls                             = undef,
  $tls_cacertdir                       = undef,
  $tls_cacertfile                      = undef,
@ -559,6 +564,7 @@ define keystone::ldap_backend(
    "${domain}::ldap/group_allow_update":                   value => $group_allow_update;
    "${domain}::ldap/group_allow_delete":                   value => $group_allow_delete;
    "${domain}::ldap/group_additional_attribute_mapping":   value => $group_additional_attribute_mapping;
+    "${domain}::ldap/chase_referrals":                      value => $chase_referrals;
    "${domain}::ldap/use_tls":                              value => $use_tls;
    "${domain}::ldap/tls_cacertdir":                        value => $tls_cacertdir;
    "${domain}::ldap/tls_cacertfile":                       value => $tls_cacertfile;
--- a/releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml
+++ b/releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - python-ldap follows/chases referrals with
+    anonymous access but this is disabled by default
+    in Active Directory. There is an argument to set
+    this to default to disabled but for the moment
+    just present an option for the user to choose.
--- a/spec/classes/keystone_ldap_spec.rb
+++ b/spec/classes/keystone_ldap_spec.rb
@ -68,6 +68,7 @@ describe 'keystone::ldap' do
        :group_allow_update => 'False',
        :group_allow_delete => 'False',
        :group_additional_attribute_mapping => '',
+        :chase_referrals => 'False',
        :use_tls => 'False',
        :tls_cacertdir => '/etc/ssl/certs/',
        :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@ -162,6 +163,9 @@ describe 'keystone::ldap' do
      is_expected.to contain_keystone_config('ldap/group_allow_delete').with_value('False')
      is_expected.to contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('')

+      # referrals
+      is_expected.to contain_keystone_config('ldap/chase_referrals').with_value('False')
+
      # tls
      is_expected.to contain_keystone_config('ldap/use_tls').with_value('False')
      is_expected.to contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/')
--- a/spec/defines/keystone_ldap_backend_spec.rb
+++ b/spec/defines/keystone_ldap_backend_spec.rb
@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
          :group_allow_update => 'False',
          :group_allow_delete => 'False',
          :group_additional_attribute_mapping => '',
+          :chase_referrals => 'False',
          :use_tls => 'False',
          :tls_cacertdir => '/etc/ssl/certs/',
          :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@ -171,6 +172,9 @@ describe 'keystone::ldap_backend' do
        is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_delete').with_value('False')
        is_expected.to contain_keystone_domain_config('Default::ldap/group_additional_attribute_mapping').with_value('')

+        # referrals
+        is_expected.to contain_keystone_domain_config('Default::ldap/chase_referrals').with_value('False')
+
        # tls
        is_expected.to contain_keystone_domain_config('Default::ldap/use_tls').with_value('False')
        is_expected.to contain_keystone_domain_config('Default::ldap/tls_cacertdir').with_value('/etc/ssl/certs/')