From 2e32ee5cedd57ae3b16dd38239e6cdd6283fa957 Mon Sep 17 00:00:00 2001 From: Christopher Brown Date: Thu, 15 Sep 2016 14:53:10 +0100 Subject: [PATCH] Implement chase referrals parameter python-ldap follows/chases referrals with anonymous access but this is disabled by default in Active Directory. There is an argument to set this to default to disabled but for the moment just present an option for the user to choose. For further information see: https://access.redhat.com/solutions/2309891 Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d Signed-off-by: Christopher Brown --- examples/ldap_backend.pp | 2 ++ examples/ldap_full.pp | 1 + manifests/ldap.pp | 6 ++++++ manifests/ldap_backend.pp | 6 ++++++ .../notes/implement-chase-referrals-02cc67c98c272f52.yaml | 7 +++++++ spec/classes/keystone_ldap_spec.rb | 4 ++++ spec/defines/keystone_ldap_backend_spec.rb | 4 ++++ 7 files changed, 30 insertions(+) create mode 100644 releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml
diff --git a/examples/ldap_backend.pp b/examples/ldap_backend.pp
index a4360463f..e8e000c78 100644
--- a/examples/ldap_backend.pp
+++ b/examples/ldap_backend.pp
@@ -65,6 +65,7 @@ keystone::ldap_backend { 'domain_1':
 role_allow_update => 'True',
 role_allow_delete => 'True',
 identity_driver => 'ldap',
+ chase_referrals => 'False',
 use_tls => 'True',
 tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
 tls_req_cert => 'demand',
@@ -120,6 +121,7 @@ keystone::ldap_backend { 'domain_2':
 role_allow_update => 'True',
 role_allow_delete => 'True',
 identity_driver => 'ldap',
+ chase_referrals => 'False',
 use_tls => 'True',
 tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
 tls_req_cert => 'demand',
diff --git a/examples/ldap_full.pp b/examples/ldap_full.pp
index 4f61b7fe4..5455521e6 100644
--- a/examples/ldap_full.pp
+++ b/examples/ldap_full.pp
@@ -59,6 +59,7 @@ class { '::keystone:ldap':
 role_allow_update => 'True',
 role_allow_delete => 'True',
 identity_driver => 'ldap',
+ chase_referrals => 'False',
 use_tls => 'True',
 tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
 tls_req_cert => 'demand',
diff --git a/manifests/ldap.pp b/manifests/ldap.pp
index c34a05ac2..c9cc68f78 100644
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -291,6 +291,10 @@
 # API attribute. (list value)
 # Defaults to 'undef'
 #
+# [*chase_referrals*]
+# Whether or not to chase returned referrals. (boolean value)
+# Defaults to 'undef'
+#
 # [*use_tls*]
 # Enable TLS for communicating with LDAP servers. (boolean value)
 # Defaults to 'undef'
@@ -444,6 +448,7 @@ class keystone::ldap(
 $group_allow_update = undef,
 $group_allow_delete = undef,
 $group_additional_attribute_mapping = undef,
+ $chase_referrals = undef,
 $use_tls = undef,
 $tls_cacertdir = undef,
 $tls_cacertfile = undef,
@@ -543,6 +548,7 @@ class keystone::ldap(
 'ldap/group_allow_update': value => $group_allow_update;
 'ldap/group_allow_delete': value => $group_allow_delete;
 'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
+ 'ldap/chase_referrals': value => $chase_referrals;
 'ldap/use_tls': value => $use_tls;
 'ldap/tls_cacertdir': value => $tls_cacertdir;
 'ldap/tls_cacertfile': value => $tls_cacertfile;
diff --git a/manifests/ldap_backend.pp b/manifests/ldap_backend.pp
index 367699695..97c28d6f2 100644
--- a/manifests/ldap_backend.pp
+++ b/manifests/ldap_backend.pp
@@ -294,6 +294,10 @@
 # API attribute. (list value)
 # Defaults to 'undef'
 #
+# [*chase_referrals*]
+# Whether or not to chase returned referrals. (boolean value)
+# Defaults to 'undef'
+#
 # [*use_tls*]
 # Enable TLS for communicating with LDAP servers. (boolean value)
 # Defaults to 'undef'
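Review bot: The new `[*chase_referrals*]` entry in the manifests/ldap.pp header comment only says "Whether or not to chase returned referrals" and "Defaults to 'undef'", while the commit message is the only place that explains what undef costs you: Keystone's python-ldap client then follows referrals with an anonymous bind, which Active Directory refuses. I would put that in the doc comment so an operator does not have to find the Red Hat article: `# Leaving this undef keeps Keystone's own default, under which referrals are chased with an anonymous bind; Active Directory rejects that, so set 'False' for AD-backed deployments.` A chased referral is a fresh connection to whatever host the directory names, so I would also add a hedged caveat such as `# NOTE: confirm which TLS and credential settings apply to the referred-to connection before enabling this.` — that is an inference about python-ldap behaviour, not something this patch shows. The identical `[*chase_referrals*]` block added to manifests/ldap_backend.pp, whose hunk ends at the same point, wants the same wording; the parameter lists these comments describe are in separate hunks.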
@@ -438,6 +442,7 @@ define keystone::ldap_backend(
 $group_allow_update = undef,
 $group_allow_delete = undef,
 $group_additional_attribute_mapping = undef,
+ $chase_referrals = undef,
 $use_tls = undef,
 $tls_cacertdir = undef,
 $tls_cacertfile = undef,
@@ -559,6 +564,7 @@ define keystone::ldap_backend(
 "${domain}::ldap/group_allow_update": value => $group_allow_update;
 "${domain}::ldap/group_allow_delete": value => $group_allow_delete;
 "${domain}::ldap/group_additional_attribute_mapping": value => $group_additional_attribute_mapping;
+ "${domain}::ldap/chase_referrals": value => $chase_referrals;
 "${domain}::ldap/use_tls": value => $use_tls;
 "${domain}::ldap/tls_cacertdir": value => $tls_cacertdir;
 "${domain}::ldap/tls_cacertfile": value => $tls_cacertfile;
diff --git a/releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml b/releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml
new file mode 100644
index 000000000..c1a7ba984
--- /dev/null
+++ b/releasenotes/notes/implement-chase-referrals-02cc67c98c272f52.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - python-ldap follows/chases referrals with
+ anonymous access but this is disabled by default
+ in Active Directory. There is an argument to set
+ this to default to disabled but for the moment
+ just present an option for the user to choose.
diff --git a/spec/classes/keystone_ldap_spec.rb b/spec/classes/keystone_ldap_spec.rb
index b03886c5c..2b1892e3a 100644
--- a/spec/classes/keystone_ldap_spec.rb
+++ b/spec/classes/keystone_ldap_spec.rb
@@ -68,6 +68,7 @@ describe 'keystone::ldap' do
 :group_allow_update => 'False',
 :group_allow_delete => 'False',
 :group_additional_attribute_mapping => '',
+ :chase_referrals => 'False',
 :use_tls => 'False',
 :tls_cacertdir => '/etc/ssl/certs/',
 :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@@ -162,6 +163,9 @@ describe 'keystone::ldap' do
 is_expected.to contain_keystone_config('ldap/group_allow_delete').with_value('False')
 is_expected.to contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('')
 
+ # referrals
+ is_expected.to contain_keystone_config('ldap/chase_referrals').with_value('False')
+
 # tls
 is_expected.to contain_keystone_config('ldap/use_tls').with_value('False')
 is_expected.to contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/')
diff --git a/spec/defines/keystone_ldap_backend_spec.rb b/spec/defines/keystone_ldap_backend_spec.rb
index ddd0d9683..87e7e6a34 100644
--- a/spec/defines/keystone_ldap_backend_spec.rb
+++ b/spec/defines/keystone_ldap_backend_spec.rb
@@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
 :group_allow_update => 'False',
 :group_allow_delete => 'False',
 :group_additional_attribute_mapping => '',
+ :chase_referrals => 'False',
 :use_tls => 'False',
 :tls_cacertdir => '/etc/ssl/certs/',
 :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@@ -171,6 +172,9 @@ describe 'keystone::ldap_backend' do
 is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_delete').with_value('False')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_additional_attribute_mapping').with_value('')
 
+ # referrals
+ is_expected.to contain_keystone_domain_config('Default::ldap/chase_referrals').with_value('False')
+
 # tls
 is_expected.to contain_keystone_domain_config('Default::ldap/use_tls').with_value('False')
 is_expected.to contain_keystone_domain_config('Default::ldap/tls_cacertdir').with_value('/etc/ssl/certs/')
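Review bot: The new `# referrals` assertion in spec/defines/keystone_ldap_backend_spec.rb (and its twin in spec/classes/keystone_ldap_spec.rb on this line) only pins the explicit `'False'` case; nothing covers `chase_referrals` left undef, which is the state the commit message says still lets python-ldap chase referrals with an anonymous bind, so a regression that wrote a stray value for the unset parameter would go unnoticed. If these specs have a defaults context outside the hunk, I would add there whatever the neighbouring undef parameters assert, e.g. `is_expected.to contain_keystone_domain_config('Default::ldap/chase_referrals').with_ensure('absent')` or the service-default form this file uses — I cannot see which convention applies from the hunk. The `describe` blocks these assertions belong to start outside the hunk.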