Implement chase referrals parameter

python-ldap follows/chases referrals using anonymous access, but
anonymous access is disabled by default in Active Directory. There is
an argument for defaulting referral chasing to disabled, but for the
moment this change just presents an option for the user to choose.

For further information see:
https://access.redhat.com/solutions/2309891

Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d
Signed-off-by: Christopher Brown <snecklifter@gmail.com>
This commit is contained in:
Christopher Brown 2016-09-15 14:53:10 +01:00 committed by Alex Schultz
parent 5a1b6400d6
commit 2e32ee5ced
7 changed files with 30 additions and 0 deletions


@ -65,6 +65,7 @@ keystone::ldap_backend { 'domain_1':
role_allow_update => 'True', role_allow_update => 'True',
role_allow_delete => 'True', role_allow_delete => 'True',
identity_driver => 'ldap', identity_driver => 'ldap',
chase_referrals => 'False',
use_tls => 'True', use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt', tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand', tls_req_cert => 'demand',
@ -120,6 +121,7 @@ keystone::ldap_backend { 'domain_2':
role_allow_update => 'True', role_allow_update => 'True',
role_allow_delete => 'True', role_allow_delete => 'True',
identity_driver => 'ldap', identity_driver => 'ldap',
chase_referrals => 'False',
use_tls => 'True', use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt', tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand', tls_req_cert => 'demand',


@ -59,6 +59,7 @@ class { '::keystone:ldap':
role_allow_update => 'True', role_allow_update => 'True',
role_allow_delete => 'True', role_allow_delete => 'True',
identity_driver => 'ldap', identity_driver => 'ldap',
chase_referrals => 'False',
use_tls => 'True', use_tls => 'True',
tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt', tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
tls_req_cert => 'demand', tls_req_cert => 'demand',


@ -291,6 +291,10 @@
# API attribute. (list value) # API attribute. (list value)
# Defaults to 'undef' # Defaults to 'undef'
# #
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to 'undef'
#
# [*use_tls*] # [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value) # Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to 'undef' # Defaults to 'undef'
@ -444,6 +448,7 @@ class keystone::ldap(
$group_allow_update = undef, $group_allow_update = undef,
$group_allow_delete = undef, $group_allow_delete = undef,
$group_additional_attribute_mapping = undef, $group_additional_attribute_mapping = undef,
$chase_referrals = undef,
$use_tls = undef, $use_tls = undef,
$tls_cacertdir = undef, $tls_cacertdir = undef,
$tls_cacertfile = undef, $tls_cacertfile = undef,
@ -543,6 +548,7 @@ class keystone::ldap(
'ldap/group_allow_update': value => $group_allow_update; 'ldap/group_allow_update': value => $group_allow_update;
'ldap/group_allow_delete': value => $group_allow_delete; 'ldap/group_allow_delete': value => $group_allow_delete;
'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping; 'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
'ldap/chase_referrals': value => $chase_referrals;
'ldap/use_tls': value => $use_tls; 'ldap/use_tls': value => $use_tls;
'ldap/tls_cacertdir': value => $tls_cacertdir; 'ldap/tls_cacertdir': value => $tls_cacertdir;
'ldap/tls_cacertfile': value => $tls_cacertfile; 'ldap/tls_cacertfile': value => $tls_cacertfile;
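Review bot: The new `[*chase_referrals*]` documentation block in this section says only "Whether or not to chase returned referrals" and does not tell an operator when to set it, although the commit message holds the reasoning (python-ldap follows referrals with anonymous access, which Active Directory disables by default). I would extend that block with `# Referrals are followed by python-ldap using anonymous access, which` / `# Active Directory disables by default; set to 'False' for AD backends.` so the guidance lives next to the option rather than only in the commit message. It would also help to state that `undef` leaves keystone's own default in effect, since the `'ldap/chase_referrals'` entry just passes the value through to `keystone_config`; I have not verified what keystone does when the option is unset, so that wording should be checked against the keystone release in use. The enclosing `class keystone::ldap` starts and ends outside these hunks, and the identical doc block added to `define keystone::ldap_backend` later in this commit would take the same change.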


@ -294,6 +294,10 @@
# API attribute. (list value) # API attribute. (list value)
# Defaults to 'undef' # Defaults to 'undef'
# #
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to 'undef'
#
# [*use_tls*] # [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value) # Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to 'undef' # Defaults to 'undef'
@ -438,6 +442,7 @@ define keystone::ldap_backend(
$group_allow_update = undef, $group_allow_update = undef,
$group_allow_delete = undef, $group_allow_delete = undef,
$group_additional_attribute_mapping = undef, $group_additional_attribute_mapping = undef,
$chase_referrals = undef,
$use_tls = undef, $use_tls = undef,
$tls_cacertdir = undef, $tls_cacertdir = undef,
$tls_cacertfile = undef, $tls_cacertfile = undef,
@ -559,6 +564,7 @@ define keystone::ldap_backend(
"${domain}::ldap/group_allow_update": value => $group_allow_update; "${domain}::ldap/group_allow_update": value => $group_allow_update;
"${domain}::ldap/group_allow_delete": value => $group_allow_delete; "${domain}::ldap/group_allow_delete": value => $group_allow_delete;
"${domain}::ldap/group_additional_attribute_mapping": value => $group_additional_attribute_mapping; "${domain}::ldap/group_additional_attribute_mapping": value => $group_additional_attribute_mapping;
"${domain}::ldap/chase_referrals": value => $chase_referrals;
"${domain}::ldap/use_tls": value => $use_tls; "${domain}::ldap/use_tls": value => $use_tls;
"${domain}::ldap/tls_cacertdir": value => $tls_cacertdir; "${domain}::ldap/tls_cacertdir": value => $tls_cacertdir;
"${domain}::ldap/tls_cacertfile": value => $tls_cacertfile; "${domain}::ldap/tls_cacertfile": value => $tls_cacertfile;


@ -0,0 +1,7 @@
---
features:
- python-ldap follows/chases referrals with
anonymous access but this is disabled by default
in Active Directory. There is an argument to set
this to default to disabled but for the moment
just present an option for the user to choose.


@ -68,6 +68,7 @@ describe 'keystone::ldap' do
:group_allow_update => 'False', :group_allow_update => 'False',
:group_allow_delete => 'False', :group_allow_delete => 'False',
:group_additional_attribute_mapping => '', :group_additional_attribute_mapping => '',
:chase_referrals => 'False',
:use_tls => 'False', :use_tls => 'False',
:tls_cacertdir => '/etc/ssl/certs/', :tls_cacertdir => '/etc/ssl/certs/',
:tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt', :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@ -162,6 +163,9 @@ describe 'keystone::ldap' do
is_expected.to contain_keystone_config('ldap/group_allow_delete').with_value('False') is_expected.to contain_keystone_config('ldap/group_allow_delete').with_value('False')
is_expected.to contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('') is_expected.to contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('')
# referrals
is_expected.to contain_keystone_config('ldap/chase_referrals').with_value('False')
# tls # tls
is_expected.to contain_keystone_config('ldap/use_tls').with_value('False') is_expected.to contain_keystone_config('ldap/use_tls').with_value('False')
is_expected.to contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/') is_expected.to contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/')


@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
:group_allow_update => 'False', :group_allow_update => 'False',
:group_allow_delete => 'False', :group_allow_delete => 'False',
:group_additional_attribute_mapping => '', :group_additional_attribute_mapping => '',
:chase_referrals => 'False',
:use_tls => 'False', :use_tls => 'False',
:tls_cacertdir => '/etc/ssl/certs/', :tls_cacertdir => '/etc/ssl/certs/',
:tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt', :tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
@ -171,6 +172,9 @@ describe 'keystone::ldap_backend' do
is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_delete').with_value('False') is_expected.to contain_keystone_domain_config('Default::ldap/group_allow_delete').with_value('False')
is_expected.to contain_keystone_domain_config('Default::ldap/group_additional_attribute_mapping').with_value('') is_expected.to contain_keystone_domain_config('Default::ldap/group_additional_attribute_mapping').with_value('')
# referrals
is_expected.to contain_keystone_domain_config('Default::ldap/chase_referrals').with_value('False')
# tls # tls
is_expected.to contain_keystone_domain_config('Default::ldap/use_tls').with_value('False') is_expected.to contain_keystone_domain_config('Default::ldap/use_tls').with_value('False')
is_expected.to contain_keystone_domain_config('Default::ldap/tls_cacertdir').with_value('/etc/ssl/certs/') is_expected.to contain_keystone_domain_config('Default::ldap/tls_cacertdir').with_value('/etc/ssl/certs/')