openstack
/
puppet-keystone
Code Issues Proposed changes

Replace legacy facts and use fact hash

Browse Source 
... because the latest lint no longer allows usage of legacy facts and
top scope fact.

Change-Id: Ie757167eedce6fa1c99d08f96be1173871f21817
changes/05/876005/3
Takashi Kajinami 3 months ago
parent 43331eadcd
commit 486d7f1435
31 changed files with 574 additions and 583 deletions
Show Stats Download Patch File Download Diff File

4
examples/apache_dropin.pp
Unescape Escape View File

@ -34,8 +34,8 @@ class { 'keystone':
}
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:5000",
admin_url => "https://${::fqdn}:5000",
public_url => "https://${facts['networking']['fqdn']}:5000",
admin_url => "https://${facts['networking']['fqdn']}:5000",
}
keystone_config { 'ssl/enable': value => true }

4
examples/apache_with_paths.pp
Unescape Escape View File

@ -35,8 +35,8 @@ class { 'keystone':
}
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:443/v3",
admin_url => "https://${::fqdn}:443/v3",
public_url => "https://${facts['networking']['fqdn']}:443/v3",
admin_url => "https://${facts['networking']['fqdn']}:443/v3",
}
keystone_config { 'ssl/enable': ensure => absent }

4
examples/k2k_sp_shib.pp
Unescape Escape View File

@ -53,8 +53,8 @@ class { 'keystone':
class { 'keystone::bootstrap':
password => 'ChangeMe',
public_url => "https://${::fqdn}:5000",
admin_url => "https://${::fqdn}:5000",
public_url => "https://${facts['networking']['fqdn']}:5000",
admin_url => "https://${facts['networking']['fqdn']}:5000",
}
keystone_config { 'ssl/enable': value => true }

116
manifests/cache.pp
Unescape Escape View File

@ -8,99 +8,99 @@
# the cache region. This should not need to be changed unless there
# is another dogpile.cache region with the same configuration name.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*expiration_time*]
# (Optional) Default TTL, in seconds, for any cached item in the
# dogpile.cache region. This applies to any cached method that
# doesn't have an explicit cache expiration time defined for it.
# (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backend*]
# (Optional) Dogpile.cache backend module. It is recommended that
# Memcache with pooling (oslo_cache.memcache_pool) or Redis
# (dogpile.cache.redis) be used in production deployments. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backend_argument*]
# (Optional) Arguments supplied to the backend module. Specify this option
# once per argument to be passed to the dogpile.cache backend.
# Example format: "<argname>:<value>". (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*proxies*]
# (Optional) Proxy classes to import that will affect the way the
# dogpile.cache backend functions. See the dogpile.cache documentation on
# changing-backend-behavior. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*enabled*]
# (Optional) Global toggle for caching. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*debug_cache_backend*]
# (Optional) Extra debugging from the cache backend (cache keys,
# get/set/delete/etc calls). This is only really useful if you need
# to see the specific cache-backend get/set/delete calls with the keys/values.
# Typically this should be left set to false. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_servers*]
# (Optional) Memcache servers in the format of "host:port".
# (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_dead_retry*]
# (Optional) Number of seconds memcached server is considered dead before
# it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool
# backends only). (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_socket_timeout*]
# (Optional) Timeout in seconds for every call to a server.
# (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*enable_socket_keepalive*]
# (Optional) Global toggle for the socket keepalive of dogpile's
# pymemcache backend
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_idle*]
# (Optional) The time (in seconds) the connection needs to remain idle
# before TCP starts sending keepalive probes. Should be a positive integer
# most greater than zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_interval*]
# (Optional) The time (in seconds) between individual keepalive probes.
# Should be a positive integer most greater than zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*socket_keepalive_count*]
# (Optional) The maximum number of keepalive probes TCP should send before
# dropping the connection. Should be a positive integer most greater than
# zero.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_maxsize*]
# (Optional) Max total number of open connections to every memcached server.
# (oslo_cache.memcache_pool backend only). (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_unused_timeout*]
# (Optional) Number of seconds a connection to memcached is held unused
# in the pool before it is closed. (oslo_cache.memcache_pool backend only)
# (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*memcache_pool_connection_get_timeout*]
# (Optional) Number of seconds that an operation will wait to get a memcache
# client connection. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*manage_backend_package*]
# (Optional) Whether to install the backend package for the cache.
@ -109,18 +109,18 @@
# [*token_caching*]
# (Optional) Toggle for token system caching. This has no effect unless
# cache_backend, cache_enabled and cache_memcache_servers is set.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_enabled*]
# (Optional) Global toggle for TLS usage when communicating with
# the caching servers.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
@ -128,84 +128,84 @@
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*tls_allowed_ciphers*]
# (Optional) Set the available ciphers for sockets created with
# the TLS context. It should be a string in the OpenSSL cipher
# list format. If not specified, all OpenSSL enabled ciphers will
# be available.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*enable_retry_client*]
# (Optional) Enable retry client mechanisms to handle failure.
# Those mechanisms can be used to wrap all kind of pymemcache
# clients. The wrapper allows you to define how many attempts
# to make and how long to wait between attempts.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*retry_attempts*]
# (Optional) Number of times to attempt an action before failing.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*retry_delay*]
# (Optional) Number of seconds to sleep between each attempt.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*hashclient_retry_attempts*]
# (Optional) Amount of times a client should be tried
# before it is marked dead and removed from the pool in
# the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*hashclient_retry_delay*]
# (Optional) Time in seconds that should pass between
# retry attempts in the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*dead_timeout*]
# (Optional) Time in seconds before attempting to add a node
# back in the pool in the HashClient's internal mechanisms.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
class keystone::cache(
$config_prefix = $::os_service_default,
$expiration_time = $::os_service_default,
$backend = $::os_service_default,
$backend_argument = $::os_service_default,
$proxies = $::os_service_default,
$enabled = $::os_service_default,
$debug_cache_backend = $::os_service_default,
$memcache_servers = $::os_service_default,
$memcache_dead_retry = $::os_service_default,
$memcache_socket_timeout = $::os_service_default,
$enable_socket_keepalive = $::os_service_default,
$socket_keepalive_idle = $::os_service_default,
$socket_keepalive_interval = $::os_service_default,
$socket_keepalive_count = $::os_service_default,
$memcache_pool_maxsize = $::os_service_default,
$memcache_pool_unused_timeout = $::os_service_default,
$memcache_pool_connection_get_timeout = $::os_service_default,
$config_prefix = $facts['os_service_default'],
$expiration_time = $facts['os_service_default'],
$backend = $facts['os_service_default'],
$backend_argument = $facts['os_service_default'],
$proxies = $facts['os_service_default'],
$enabled = $facts['os_service_default'],
$debug_cache_backend = $facts['os_service_default'],
$memcache_servers = $facts['os_service_default'],
$memcache_dead_retry = $facts['os_service_default'],
$memcache_socket_timeout = $facts['os_service_default'],
$enable_socket_keepalive = $facts['os_service_default'],
$socket_keepalive_idle = $facts['os_service_default'],
$socket_keepalive_interval = $facts['os_service_default'],
$socket_keepalive_count = $facts['os_service_default'],
$memcache_pool_maxsize = $facts['os_service_default'],
$memcache_pool_unused_timeout = $facts['os_service_default'],
$memcache_pool_connection_get_timeout = $facts['os_service_default'],
$manage_backend_package = true,
$token_caching = $::os_service_default,
$tls_enabled = $::os_service_default,
$tls_cafile = $::os_service_default,
$tls_certfile = $::os_service_default,
$tls_keyfile = $::os_service_default,
$tls_allowed_ciphers = $::os_service_default,
$enable_retry_client = $::os_service_default,
$retry_attempts = $::os_service_default,
$retry_delay = $::os_service_default,
$hashclient_retry_attempts = $::os_service_default,
$hashclient_retry_delay = $::os_service_default,
$dead_timeout = $::os_service_default,
$token_caching = $facts['os_service_default'],
$tls_enabled = $facts['os_service_default'],
$tls_cafile = $facts['os_service_default'],
$tls_certfile = $facts['os_service_default'],
$tls_keyfile = $facts['os_service_default'],
$tls_allowed_ciphers = $facts['os_service_default'],
$enable_retry_client = $facts['os_service_default'],
$retry_attempts = $facts['os_service_default'],
$retry_delay = $facts['os_service_default'],
$hashclient_retry_attempts = $facts['os_service_default'],
$hashclient_retry_delay = $facts['os_service_default'],
$dead_timeout = $facts['os_service_default'],
){
include keystone::deps

24
manifests/cors.pp
Unescape Escape View File

@ -8,41 +8,41 @@
# (Optional) Indicate whether this resource may be shared with the domain
# received in the requests "origin" header.
# (string value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_credentials*]
# (Optional) Indicate that the actual request can include user credentials.
# (boolean value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*expose_headers*]
# (Optional) Indicate which headers are safe to expose to the API.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*max_age*]
# (Optional) Maximum cache age of CORS preflight requests.
# (integer value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_methods*]
# (Optional) Indicate which methods can be used during the actual request.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*allow_headers*]
# (Optional) Indicate which header field names may be used during the actual
# request.
# (list value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
class keystone::cors (
$allowed_origin = $::os_service_default,
$allow_credentials = $::os_service_default,
$expose_headers = $::os_service_default,
$max_age = $::os_service_default,
$allow_methods = $::os_service_default,
$allow_headers = $::os_service_default,
$allowed_origin = $facts['os_service_default'],
$allow_credentials = $facts['os_service_default'],
$expose_headers = $facts['os_service_default'],
$max_age = $facts['os_service_default'],
$allow_methods = $facts['os_service_default'],
$allow_headers = $facts['os_service_default'],
) {
include keystone::deps

32
manifests/db.pp
Unescape Escape View File

@ -7,7 +7,7 @@
# [*database_db_max_retries*]
# Maximum retries in case of connection error or deadlock error before
# error is raised. Set to -1 to specify an infinite retry count.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_connection*]
# Url used to connect to database.
@ -15,44 +15,44 @@
#
# [*database_connection_recycle_time*]
# Timeout when db connections should be reaped.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_retries*]
# Maximum number of database connection retries during startup.
# Setting -1 implies an infinite retry count.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_retry_interval*]
# Interval between retries of opening a database connection.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_pool_size*]
# Maximum number of SQL connections to keep open in a pool.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_max_overflow*]
# If set, use this value for max_overflow with sqlalchemy.
# (Optional) Defaults to $::os_service_default
# (Optional) Defaults to $facts['os_service_default']
#
# [*database_pool_timeout*]
# (Optional) If set, use this value for pool_timeout with SQLAlchemy.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*mysql_enable_ndb*]
# (Optional) If True, transparently enables support for handling MySQL
# Cluster (NDB).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::db (
$database_db_max_retries = $::os_service_default,
$database_db_max_retries = $facts['os_service_default'],
$database_connection = 'sqlite:////var/lib/keystone/keystone.sqlite',
$database_connection_recycle_time = $::os_service_default,
$database_max_pool_size = $::os_service_default,
$database_max_retries = $::os_service_default,
$database_retry_interval = $::os_service_default,
$database_max_overflow = $::os_service_default,
$database_pool_timeout = $::os_service_default,
$mysql_enable_ndb = $::os_service_default,
$database_connection_recycle_time = $facts['os_service_default'],
$database_max_pool_size = $facts['os_service_default'],
$database_max_retries = $facts['os_service_default'],
$database_retry_interval = $facts['os_service_default'],
$database_max_overflow = $facts['os_service_default'],
$database_pool_timeout = $facts['os_service_default'],
$mysql_enable_ndb = $facts['os_service_default'],
) {
include keystone::deps

8
manifests/federation.pp
Unescape Escape View File

@ -7,16 +7,16 @@
# This setting ensures that keystone only sends token data back to trusted
# servers. This is performed as a precaution, specifically to prevent man-in-
# the-middle (MITM) attacks.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*remote_id_attribute*]
# (Optional) Value to be used to obtain the entity ID of the Identity
# Provider from the environment.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::federation (
$trusted_dashboards = $::os_service_default,
$remote_id_attribute = $::os_service_default,
$trusted_dashboards = $facts['os_service_default'],
$remote_id_attribute = $facts['os_service_default'],
) {
include keystone::deps

18
manifests/federation/identity_provider.pp
Unescape Escape View File

@ -85,15 +85,15 @@ class keystone::federation::identity_provider(
$certfile = $::keystone::ssl_ca_certs,
$keyfile = $::keystone::ssl_ca_key,
$user = $::keystone::params::user,
$idp_organization_name = $::os_service_default,
$idp_organization_display_name = $::os_service_default,
$idp_organization_url = $::os_service_default,
$idp_contact_company = $::os_service_default,
$idp_contact_name = $::os_service_default,
$idp_contact_surname = $::os_service_default,
$idp_contact_email = $::os_service_default,
$idp_contact_telephone = $::os_service_default,
$idp_contact_type = $::os_service_default,
$idp_organization_name = $facts['os_service_default'],
$idp_organization_display_name = $facts['os_service_default'],
$idp_organization_url = $facts['os_service_default'],
$idp_contact_company = $facts['os_service_default'],
$idp_contact_name = $facts['os_service_default'],
$idp_contact_surname = $facts['os_service_default'],
$idp_contact_email = $facts['os_service_default'],
$idp_contact_telephone = $facts['os_service_default'],
$idp_contact_type = $facts['os_service_default'],
$package_ensure = present,
) inherits keystone::params {

6
manifests/federation/shibboleth.pp
Unescape Escape View File

@ -74,8 +74,8 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
'auth/saml2': ensure => absent;
}
if $::osfamily == 'Debian' or ($::osfamily == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
if $::osfamily == 'RedHat' {
if $facts['os']['family'] == 'Debian' or ($facts['os']['family'] == 'RedHat' and (defined(Yumrepo[$yum_repo_name])) or defined(Package['shibboleth'])) {
if $facts['os']['family'] == 'RedHat' {
warning('The platform is not officially supported, use at your own risk. Check manifest documentation for more.')
apache::mod { 'shib2':
id => 'mod_shib',
@ -90,7 +90,7 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e
content => template('keystone/shibboleth.conf.erb'),
order => $template_order,
}
} elsif $::osfamily == 'Redhat' {
} elsif $facts['os']['family'] == 'Redhat' {
if !$suppress_warning {
warning( 'Can not configure Shibboleth in Apache on RedHat OS.Read the Note on this federation/shibboleth.pp' )
}

16
manifests/healthcheck.pp
Unescape Escape View File

@ -6,28 +6,28 @@
#
# [*detailed*]
# (Optional) Show more detailed information as part of the response.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*backends*]
# (Optional) Additional backends that can perform health checks and report
# that information back as part of a request.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*disable_by_file_path*]
# (Optional) Check the presence of a file to determine if an application
# is running on a port.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*disable_by_file_paths*]
# (Optional) Check the presence of a file to determine if an application
# is running on a port. Expects a "port:path" list of strings.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
class keystone::healthcheck (
$detailed = $::os_service_default,
$backends = $::os_service_default,
$disable_by_file_path = $::os_service_default,
$disable_by_file_paths = $::os_service_default,
$detailed = $facts['os_service_default'],
$backends = $facts['os_service_default'],
$disable_by_file_path = $facts['os_service_default'],
$disable_by_file_paths = $facts['os_service_default'],
) {
include keystone::deps

126
manifests/init.pp
Unescape Escape View File

@ -32,15 +32,15 @@
#
# [*password_hash_algorithm*]
# (Optional) The password hash algorithm to use.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password_hash_rounds*]
# (Optional) The amount of rounds to do on the hash.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*revoke_driver*]
# (Optional) Driver for token revocation.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*revoke_by_id*]
# (Optional) Revoke token by token identifier.
@ -62,11 +62,11 @@
# (Optional) A URL representing the messaging driver to use and its full
# configuration. Transport URLs take the form:
# transport://user:pass@host1:port[,hostN:portN]/virtual_host
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_ha_queues*]
# (Optional) Use HA queues in RabbitMQ.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_timeout_threshold*]
# (Optional) Number of seconds after which the RabbitMQ broker is considered
@ -74,14 +74,14 @@
# Heartbeating helps to ensure the TCP connection to RabbitMQ isn't silently
# closed, resulting in missed or lost messages from the queue.
# (Requires kombu >= 3.0.7 and amqp >= 1.4.0)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_rate*]
# (Optional) How often during the rabbit_heartbeat_timeout_threshold period to
# check the heartbeat on RabbitMQ connection. (i.e. rabbit_heartbeat_rate=2
# when rabbit_heartbeat_timeout_threshold=60, the heartbeat will be checked
# every 30 seconds.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_heartbeat_in_pthread*]
# (Optional) EXPERIMENTAL: Run the health check heartbeat thread
@ -91,86 +91,86 @@
# example if the parent process have monkey patched the
# stdlib by using eventlet/greenlet then the heartbeat
# will be run through a green thread.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*rabbit_use_ssl*]
# (Optional) Connect over SSL for RabbitMQ
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_ca_certs*]
# (Optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_certfile*]
# (Optional) SSL cert file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_keyfile*]
# (Optional) SSL key file (valid only if SSL enabled).
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_ssl_version*]
# (Optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_reconnect_delay*]
# (Optional) How long to wait before reconnecting in response
# to an AMQP consumer cancel notification. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_failover_strategy*]
# (Optional) Determines how the next RabbitMQ node is chosen in case the one
# we are currently connected to becomes unavailable. Takes effect only if
# more than one RabbitMQ node is provided in config. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*kombu_compression*]
# (Optional) Possible values are: gzip, bz2. If not set compression will not
# be used. This option may notbe available in future versions. EXPERIMENTAL.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_transport_url*]
# (Optional) A URL representing the messaging driver to use for notifications
# and its full configuration. Transport URLs take the form:
# transport://user:pass@host1:port[,hostN:portN]/virtual_host
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_driver*]
# RPC driver. Not enabled by default (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*notification_topics*]
# (Optional) AMQP topics to publish to when using the RPC notification driver.
# (list value)
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*notification_format*]
# (Optional) Define the notification format for identity service events.
# Valid values are 'basic' and 'cadf'.
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*notification_opt_out*]
# (Optional) Opt out notifications that match the patterns expressed in this
# list.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*control_exchange*]
# (Optional) AMQP exchange to connect to if using RabbitMQ
# (string value)
# Default to $::os_service_default
# Default to $facts['os_service_default']
#
# [*rpc_response_timeout*]
# (Optional) Seconds to wait for a response from a call.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*public_endpoint*]
# (Optional) The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*service_name*]
# (Optional) Name of the service that will be providing the
@ -193,7 +193,7 @@
#
# [*max_token_size*]
# (Optional) maximum allowable Keystone token size
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*sync_db*]
# (Optional) Run db sync on the node.
@ -213,7 +213,7 @@
#
# [*fernet_max_active_keys*]
# (Optional) Number of maximum active Fernet keys. Integer > 0.
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*fernet_keys*]
# (Optional) Hash of Keystone fernet keys
@ -274,7 +274,7 @@
#
# [*policy_driver*]
# Policy backend driver. (string value)
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*using_domain_config*]
# (Optional) Eases the use of the keystone_domain_config resource type.
@ -303,11 +303,11 @@
#
# [*enable_proxy_headers_parsing*]
# (Optional) Enable oslo middleware to parse proxy headers.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*max_request_body_size*]
# (Optional) Set max request body size
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# [*purge_config*]
# (Optional) Whether to set only the specified config options
@ -316,7 +316,7 @@
#
# [*amqp_durable_queues*]
# (Optional) Whether to use durable queues in AMQP.
# Defaults to $::os_service_default.
# Defaults to $facts['os_service_default'].
#
# DEPRECATED PARAMETERS
#
@ -340,55 +340,55 @@ class keystone(
$catalog_template_file = '/etc/keystone/default_catalog.templates',
$token_provider = 'fernet',
$token_expiration = 3600,
$password_hash_algorithm = $::os_service_default,
$password_hash_rounds = $::os_service_default,
$revoke_driver = $::os_service_default,
$password_hash_algorithm = $facts['os_service_default'],
$password_hash_rounds = $facts['os_service_default'],
$revoke_driver = $facts['os_service_default'],
$revoke_by_id = true,
$public_endpoint = $::os_service_default,
$public_endpoint = $facts['os_service_default'],
$manage_service = true,
$enabled = true,
$rabbit_heartbeat_timeout_threshold = $::os_service_default,
$rabbit_heartbeat_rate = $::os_service_default,
$rabbit_heartbeat_in_pthread = $::os_service_default,
$rabbit_use_ssl = $::os_service_default,
$default_transport_url = $::os_service_default,
$rabbit_ha_queues = $::os_service_default,
$kombu_ssl_ca_certs = $::os_service_default,
$kombu_ssl_certfile = $::os_service_default,
$kombu_ssl_keyfile = $::os_service_default,
$kombu_ssl_version = $::os_service_default,
$kombu_reconnect_delay = $::os_service_default,
$kombu_failover_strategy = $::os_service_default,
$kombu_compression = $::os_service_default,
$notification_transport_url = $::os_service_default,
$notification_driver = $::os_service_default,
$notification_topics = $::os_service_default,
$notification_format = $::os_service_default,
$notification_opt_out = $::os_service_default,
$control_exchange = $::os_service_default,
$rpc_response_timeout = $::os_service_default,
$rabbit_heartbeat_timeout_threshold = $facts['os_service_default'],
$rabbit_heartbeat_rate = $facts['os_service_default'],
$rabbit_heartbeat_in_pthread = $facts['os_service_default'],
$rabbit_use_ssl = $facts['os_service_default'],
$default_transport_url = $facts['os_service_default'],
$rabbit_ha_queues = $facts['os_service_default'],
$kombu_ssl_ca_certs = $facts['os_service_default'],
$kombu_ssl_certfile = $facts['os_service_default'],
$kombu_ssl_keyfile = $facts['os_service_default'],
$kombu_ssl_version = $facts['os_service_default'],
$kombu_reconnect_delay = $facts['os_service_default'],
$kombu_failover_strategy = $facts['os_service_default'],
$kombu_compression = $facts['os_service_default'],
$notification_transport_url = $facts['os_service_default'],
$notification_driver = $facts['os_service_default'],
$notification_topics = $facts['os_service_default'],
$notification_format = $facts['os_service_default'],
$notification_opt_out = $facts['os_service_default'],
$control_exchange = $facts['os_service_default'],
$rpc_response_timeout = $facts['os_service_default'],
$service_name = $::keystone::params::service_name,
$max_token_size = $::os_service_default,
$max_token_size = $facts['os_service_default'],
$sync_db = true,
$enable_fernet_setup = true,
$fernet_key_repository = '/etc/keystone/fernet-keys',
$fernet_max_active_keys = $::os_service_default,
$fernet_max_active_keys = $facts['os_service_default'],
$fernet_keys = false,
$fernet_replace_keys = true,
$enable_credential_setup = true,
$credential_key_repository = '/etc/keystone/credential-keys',
$credential_keys = false,
$default_domain = undef,
$policy_driver = $::os_service_default,
$policy_driver = $facts['os_service_default'],
$using_domain_config = false,
$domain_config_directory = '/etc/keystone/domains',
$keystone_user = $::keystone::params::user,
$keystone_group = $::keystone::params::group,
$manage_policyrcd = false,
$enable_proxy_headers_parsing = $::os_service_default,
$max_request_body_size = $::os_service_default,
$enable_proxy_headers_parsing = $facts['os_service_default'],
$max_request_body_size = $facts['os_service_default'],
$purge_config = false,
$amqp_durable_queues = $::os_service_default,
$amqp_durable_queues = $facts['os_service_default'],
# DEPRECATED PARAMETERS
$catalog_type = undef,
) inherits keystone::params {
@ -408,7 +408,7 @@ class keystone(
# openstacklib policy_rcd only affects debian based systems.
Policy_rcd <| title == 'keystone' |> -> Package['keystone']
Policy_rcd['apache2'] -> Package['httpd']
if ($::operatingsystem == 'Ubuntu') {
if ($facts['os']['name'] == 'Ubuntu') {
$policy_services = 'apache2'
} else {
$policy_services = ['keystone', 'apache2']
@ -526,7 +526,7 @@ class keystone(
case $service_name {
$::keystone::params::service_name: {
if $::operatingsystem != 'Debian' {
if $facts['os']['name'] != 'Debian' {
# TODO(tkajinam): Make this hard-fail
warning('Keystone under Eventlet is no longer supported by this operating system')
}
@ -547,7 +547,7 @@ class keystone(
$service_name_real = $::apache::params::service_name
Service <| title == 'httpd' |> { tag +> 'keystone-service' }
if $::operatingsystem == 'Debian' {
if $facts['os']['name'] == 'Debian' {
service { 'keystone':
ensure => 'stopped',
name => $::keystone::params::service_name,

200
manifests/ldap.pp
Unescape Escape View File

@ -6,60 +6,60 @@
#
# [*url*]
# URL for connecting to the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user*]
# User BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password*]
# Password for the BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*suffix*]
# LDAP server suffix (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*query_scope*]
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*page_size*]
# Maximum results per page; a value of zero ("0") disables paging. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_tree_dn*]
# Search base for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_filter*]
# LDAP search filter for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_objectclass*]
# LDAP objectclass for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_id_attribute*]
# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_name_attribute*]
# LDAP attribute mapped to user name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_description_attribute*]
# LDAP attribute mapped to user description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_mail_attribute*]
# LDAP attribute mapped to user email. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_attribute*]
# LDAP attribute mapped to user enabled flag. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_mask*]
# Bitmask integer to indicate the bit that the enabled value is stored in if
@ -67,7 +67,7 @@
# boolean. A value of "0" indicates the mask is not used. If this is not set
# to "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_default*]
# Default value to enable users. This should match an appropriate int value
@ -75,7 +75,7 @@
# is enabled or disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_invert*]
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
@ -83,30 +83,30 @@
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_attribute_ignore*]
# List of attributes stripped off the user on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_default_project_id_attribute*]
# LDAP attribute mapped to default_project_id for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_pass_attribute*]
# LDAP attribute mapped to password. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation_dn*]
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_additional_attribute_mapping*]
# List of additional LDAP attributes used for mapping
@ -114,119 +114,119 @@
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_filter*]
# LDAP search filter for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_objectclass*]
# LDAP objectclass for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_id_attribute*]
# LDAP attribute mapped to group id. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_name_attribute*]
# LDAP attribute mapped to group name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_member_attribute*]
# LDAP attribute mapped to show group membership. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_attribute_ignore*]
# List of attributes stripped off the group on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_additional_attribute_mapping*]
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertfile*]
# CA certificate file path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertdir*]
# CA certificate directory path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_req_cert*]
# Valid options for tls_req_cert are demand, never, and allow. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*identity_driver*]
# Identity backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_size*]
# Connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_max*]
# Maximum count of reconnect trials. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_delay*]
# Time span in seconds to wait between two reconnect trials. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_timeout*]
# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_lifetime*]
# Connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_auth_pool*]
# Enable LDAP connection pooling for end user authentication.
# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_size*]
# End user auth connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*auth_pool_connection_lifetime*]
# End user auth connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*credential_driver*]
# Credential backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*assignment_driver*]
# Assignment backend driver. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
@ -248,56 +248,56 @@
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
class keystone::ldap(
$url = $::os_service_default,
$user = $::os_service_default,
$password = $::os_service_default,
$suffix = $::os_service_default,
$query_scope = $::os_service_default,
$page_size = $::os_service_default,
$user_tree_dn = $::os_service_default,
$user_filter = $::os_service_default,
$user_objectclass = $::os_service_default,
$user_id_attribute = $::os_service_default,
$user_name_attribute = $::os_service_default,
$user_description_attribute = $::os_service_default,
$user_mail_attribute = $::os_service_default,
$user_enabled_attribute = $::os_service_default,
$user_enabled_mask = $::os_service_default,
$user_enabled_default = $::os_service_default,
$user_enabled_invert = $::os_service_default,
$user_attribute_ignore = $::os_service_default,
$user_default_project_id_attribute = $::os_service_default,
$user_pass_attribute = $::os_service_default,
$user_enabled_emulation = $::os_service_default,
$user_enabled_emulation_dn = $::os_service_default,
$user_additional_attribute_mapping = $::os_service_default,
$group_tree_dn = $::os_service_default,
$group_filter = $::os_service_default,
$group_objectclass = $::os_service_default,
$group_id_attribute = $::os_service_default,
$group_name_attribute = $::os_service_default,
$group_member_attribute = $::os_service_default,
$group_members_are_ids = $::os_service_default,
$group_desc_attribute = $::os_service_default,
$group_attribute_ignore = $::os_service_default,
$group_additional_attribute_mapping = $::os_service_default,
$chase_referrals = $::os_service_default,
$use_tls = $::os_service_default,
$tls_cacertdir = $::os_service_default,
$tls_cacertfile = $::os_service_default,
$tls_req_cert = $::os_service_default,
$identity_driver = $::os_service_default,
$assignment_driver = $::os_service_default,
$credential_driver = $::os_service_default,
$use_pool = $::os_service_default,
$pool_size = $::os_service_default,
$pool_retry_max = $::os_service_default,
$pool_retry_delay = $::os_service_default,
$pool_connection_timeout = $::os_service_default,
$pool_connection_lifetime = $::os_service_default,
$use_auth_pool = $::os_service_default,
$auth_pool_size = $::os_service_default,
$auth_pool_connection_lifetime = $::os_service_default,
$url = $facts['os_service_default'],
$user = $facts['os_service_default'],
$password = $facts['os_service_default'],
$suffix = $facts['os_service_default'],
$query_scope = $facts['os_service_default'],
$page_size = $facts['os_service_default'],
$user_tree_dn = $facts['os_service_default'],
$user_filter = $facts['os_service_default'],
$user_objectclass = $facts['os_service_default'],
$user_id_attribute = $facts['os_service_default'],
$user_name_attribute = $facts['os_service_default'],
$user_description_attribute = $facts['os_service_default'],
$user_mail_attribute = $facts['os_service_default'],
$user_enabled_attribute = $facts['os_service_default'],
$user_enabled_mask = $facts['os_service_default'],
$user_enabled_default = $facts['os_service_default'],
$user_enabled_invert = $facts['os_service_default'],
$user_attribute_ignore = $facts['os_service_default'],
$user_default_project_id_attribute = $facts['os_service_default'],
$user_pass_attribute = $facts['os_service_default'],
$user_enabled_emulation = $facts['os_service_default'],
$user_enabled_emulation_dn = $facts['os_service_default'],
$user_additional_attribute_mapping = $facts['os_service_default'],
$group_tree_dn = $facts['os_service_default'],
$group_filter = $facts['os_service_default'],
$group_objectclass = $facts['os_service_default'],
$group_id_attribute = $facts['os_service_default'],
$group_name_attribute = $facts['os_service_default'],
$group_member_attribute = $facts['os_service_default'],
$group_members_are_ids = $facts['os_service_default'],
$group_desc_attribute = $facts['os_service_default'],
$group_attribute_ignore = $facts['os_service_default'],
$group_additional_attribute_mapping = $facts['os_service_default'],
$chase_referrals = $facts['os_service_default'],
$use_tls = $facts['os_service_default'],
$tls_cacertdir = $facts['os_service_default'],
$tls_cacertfile = $facts['os_service_default'],
$tls_req_cert = $facts['os_service_default'],
$identity_driver = $facts['os_service_default'],
$assignment_driver = $facts['os_service_default'],
$credential_driver = $facts['os_service_default'],
$use_pool = $facts['os_service_default'],
$pool_size = $facts['os_service_default'],
$pool_retry_max = $facts['os_service_default'],
$pool_retry_delay = $facts['os_service_default'],
$pool_connection_timeout = $facts['os_service_default'],
$pool_connection_lifetime = $facts['os_service_default'],
$use_auth_pool = $facts['os_service_default'],
$auth_pool_size = $facts['os_service_default'],
$auth_pool_connection_lifetime = $facts['os_service_default'],
$package_ensure = present,
$manage_packages = true,
) inherits keystone::params {

190
manifests/ldap_backend.pp
Unescape Escape View File

@ -9,59 +9,59 @@
#
# [*url*]
# URL for connecting to the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user*]
# User BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*password*]
# Password for the BindDN to query the LDAP server. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*suffix*]
# LDAP server suffix (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*query_scope*]
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*page_size*]
# Maximum results per page; a value of zero ("0") disables paging. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_tree_dn*]
# Search base for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_filter*]
# LDAP search filter for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_objectclass*]
# LDAP objectclass for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_id_attribute*]
# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_name_attribute*]
# LDAP attribute mapped to user name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_description_attribute*]
# LDAP attribute mapped to user description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_mail_attribute*]
# LDAP attribute mapped to user email. (string value)
#
# [*user_enabled_attribute*]
# LDAP attribute mapped to user enabled flag. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_mask*]
# Bitmask integer to indicate the bit that the enabled value is stored in if
@ -69,7 +69,7 @@
# boolean. A value of "0" indicates the mask is not used. If this is not set
# to "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_default*]
# Default value to enable users. This should match an appropriate int value
@ -77,7 +77,7 @@
# is enabled or disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_invert*]
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
@ -85,30 +85,30 @@
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_attribute_ignore*]
# List of attributes stripped off the user on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_default_project_id_attribute*]
# LDAP attribute mapped to default_project_id for users. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_pass_attribute*]
# LDAP attribute mapped to password. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_enabled_emulation_dn*]
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*user_additional_attribute_mapping*]
# List of additional LDAP attributes used for mapping
@ -116,75 +116,75 @@
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_filter*]
# LDAP search filter for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_objectclass*]
# LDAP objectclass for groups. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_id_attribute*]
# LDAP attribute mapped to group id. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_name_attribute*]
# LDAP attribute mapped to group name. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_member_attribute*]
# LDAP attribute mapped to show group membership. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_attribute_ignore*]
# List of attributes stripped off the group on update. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_additional_attribute_mapping*]
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*group_ad_nesting*]
# If enabled, group queries will use Active Directory specific
# filters for nested groups. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*chase_referrals*]
# Whether or not to chase returned referrals. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_tls*]
# Enable TLS for communicating with LDAP servers. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertfile*]
# CA certificate file path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_cacertdir*]
# CA certificate directory path for communicating with LDAP servers. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*tls_req_cert*]
# Valid options for tls_req_cert are demand, never, and allow. (string value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*identity_driver*]
# Identity backend driver. (string value)
@ -192,40 +192,40 @@
#
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_size*]
# Connection pool size. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_max*]
# Maximum count of reconnect trials. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_retry_delay*]
# Time span in seconds to wait between two reconnect trials. (floating point value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_timeout*]
# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*pool_connection_lifetime*]
# Connection lifetime in seconds. (integer value)
# Defaults to $::os_service_default
# Defaults to $facts['os_service_default']
#
# [*use_auth_pool*]
# Enable LDAP connection pooling for end user authentication.