openstack/puppet-keystone
Code Issues Proposed changes

Deprecate unused parameters

Browse Source 
Keystone deprecated the project and role ldap drivers in Kilo [0] and
removed it in Mitaka.

We can simplify the puppet variables by staging these options for
removal like we did with writeable user and group support:

  https://review.opendev.org/#/c/695079/

[0] https://docs.openstack.org/releasenotes/keystone/mitaka.html#deprecation-notes

Co-Authored-By: Dave Wilde <dwilde@redhat.com>

Change-Id: I8c4d6e695597548fff49a14b070bf4f96596d0a9
This commit is contained in:
Lance Bragstad 2020-03-18 18:12:00 +00:00
parent 1081ac51db
commit e9bb58efcf
3 changed files with 308 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

455
manifests/ldap_backend.pp
View File

@ -118,123 +118,6 @@
# API attribute. (list value)
# Defaults to 'undef'
#
# [*project_tree_dn*]
# Search base for projects (string value)
# Defaults to 'undef'
#
# [*project_filter*]
# LDAP search filter for projects. (string value)
# Defaults to 'undef'
#
# [*project_objectclass*]
# LDAP objectclass for projects. (string value)
# Defaults to 'undef'
#
# [*project_id_attribute*]
# LDAP attribute mapped to project id. (string value)
# Defaults to 'undef'
#
# [*project_member_attribute*]
# LDAP attribute mapped to project membership for user. (string value)
# Defaults to 'undef'
#
# [*project_name_attribute*]
# LDAP attribute mapped to project name. (string value)
# Defaults to 'undef'
#
# [*project_desc_attribute*]
# LDAP attribute mapped to project description. (string value)
# Defaults to 'undef'
#
# [*project_enabled_attribute*]
# LDAP attribute mapped to project enabled. (string value)
# Defaults to 'undef'
#
# [*project_domain_id_attribute*]
# LDAP attribute mapped to project domain_id. (string value)
# Defaults to 'undef'
#
# [*project_attribute_ignore*]
# List of attributes stripped off the project on update. (list value)
# Defaults to 'undef'
#
# [*project_allow_create*]
# Allow project creation in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_allow_update*]
# Allow project update in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_allow_delete*]
# Allow project deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a project is enabled or not by checking if they are a member
# of the "project_enabled_emulation_dn" group. (boolean value)
# Defaults to 'undef'
#
# [*project_enabled_emulation_dn*]
# DN of the group entry to hold enabled projects when using
# enabled emulation. (string value)
# Defaults to 'undef'
#
# [*project_additional_attribute_mapping*]
# Additional attribute mappings for projects. Attribute
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
# is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
# Defaults to 'undef'
#
# [*role_tree_dn*]
# Search base for roles. (string value)
# Defaults to 'undef'
#
# [*role_filter*]
# LDAP search filter for roles. (string value)
# Defaults to 'undef'
#
# [*role_objectclass*]
# LDAP objectclass for roles. (string value)
# Defaults to 'undef'
#
# [*role_id_attribute*]
# LDAP attribute mapped to role id. (string value)
# Defaults to 'undef'
#
# [*role_name_attribute*]
# LDAP attribute mapped to role name. (string value)
# Defaults to 'undef'
#
# [*role_member_attribute*]
# LDAP attribute mapped to role membership. (string value)
# Defaults to 'undef'
#
# [*role_attribute_ignore*]
# List of attributes stripped off the role on update. (list value)
# Defaults to 'undef'
#
# [*role_allow_create*]
# Allow role creation in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_allow_update*]
# Allow role update in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_allow_delete*]
# Allow role deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_additional_attribute_mapping*]
# Additional attribute mappings for roles. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to 'undef'
#
# [*group_tree_dn*]
# Search base for groups. (string value)
# Defaults to 'undef'
@ -305,15 +188,7 @@
#
# [*identity_driver*]
# Identity backend driver. (string value)
# Defaults to 'ldap'
#
# [*credential_driver*]
# Credential backend driver. (string value)
# Defaults to 'undef'
#
# [*assignment_driver*]
# Assignment backend driver. (string value)
# Defaults to 'undef'
# Defaults to 'ldap''
#
# [*use_pool*]
# Enable LDAP connection pooling. (boolean value)
@ -369,6 +244,131 @@
#
# === DEPRECATED group/name
#
# [*assignment_driver*]
# Assignment backend driver. (string value)
# Defaults to 'undef'
#
# [*credential_driver*]
# Credential backend driver. (string value)
# Defaults to 'undef'
#
# [*project_allow_create*]
# Allow project creation in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_allow_update*]
# Allow project update in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_allow_delete*]
# Allow project deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*project_tree_dn*]
# Search base for projects (string value)
# Defaults to 'undef'
#
# [*project_filter*]
# LDAP search filter for projects. (string value)
# Defaults to 'undef'
#
# [*project_objectclass*]
# LDAP objectclass for projects. (string value)
# Defaults to 'undef'
#
# [*project_id_attribute*]
# LDAP attribute mapped to project id. (string value)
# Defaults to 'undef'
#
# [*project_member_attribute*]
# LDAP attribute mapped to project membership for user. (string value)
# Defaults to 'undef'
#
# [*project_name_attribute*]
# LDAP attribute mapped to project name. (string value)
# Defaults to 'undef'
#
# [*project_desc_attribute*]
# LDAP attribute mapped to project description. (string value)
# Defaults to 'undef'
#
# [*project_enabled_attribute*]
# LDAP attribute mapped to project enabled. (string value)
# Defaults to 'undef'
#
# [*project_domain_id_attribute*]
# LDAP attribute mapped to project domain_id. (string value)
# Defaults to 'undef'
#
# [*project_attribute_ignore*]
# List of attributes stripped off the project on update. (list value)
# Defaults to 'undef'
#
# [*project_enabled_emulation*]
# If true, Keystone uses an alternative method to determine if
# a project is enabled or not by checking if they are a member
# of the "project_enabled_emulation_dn" group. (boolean value)
# Defaults to 'undef'
#
# [*project_enabled_emulation_dn*]
# DN of the group entry to hold enabled projects when using
# enabled emulation. (string value)
# Defaults to 'undef'
#
# [*project_additional_attribute_mapping*]
# Additional attribute mappings for projects. Attribute
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
# is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
# Defaults to 'undef'
#
# [*role_allow_create*]
# Allow role creation in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_allow_update*]
# Allow role update in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_allow_delete*]
# Allow role deletion in LDAP backend. (boolean value)
# Defaults to 'undef'
#
# [*role_tree_dn*]
# Search base for roles. (string value)
# Defaults to 'undef'
#
# [*role_filter*]
# LDAP search filter for roles. (string value)
# Defaults to 'undef'
#
# [*role_objectclass*]
# LDAP objectclass for roles. (string value)
# Defaults to 'undef'
#
# [*role_id_attribute*]
# LDAP attribute mapped to role id. (string value)
# Defaults to 'undef'
#
# [*role_name_attribute*]
# LDAP attribute mapped to role name. (string value)
# Defaults to 'undef'
#
# [*role_member_attribute*]
# LDAP attribute mapped to role membership. (string value)
# Defaults to 'undef'
#
# [*role_attribute_ignore*]
# List of attributes stripped off the role on update. (list value)
# Defaults to 'undef'
#
# [*role_additional_attribute_mapping*]
# Additional attribute mappings for roles. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
# Defaults to 'undef'
#
# [*user_allow_create*]
# Allow user creation in LDAP backend. (boolean value)
# Defaults to 'undef'
@ -419,33 +419,6 @@ define keystone::ldap_backend(
$user_enabled_emulation = undef,
$user_enabled_emulation_dn = undef,
$user_additional_attribute_mapping = undef,
$project_tree_dn = undef,
$project_filter = undef,
$project_objectclass = undef,
$project_id_attribute = undef,
$project_member_attribute = undef,
$project_desc_attribute = undef,
$project_name_attribute = undef,
$project_enabled_attribute = undef,
$project_domain_id_attribute = undef,
$project_attribute_ignore = undef,
$project_allow_create = undef,
$project_allow_update = undef,
$project_allow_delete = undef,
$project_enabled_emulation = undef,
$project_enabled_emulation_dn = undef,
$project_additional_attribute_mapping = undef,
$role_tree_dn = undef,
$role_filter = undef,
$role_objectclass = undef,
$role_id_attribute = undef,
$role_name_attribute = undef,
$role_member_attribute = undef,
$role_attribute_ignore = undef,
$role_allow_create = undef,
$role_allow_update = undef,
$role_allow_delete = undef,
$role_additional_attribute_mapping = undef,
$group_tree_dn = undef,
$group_filter = undef,
$group_objectclass = undef,
@ -463,8 +436,6 @@ define keystone::ldap_backend(
$tls_cacertfile = undef,
$tls_req_cert = undef,
$identity_driver = 'ldap',
$assignment_driver = undef,
$credential_driver = undef,
$use_pool = undef,
$pool_size = undef,
$pool_retry_max = undef,
@ -478,6 +449,35 @@ define keystone::ldap_backend(
$manage_packages = true,
$create_domain_entry = false,
# DEPRECATED PARAMETERS
$assignment_driver = undef,
$credential_driver = undef,
$project_allow_create = undef,
$project_allow_update = undef,
$project_allow_delete = undef,
$project_tree_dn = undef,
$project_filter = undef,
$project_objectclass = undef,
$project_id_attribute = undef,
$project_member_attribute = undef,
$project_desc_attribute = undef,
$project_name_attribute = undef,
$project_enabled_attribute = undef,
$project_domain_id_attribute = undef,
$project_attribute_ignore = undef,
$project_enabled_emulation = undef,
$project_enabled_emulation_dn = undef,
$project_additional_attribute_mapping = undef,
$role_allow_create = undef,
$role_allow_update = undef,
$role_allow_delete = undef,
$role_tree_dn = undef,
$role_filter = undef,
$role_objectclass = undef,
$role_id_attribute = undef,
$role_name_attribute = undef,
$role_member_attribute = undef,
$role_attribute_ignore = undef,
$role_additional_attribute_mapping = undef,
$user_allow_create = undef,
$user_allow_update = undef,
$user_allow_delete = undef,
@ -494,6 +494,122 @@ define keystone::ldap_backend(
got \"${domain_enabled}\" for identity/domain_specific_drivers_enabled \
and \"${domain_dir_enabled}\" for identity/domain_config_dir"
if $assignment_driver {
warning('keystone::assignment_driver is deprecated, has no effect and will be removed in a later release.')
}
if $credential_driver {
warning('keystone::credential_driver is deprecated, has no effect and will be removed in a later release.')
}
if $project_allow_create {
warning('keystone::project_allow_create is deprecated, has no effect and will be removed in a later release.')
}
if $project_allow_update {
warning('keystone::project_allow_update is deprecated, has no effect and will be removed in a later release.')
}
if $project_allow_delete {
warning('keystone::project_allow_delete is deprecated, has no effect and will be removed in a later release.')
}
if $project_tree_dn {
warning('keystone::project_tree_dn is deprecated, has no effect and will be removed in a later release.')
}
if $project_filter {
warning('keystone::project_filter is deprecated, has no effect and will be removed in a later release.')
}
if $project_objectclass {
warning('keystone::project_objectclass is deprecated, has no effect and will be removed in a later release.')
}
if $project_id_attribute {
warning('keystone::project_id_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_member_attribute {
warning('keystone::project_member_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_desc_attribute {
warning('keystone::project_desc_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_name_attribute {
warning('keystone::project_name_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_enabled_attribute {
warning('keystone::project_enabled_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_domain_id_attribute {
warning('keystone::project_domain_id_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $project_attribute_ignore {
warning('keystone::project_attribute_ignore is deprecated, has no effect and will be removed in a later release.')
}
if $project_enabled_emulation {
warning('keystone::project_enabled_emulation is deprecated, has no effect and will be removed in a later release.')
}
if $project_enabled_emulation_dn {
warning('keystone::project_enabled_emulation_dn is deprecated, has no effect and will be removed in a later release.')
}
if $project_additional_attribute_mapping {
warning('keystone::project_additional_attribute_mapping is deprecated, has no effect and will be removed in a later release.')
}
if $role_allow_create {
warning('keystone::role_allow_create is deprecated, has no effect and will be removed in a later release.')
}
if $role_allow_update {
warning('keystone::role_allow_update is deprecated, has no effect and will be removed in a later release.')
}
if $role_allow_delete {
warning('keystone::role_allow_delete is deprecated, has no effect and will be removed in a later release.')
}
if $role_tree_dn {
warning('keystone::role_tree_dn is deprecated, has no effect and will be removed in a later release.')
}
if $role_filter {
warning('keystone::role_filter is deprecated, has no effect and will be removed in a later release.')
}
if $role_objectclass {
warning('keystone::role_objectclass is deprecated, has no effect and will be removed in a later release.')
}
if $role_id_attribute {
warning('keystone::role_id_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $role_name_attribute {
warning('keystone::role_name_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $role_member_attribute {
warning('keystone::role_member_attribute is deprecated, has no effect and will be removed in a later release.')
}
if $role_attribute_ignore {
warning('keystone::role_attribute_ignore is deprecated, has no effect and will be removed in a later release.')
}
if $role_additional_attribute_mapping {
warning('keystone::role_additional_attribute_mapping is deprecated, has no effect and will be removed in a later release.')
}
if $user_allow_create {
warning('keystone::user_allow_create is deprecated, has no effect and will be removed in a later release.')
}
@ -570,33 +686,6 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
"${domain}::ldap/user_enabled_emulation": value => $user_enabled_emulation;
"${domain}::ldap/user_enabled_emulation_dn": value => $user_enabled_emulation_dn;
"${domain}::ldap/user_additional_attribute_mapping": value => $user_additional_attribute_mapping;
"${domain}::ldap/project_tree_dn": value => $project_tree_dn;
"${domain}::ldap/project_filter": value => $project_filter;
"${domain}::ldap/project_objectclass": value => $project_objectclass;
"${domain}::ldap/project_id_attribute": value => $project_id_attribute;
"${domain}::ldap/project_member_attribute": value => $project_member_attribute;
"${domain}::ldap/project_desc_attribute": value => $project_desc_attribute;
"${domain}::ldap/project_name_attribute": value => $project_name_attribute;
"${domain}::ldap/project_enabled_attribute": value => $project_enabled_attribute;
"${domain}::ldap/project_attribute_ignore": value => $project_attribute_ignore;
"${domain}::ldap/project_domain_id_attribute": value => $project_domain_id_attribute;
"${domain}::ldap/project_allow_create": value => $project_allow_create;
"${domain}::ldap/project_allow_update": value => $project_allow_update;
"${domain}::ldap/project_allow_delete": value => $project_allow_delete;
"${domain}::ldap/project_enabled_emulation": value => $project_enabled_emulation;
"${domain}::ldap/project_enabled_emulation_dn": value => $project_enabled_emulation_dn;
"${domain}::ldap/project_additional_attribute_mapping": value => $project_additional_attribute_mapping;
"${domain}::ldap/role_tree_dn": value => $role_tree_dn;
"${domain}::ldap/role_filter": value => $role_filter;
"${domain}::ldap/role_objectclass": value => $role_objectclass;
"${domain}::ldap/role_id_attribute": value => $role_id_attribute;
"${domain}::ldap/role_name_attribute": value => $role_name_attribute;
"${domain}::ldap/role_member_attribute": value => $role_member_attribute;
"${domain}::ldap/role_attribute_ignore": value => $role_attribute_ignore;
"${domain}::ldap/role_allow_create": value => $role_allow_create;
"${domain}::ldap/role_allow_update": value => $role_allow_update;
"${domain}::ldap/role_allow_delete": value => $role_allow_delete;
"${domain}::ldap/role_additional_attribute_mapping": value => $role_additional_attribute_mapping;
"${domain}::ldap/group_tree_dn": value => $group_tree_dn;
"${domain}::ldap/group_filter": value => $group_filter;
"${domain}::ldap/group_objectclass": value => $group_objectclass;
@ -623,8 +712,6 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
"${domain}::ldap/auth_pool_size": value => $auth_pool_size;
"${domain}::ldap/auth_pool_connection_lifetime": value => $auth_pool_connection_lifetime;
"${domain}::identity/driver": value => $identity_driver;
"${domain}::credential/driver": value => $credential_driver;
"${domain}::assignment/driver": value => $assignment_driver;
}
if $create_domain_entry {

37
releasenotes/notes/deprecate-removed-keystone-ldap-options-a5ecc19989891c75.yaml Normal file
View File

@ -0,0 +1,37 @@
---
deprecations:
- |
The following puppet variables are deprecated and staged for removal.
Keystone removed LDAP support for projects and roles in Mitaka. Even if
these options are set in keystone's configuration file, they're silently
ignored. We will remove these options in a future release:
- ``project_tree_dn``
- ``project_filter``
- ``project_objectclass``
- ``project_id_attribute``
- ``project_member_attribute``
- ``project_name_attribute``
- ``project_desc_attribute``
- ``project_enabled_attribute``
- ``project_domain_id_attribute``
- ``project_attribute_ignore``
- ``project_allow_create``
- ``project_allow_update``
- ``project_allow_delete``
- ``project_enabled_emulation``
- ``project_enabled_emulation_dn``
- ``project_additional_attribute_mapping``
- ``role_tree_dn``
- ``role_filter``
- ``role_objectclass``
- ``role_id_attribute``
- ``role_name_attribute``
- ``role_member_attribute``
- ``role_attribute_ignore``
- ``role_allow_create``
- ``role_allow_update``
- ``role_allow_delete``
- ``role_additional_attribute_map``
- ``credential_driver``
- ``assignment_driver``

58
spec/defines/keystone_ldap_backend_spec.rb
View File

@ -41,33 +41,6 @@ describe 'keystone::ldap_backend' do
:user_enabled_emulation => 'True',
:user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
:user_additional_attribute_mapping => 'description:name, gecos:name',
:project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
:project_filter => '',
:project_objectclass => 'organizationalUnit',
:project_id_attribute => 'ou',
:project_member_attribute => 'member',
:project_desc_attribute => 'description',
:project_name_attribute => 'ou',
:project_enabled_attribute => 'enabled',
:project_domain_id_attribute => 'businessCategory',
:project_attribute_ignore => '',
:project_allow_create => 'True',
:project_allow_update => 'True',
:project_allow_delete => 'True',
:project_enabled_emulation => 'False',
:project_enabled_emulation_dn => 'True',
:project_additional_attribute_mapping => 'cn=enabled,ou=openstack,dc=example,dc=com',
:role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
:role_filter => '',
:role_objectclass => 'organizationalRole',
:role_id_attribute => 'cn',
:role_name_attribute => 'ou',
:role_member_attribute => 'roleOccupant',
:role_attribute_ignore => 'description',
:role_allow_create => 'True',
:role_allow_update => 'True',
:role_allow_delete => 'True',
:role_additional_attribute_mapping => '',
:group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
:group_filter => 'cn=enabled-groups,cn=groups,cn=accounts,dc=example,dc=com',
:group_objectclass => 'organizationalRole',
@ -126,37 +99,6 @@ describe 'keystone::ldap_backend' do
is_expected.to contain_keystone_domain_config('Default::ldap/user_enabled_emulation_dn').with_value('cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com')
is_expected.to contain_keystone_domain_config('Default::ldap/user_additional_attribute_mapping').with_value('description:name, gecos:name')
# projects
is_expected.to contain_keystone_domain_config('Default::ldap/project_tree_dn').with_value('ou=projects,ou=openstack,dc=example,dc=com')
is_expected.to contain_keystone_domain_config('Default::ldap/project_filter').with_value('')
is_expected.to contain_keystone_domain_config('Default::ldap/project_objectclass').with_value('organizationalUnit')
is_expected.to contain_keystone_domain_config('Default::ldap/project_id_attribute').with_value('ou')
is_expected.to contain_keystone_domain_config('Default::ldap/project_member_attribute').with_value('member')
is_expected.to contain_keystone_domain_config('Default::ldap/project_desc_attribute').with_value('description')
is_expected.to contain_keystone_domain_config('Default::ldap/project_name_attribute').with_value('ou')
is_expected.to contain_keystone_domain_config('Default::ldap/project_enabled_attribute').with_value('enabled')
is_expected.to contain_keystone_domain_config('Default::ldap/project_domain_id_attribute').with_value('businessCategory')
is_expected.to contain_keystone_domain_config('Default::ldap/project_attribute_ignore').with_value('')
is_expected.to contain_keystone_domain_config('Default::ldap/project_allow_create').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/project_allow_update').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/project_allow_delete').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/project_enabled_emulation').with_value('False')
is_expected.to contain_keystone_domain_config('Default::ldap/project_enabled_emulation_dn').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/project_additional_attribute_mapping').with_value('cn=enabled,ou=openstack,dc=example,dc=com')
# roles
is_expected.to contain_keystone_domain_config('Default::ldap/role_tree_dn').with_value('ou=roles,ou=openstack,dc=example,dc=com')
is_expected.to contain_keystone_domain_config('Default::ldap/role_filter').with_value('')
is_expected.to contain_keystone_domain_config('Default::ldap/role_objectclass').with_value('organizationalRole')
is_expected.to contain_keystone_domain_config('Default::ldap/role_id_attribute').with_value('cn')
is_expected.to contain_keystone_domain_config('Default::ldap/role_name_attribute').with_value('ou')
is_expected.to contain_keystone_domain_config('Default::ldap/role_member_attribute').with_value('roleOccupant')
is_expected.to contain_keystone_domain_config('Default::ldap/role_attribute_ignore').with_value('description')
is_expected.to contain_keystone_domain_config('Default::ldap/role_allow_create').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/role_allow_update').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/role_allow_delete').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/role_additional_attribute_mapping').with_value('')
# groups
is_expected.to contain_keystone_domain_config('Default::ldap/group_tree_dn').with_value('ou=groups,ou=openstack,dc=example,dc=com')
is_expected.to contain_keystone_domain_config('Default::ldap/group_filter').with_value('cn=enabled-groups,cn=groups,cn=accounts,dc=example,dc=com')