When puppet runs it will try to install python-ldap and
python-ldappool. Each run will install one or the other
due to the other package settings telling the package
manager to uninstall it.
Change-Id: I13a0af479dcac45ff77685f5eccfb865f7dab0f5
Closes-Bug: #1709519
This enables the creation of the actual keystone domain if the
configuration is created (via the ldap_backend resource). This is done
with the flag create_domain_entry which is false by default.
Change-Id: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
python-ldap follows/chases referrals with anonymous access but
this is disabled by default in Active Directory. There is an
argument to set this to default to disabled but for the moment
just present an option for the user to choose.
For further information see:
https://access.redhat.com/solutions/2309891
Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d
Signed-off-by: Christopher Brown <snecklifter@gmail.com>
Puppet 4.6.1 has been released and we should not need this workaround
anymore.
This reverts commit 2f76f68fadd76b6d52ed7eeca19c032308419bd9.
Change-Id: Ieaf3d2a86046e178c36fc4bf5f8a69e161910902
On xenial after update from puppet-agent 1.5 to 1.6, which includes an
upgrade from 4.5 to 4.6 of puppet this code stopped working.
The ensure_resource in the keystone/init.pp manifest was not evaluated.
Adding this include seems to make it work again and we see that in the
log:
```
Debug: Resource keystone_config[identity/domain_specific_drivers_enabled] was not determined to be defined
Debug: Create new resource keystone_config[identity/domain_specific_drivers_enabled] with params {"value"=>true}
```
while without the include ::keystone, it's not there.
Puppet guru needed as to the why.
Change-Id: Ief78d70b8fe114ddf40d98fab93374862d3c23cb
When using the ldap_backend define, it will set the global
keystone configuration to use that driver too. This causes
an issue where default domain might be sql for openstack
service accounts and ldap for user accounts. The class
keystone::ldap handles setting the drivers in the global
keystone config file.
Change-Id: I768c5130a6fc23ec0a0bc7686f76cc859b4c8022
Closes-Bug: 1563261
Instead of using long backend/drivers name, use short name and stevedore
will load plugins for us.
It will prevent this kind of message in logs:
```
Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore:
No 'keystone.catalog' driver found,
```
Also clean up unit and functional tests that were setting wrong
credential & assignment drivers.
Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
This enables the user to inject multiple ldap backend configurations into
keystone.
Currently the ldap configuration is modeled through a class and injected
inside keystone.conf. In a multiple domains environment, this prevents
the user from creating a ldap configuration by domain.
A deprecation warning is added to the current ldap class. This class is
not using the define as doing so would automatically trigger a restart
of the keystone server. This would be unexpected by the openstack
operator and would certainly be seen as a bug. This implies a lot of code
duplication but is required to make a smooth transition.
Change-Id: I75307d4a04510d8ba1a24663b1724849ea5b48f5