26 Commits

Author SHA1 Message Date
Lance Bragstad
e9bb58efcf Deprecate unused parameters
Keystone deprecated the project and role ldap drivers in Kilo [0] and
removed them in Mitaka.

We can simplify the puppet variables by staging these options for
removal like we did with writeable user and group support:

  https://review.opendev.org/#/c/695079/

[0] https://docs.openstack.org/releasenotes/keystone/mitaka.html#deprecation-notes

Co-Authored-By: Dave Wilde <dwilde@redhat.com>

Change-Id: I8c4d6e695597548fff49a14b070bf4f96596d0a9
2020-03-20 23:52:33 +00:00
Lance Bragstad
1081ac51db Update ldap-backend options
Several of the options defined in ldap_backend.pp were using duplicate
values already specified in keystone/conf/ldap.py. Instead of
duplicating the same value, we can set them to undefined and just let
the default values from keystone come through.

This commit also updates the values of use_pool and use_auth_pool to
True so they're consistent with the default values in keystone.

Co-Authored-By: Dave Wilde <dwilde@redhat.com>

Change-Id: I507d1b736dbbb147c67b9d399c033703b432b16d
2020-03-18 20:54:42 +00:00
Tobias Urdin
fa11274b2f Convert all class usage to relative names
Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
Lance Bragstad
d8ab01080b Remove writable ldap configs from examples and spec
Keystone removed support for writable ldap in Ocata. We should
remove these configs from the examples and the specification so that it
doesn't give the impression the functionality is still supported. It
also cleans up the configuration a little bit.

Relevant release notes that advertise the removal:

  https://docs.openstack.org/releasenotes/keystone/ocata.html#relnotes-11-0-0-origin-stable-ocata-other-notes

Change-Id: I83da28d3988960252708c60ce53fe36f34ee4204
2019-11-22 09:55:44 +00:00
Tobias Urdin
7fea7a2145 Use validate_legacy
This changes all the puppet 3 validate_* functions
to use the validate_legacy function.

The validate_legacy function has been available for
about three years but requires Puppet >= 4.4.0, and since
Puppet 4.10.12 is the latest we should assume people
are running a fairly new Puppet 4 version.

This is the first step to then remove all validate function
calls and use proper types for parameters as described in spec [1].

[1] https://review.openstack.org/#/c/568929/

Depends-On: https://review.openstack.org/#/c/639215/
Change-Id: Idd720f18893bea0ec1d26859e0a6907a5daa8980
2019-02-25 23:02:21 +00:00
Cyril Lopez
fa21938135 Add a LDAP param group_members_are_ids
Enable this option if the members of the group
object class are keystone user IDs rather than LDAP DNs.
This is the case when using posixGroup as the group object
class in Open Directory.

Closes-Bug: #1805801

Change-Id: I46ec675fb959c5d1b8f9cbf300e480026e803a66
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2018-11-29 13:48:51 +00:00
ZhongShengping
a55b9e4efe Add user_description_attribute option
Adds user_description_attribute mapping support to the LDAP backend

Change-Id: Ibf14f741f95febac5f5e857a73690477e2739f55
Closes-Bug: #1736912
2018-01-02 10:56:28 +08:00
Zuo ZongMing
5de9cddf7f Fixed keystone misspelling
Change-Id: I108377001e770cf5d069d46f35c89860fbaf6c4a
2017-12-15 15:41:33 +08:00
Matthew J. Black
8ba0d32d5b fix ldap packages for keystone backend
When puppet runs it will try to install python-ldap and
python-ldappool. Each run will install one or the other
due to the other package settings telling the package
manager to uninstall it.

Change-Id: I13a0af479dcac45ff77685f5eccfb865f7dab0f5
Closes-Bug: #1709519
2017-08-09 17:07:01 -04:00
LarsErikP
e7840bfbef Adds support for configuring group_ad_nesting in keystone LDAP backend
Change-Id: I43dbfbec4f3caadc821a2e07716bdb258e8ca984
Closes-Bug: #1700070
2017-06-27 22:18:54 +02:00
Juan Antonio Osorio Robles
d7bc6907d3 Enable creating the domain for LDAP backends
This enables the creation of the actual keystone domain if the
configuration is created (via the ldap_backend resource). This is done
with the flag create_domain_entry which is false by default.

Change-Id: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
2017-04-06 19:17:17 +03:00
Carlos Camacho
3e73d33bf1 Remove unnecessary spaces in log messages.
Spaces added by mistake in some log messages.

Change-Id: Idab08cf39e2e25fcfe66f788e99b0c2e42a43600
2016-09-26 14:18:11 +02:00
Christopher Brown
2e32ee5ced Implement chase referrals parameter
python-ldap follows/chases referrals with anonymous access but
this is disabled by default in Active Directory. There is an
argument to set this to default to disabled but for the moment
just present an option for the user to choose.

For further information see:
https://access.redhat.com/solutions/2309891

Change-Id: I83ff3186ecced663a30a028e153f9259427fa13d
Signed-off-by: Christopher Brown <snecklifter@gmail.com>
2016-09-20 13:51:29 -06:00
Carlos Camacho
08c30f7550 Fix puppet-lint before upgrading gem
Removing puppet-lint warnings
in favor of upgrading to latest gem

2016-09-13 21:10:29.621198 | manifests/federation/mellon.pp:70:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621299 | manifests/federation/openidc.pp:1:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621338 | manifests/federation/openidc_httpd_configuration.pp:2:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621371 | manifests/federation/shibboleth.pp:80:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621400 | manifests/init.pp:749:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621428 | manifests/init.pp:862:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621456 | manifests/init.pp:869:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621483 | manifests/init.pp:870:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621510 | manifests/init.pp:923:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621537 | manifests/init.pp:927:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621564 | manifests/init.pp:931:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621592 | manifests/init.pp:935:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621633 | manifests/init.pp:939:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621662 | manifests/init.pp:943:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621689 | manifests/init.pp:1062:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621717 | manifests/init.pp:1067:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621742 | manifests/ldap.pp:468:ERROR: trailing whitespace found
2016-09-13 21:10:29.621771 | manifests/ldap_backend.pp:465:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621800 | manifests/wsgi/apache.pp:282:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621824 | tests/site.pp:24:WARNING: unquoted node name found
2016-09-13 21:10:29.621848 | tests/site.pp:43:WARNING: unquoted node name found

Change-Id: Ia308a08b002074d2393dc488a8ccc5429d675533
2016-09-14 12:07:22 +02:00
Emilien Macchi
8497b7573b Revert "Fix ldap_backend and puppet 4.6"
Puppet 4.6.1 has been released and we should not need this workaround
anymore.

This reverts commit 2f76f68fadd76b6d52ed7eeca19c032308419bd9.

Change-Id: Ieaf3d2a86046e178c36fc4bf5f8a69e161910902
2016-08-23 23:19:36 -04:00
Sofer Athlan-Guyot
2f76f68fad Fix ldap_backend and puppet 4.6
On xenial, after the update from puppet-agent 1.5 to 1.6, which includes an
upgrade of puppet from 4.5 to 4.6, this code stopped working.

The ensure_resource in the keystone/init.pp manifest was not evaluated.
Adding this include seems to make it work again and we see this in the
log:

```
     Debug: Resource keystone_config[identity/domain_specific_drivers_enabled] was not determined to be defined
     Debug: Create new resource keystone_config[identity/domain_specific_drivers_enabled] with params {"value"=>true}
```

while without the include ::keystone, it's not there.

Puppet guru needed as to the why.

Change-Id: Ief78d70b8fe114ddf40d98fab93374862d3c23cb
2016-08-16 13:53:50 +02:00
Matthew J Black
8594336d74 domain backend drivers set in domain config
When using the ldap_backend define, it will set the global
keystone configuration to use that driver too. This causes
an issue where the default domain might be sql for openstack
service accounts and ldap for user accounts. The class
keystone::ldap handles setting the drivers in the global
keystone config file.

Change-Id: I768c5130a6fc23ec0a0bc7686f76cc859b4c8022
Closes-Bug: 1563261
2016-03-29 08:55:10 -04:00
Matt Fischer
c11b324573 Add the ability to control LDAP package mgmt
In some instances you may not want this module managing the LDAP
packages, so we'll wrap it with a conditional that defaults to the old
behavior.

Change-Id: Ib1b401178facf364a6a62e4ca00084c56d0ecc4d
2016-03-23 08:36:32 -06:00
Matt Fischer
a5da52ec52 Keystone hooks support
This code moves all deps to an external class so that Keystone can be
installed with mechanisms besides packages (like venv or docker). This
also cleans-up the dependency tree by removing false or confusing
dependencies.

Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8
Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-03-15 20:11:25 -06:00
Jenkins
bdf4ed0a4c Merge "stop managing files that the package makes" 2016-03-01 03:41:23 +00:00
Jenkins
2f4319089e Merge "use stevedore names when possible and cleanup ldap testing" 2016-02-29 20:18:46 +00:00
Matt Fischer
cf8012ecc2 stop managing files that the package makes
Packages already make these files so let's stop managing them like we've
done with other modules.

Change-Id: I0daea82d9ff1ac45640ce00cce64c655732db34e
2016-02-29 19:23:19 +00:00
Emilien Macchi
1f051ca9b7 use stevedore names when possible and cleanup ldap testing
Instead of using long backend/drivers name, use short name and stevedore
will load plugins for us.

It will prevent this kind of message in logs:
Failed to load 'keystone.catalog.backends.sql.Catalog' using stevedore:
No 'keystone.catalog' driver found,

Also cleanup unit and functional tests that were setting wrong
credential & assignment drivers.

Change-Id: Id3b8ed63ef9a821eba5374af7ed0fd1c8d755e09
2016-02-29 09:26:13 -05:00
Matt Fischer
3899798cb1 Remove deprecated tenant_ LDAP parameters
This cleans up a ton of useless code.

Change-Id: Ibd827dc2ad7c747714bd64a114e7374218789546
2016-02-25 22:39:29 +00:00
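The commits above describe several ways a keystone LDAP domain configuration can silently go wrong: the ldap_backend define must not set the global identity driver to ldap (the default domain holds the service accounts), writable-ldap options have had no effect since Ocata, the project/role/tenant ldap options have had no effect since Mitaka, long driver class paths should be replaced by stevedore short names, and chase_referrals is worth setting explicitly because python-ldap chases referrals anonymously by default. The following Python audit script is an added example, not code from puppet-keystone or keystone. It assumes keystone's default domain-config layout (keystone.conf plus <domain_config_dir>/keystone.<DOMAIN>.conf), the removed option names listed in the constants, and the legacy long driver names shown; the sample files are constructed for the example. The cleartext check (ldap:// without use_tls) goes beyond what the commit log discusses.

```python
"""Audit keystone's global config and per-domain LDAP configs for the
pitfalls described in the commit log. Added example; not code from
puppet-keystone or keystone itself."""
import configparser
from typing import Dict, List, Tuple

# Options with no effect since keystone dropped writable LDAP (Ocata)
# and the project/role/tenant LDAP drivers (Mitaka). Option names are
# assumed to match keystone's old [ldap] settings.
REMOVED_WRITABLE = {
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
}
REMOVED_PREFIXES = ("project_", "role_", "tenant_")

# Assumed legacy class paths and the stevedore short names keystone loads.
LEGACY_DRIVER_NAMES = {
    "keystone.identity.backends.ldap.Identity": "ldap",
    "keystone.identity.backends.sql.Identity": "sql",
}

Finding = Tuple[str, str, str]  # (file, severity, message)


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _identity_driver(cp: configparser.ConfigParser) -> str:
    raw = cp.get("identity", "driver", fallback="sql").strip()
    return LEGACY_DRIVER_NAMES.get(raw, raw)


def audit_domain(path: str, text: str) -> List[Finding]:
    """Check one <domain_config_dir>/keystone.<DOMAIN>.conf file."""
    cp = _parse(text)
    out: List[Finding] = []
    raw_driver = cp.get("identity", "driver", fallback="sql").strip()
    if raw_driver in LEGACY_DRIVER_NAMES:
        out.append((path, "info", f"use stevedore short name "
                    f"'{LEGACY_DRIVER_NAMES[raw_driver]}' instead of '{raw_driver}'"))
    if _identity_driver(cp) != "ldap" or not cp.has_section("ldap"):
        return out
    opts = dict(cp.items("ldap"))
    for name in sorted(opts):
        if name in REMOVED_WRITABLE:
            out.append((path, "error", f"{name}: writable LDAP was removed in Ocata; option is ignored"))
        elif name.startswith(REMOVED_PREFIXES):
            out.append((path, "error", f"{name}: project/role LDAP drivers were removed in Mitaka; option is ignored"))
    if "chase_referrals" not in opts:
        out.append((path, "warn", "chase_referrals unset: python-ldap chases referrals anonymously by default"))
    if opts.get("url", "").startswith("ldap://") and not cp.getboolean("ldap", "use_tls", fallback=False):
        out.append((path, "warn", "bind credentials travel in cleartext: ldap:// without use_tls"))
    return out


def audit(files: Dict[str, str]) -> List[Finding]:
    """files maps relative path -> content; 'keystone.conf' is the global file."""
    out: List[Finding] = []
    g = _parse(files["keystone.conf"])
    enabled = g.getboolean("identity", "domain_specific_drivers_enabled", fallback=False)
    domain_files = [p for p in files if p.startswith("domains/keystone.") and p.endswith(".conf")]
    if domain_files and not enabled:
        out.append(("keystone.conf", "error", "domain_specific_drivers_enabled is false: domain config files are ignored"))
    if enabled and _identity_driver(g) == "ldap":
        out.append(("keystone.conf", "warn", "global identity driver is ldap: the default domain (service accounts) "
                    "will use LDAP; keep it sql and set ldap only in the domain files"))
    for p in sorted(domain_files):
        out.extend(audit_domain(p, files[p]))
    return out


# Constructed sample input for the example, not real deployment files.
SAMPLE_FILES = {
    "keystone.conf": """
[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
""",
    "domains/keystone.CorpAD.conf": """
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://ad.corp.example
user = CN=svc-keystone,OU=Service,DC=corp,DC=example
password = example-only
suffix = DC=corp,DC=example
user_tree_dn = OU=Users,DC=corp,DC=example
user_objectclass = person
group_objectclass = group
group_members_are_ids = false
user_allow_create = false
project_tree_dn = OU=Projects,DC=corp,DC=example
use_tls = false
""",
}


def audit_sample() -> List[Finding]:
    return audit(SAMPLE_FILES)


if __name__ == "__main__":
    for path, severity, message in audit_sample():
        print(f"{severity:5} {path}: {message}")
```

Run it against a real deployment by reading keystone.conf and every keystone.*.conf under domain_config_dir into the dict in place of SAMPLE_FILES; the findings on the sample show the legacy driver name, the two ignored options, the unset chase_referrals and the cleartext URL, while the global file passes because its identity driver stays sql.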
Emilien Macchi
a367105722 make sure to install ldap deps before starting keystone
This patch makes sure we install ldap packages before installing
Keystone (so before installing apache, and before starting apache).

It will avoid orchestration issues and a missing ldap package when
starting apache.

Change-Id: I6b6c050da6fba56e40f7a6e30e0117e7493ab68d
Closes-Bug: #1538394
2016-01-27 12:41:13 -05:00
Sofer Athlan-Guyot
cf3d5e1ba7 Support for multiple ldap backend.
This enables the user to inject multiple ldap backend configurations into
keystone.

Currently the ldap configuration is modeled through a class and injected
inside keystone.conf.  In a multiple domains environment, this prevents
the user from creating an ldap configuration by domain.

A deprecation warning is added to the current ldap class.  This class is
not using the define as doing so would automatically trigger a restart
of the keystone server.  This would be unexpected by the openstack
operator and would certainly be seen as a bug.  This implies a lot of code
duplication but is required to make a smooth transition.

Change-Id: I75307d4a04510d8ba1a24663b1724849ea5b48f5
2016-01-06 16:30:51 +00:00