6fd675a2fe
Adding full support for integrating Keystone via LDAP. Enables support for managing all LDAP related Keystone options. - Add two examples of LDAP configuration, although LDAP environments are highly variable, these will help get everyone started - Modify the keystone::ldap class to support all LDAP related options - Check sane defaults in the keystone::ldap class to hopefully reduce mistakes - Add a dependency on the python-ldap package - Modify the LDAP test to match the new class - Make the default-tenant optional since some LDAP backends do not support this Change-Id: Ie6879eb4816fd2b906f72cac8deb3b62bd4b2430
29 lines
1.1 KiB
Puppet
29 lines
1.1 KiB
Puppet
# Example using LDAP to manage user identity only.
|
|
# This setup will not allow changes to users.
|
|
|
|
# Ensure this matches what is in LDAP or keystone will try to recreate
|
|
# the admin user
|
|
class { 'keystone::roles::admin':
|
|
email => 'test@example.com',
|
|
password => 'ChangeMe',
|
|
}
|
|
|
|
# You can test this connection with ldapsearch first to ensure it works.
|
|
# This was tested against a FreeIPA box, you will likely need to change the
|
|
# attributes to match your configuration.
|
|
class { 'keystone:ldap':
|
|
identity_driver => 'keystone.identity.backends.ldap.Identity',
|
|
url => 'ldap://ldap.example.com:389',
|
|
user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
|
|
password => 'SecretPass',
|
|
suffix => 'dc=example,dc=com',
|
|
query_scope => 'sub',
|
|
user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
|
|
user_id_attribute => 'uid',
|
|
user_name_attribute => 'uid',
|
|
user_mail_attribute => 'mail',
|
|
user_allow_create => 'False',
|
|
user_allow_update => 'False',
|
|
user_allow_delete => 'False'
|
|
}
|