  1. # A full example from a real deployment that allows Keystone to modify
  2. # everything except users, uses enabled_emulation, and ldaps
  3. # Ensure this matches what is in LDAP or keystone will try to recreate
  4. # the admin user
  5. class { '::keystone::roles::admin':
  6. email => 'test@example.com',
  7. password => 'ChangeMe',
  8. }
  9. # You can test this connection with ldapsearch first to ensure it works.
  10. # LDAP configurations are *highly* dependent on your setup and this file
  11. # will need to be tweaked. This sample talks to ldap.example.com, here is
  12. # an example of ldapsearch that will search users on this box:
  13. # ldapsearch -v -x -H 'ldap://example.com:389' -D \
  14. # "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
  15. # -b cn=users,cn=accounts,dc=example,dc=com
  16. class { '::keystone:ldap':
  17. url => 'ldap://ldap.example.com:389',
  18. user => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
  19. password => 'SecretPass',
  20. suffix => 'dc=example,dc=com',
  21. query_scope => 'sub',
  22. user_tree_dn => 'cn=users,cn=accounts,dc=example,dc=com',
  23. user_id_attribute => 'uid',
  24. user_name_attribute => 'uid',
  25. user_mail_attribute => 'mail',
  26. user_enabled_emulation => 'True',
  27. user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
  28. group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
  29. group_objectclass => 'organizationalRole',
  30. group_id_attribute => 'cn',
  31. group_name_attribute => 'cn',
  32. group_member_attribute => 'RoleOccupant',
  33. group_desc_attribute => 'description',
  34. project_tree_dn => 'ou=projects,ou=openstack,dc=example,dc=com',
  35. project_objectclass => 'organizationalUnit',
  36. project_id_attribute => 'ou',
  37. project_member_attribute => 'member',
  38. project_name_attribute => 'ou',
  39. project_desc_attribute => 'description',
  40. project_allow_create => 'True',
  41. project_allow_update => 'True',
  42. project_allow_delete => 'True',
  43. project_enabled_emulation => 'True',
  44. project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
  45. role_tree_dn => 'ou=roles,ou=openstack,dc=example,dc=com',
  46. role_objectclass => 'organizationalRole',
  47. role_id_attribute => 'cn',
  48. role_name_attribute => 'cn',
  49. role_member_attribute => 'roleOccupant',
  50. role_allow_create => 'True',
  51. role_allow_update => 'True',
  52. role_allow_delete => 'True',
  53. identity_driver => 'ldap',
  54. chase_referrals => 'False',
  55. use_tls => 'True',
  56. tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
  57. tls_req_cert => 'demand',
  58. use_pool => 'True',
  59. use_auth_pool => 'True',
  60. pool_size => 5,
  61. auth_pool_size => 5,
  62. pool_retry_max => 3,
  63. pool_connection_timeout => 120,
  64. }