
LDAP intergation

This patch adds support for LDAP as an authentication backend.

Change-Id: Ic6d04450dcdc68c41aa503370fcc347c894f0093
changes/82/436082/3
Sergey Reshetnyak 2 years ago
parent
commit
49c835ec09

+ 4
- 2
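--- a/docker/keystone/Dockerfile.j2
+++ b/docker/keystone/Dockerfile.j2
@@ -7,14 +7,16 @@ RUN apt-get install -y --no-install-recommends \
         apache2 \
         libapache2-mod-wsgi \
         mysql-client \
+        libldap2-dev \
+        libsasl2-dev \
     && echo > /etc/apache2/ports.conf \
     && apt-get clean
 
 {{ copy_sources("openstack/keystone", "/keystone") }}
 
 RUN useradd --user-group keystone \
-    && /var/lib/microservices/venv/bin/pip install /keystone \
-    && mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
+    && /var/lib/microservices/venv/bin/pip install ldappool /keystone \
+    && mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /etc/keystone/domains /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
     && cp -r /keystone/etc/* /etc/keystone/ \
     && cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
     && cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \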
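Review bot: The new `pip install ldappool /keystone` line in the `RUN useradd` step installs `ldappool` unpinned, so every image build fetches whatever release (and whatever python-ldap release it depends on) the index serves that day; the build is not reproducible and a broken or tampered upstream release is picked up silently. Pin it to the version listed in keystone's requirements or upper-constraints, e.g. `pip install 'ldappool==<pinned version>' /keystone`, or pass a constraints file to pip. The `libldap2-dev` and `libsasl2-dev` packages added in the apt step are presumably there so python-ldap can be compiled; they remain in the runtime image, which is worth a one-line comment such as `# build deps for python-ldap (pulled in by ldappool)` so nobody "cleans them up" later and breaks the build. The `RUN useradd` step continues past the end of the hunk.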

+ 20
- 0
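--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -15,6 +15,22 @@ configs:
 
     fernet_secret_name: keystone-fernet-keys
 
+    ldap:
+      enabled: false
+      url: ldap://changeme
+      user: "dc=Manager,dc=example,dc=com"
+      suffix: "dc=example,dc=com"
+
+      tls:
+        enabled: false
+        tls_req_cert: demand
+
+      user_tree_dn: "ou=Users,dc=example,dc=com"
+      user_objectclass: inetOrgPerson
+
+      group_tree_dn: "ou=Groups,dc=example,dc=com"
+      group_objectclass: groupOfNames
+
     notifications:
       enable: false
       # format can be basic or cadf:
@@ -33,6 +49,10 @@ secret_configs:
     credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
     encrypt_tokens_in_memcached:
       secret_key: password
+    ldap:
+      password: changeme
+      tls:
+        cacert: null
 
   openstack:
     user_password: password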
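Review bot: The defaults `url: ldap://changeme` and `tls.enabled: false` in the first hunk mean an operator who only fills in the URL and password gets a plaintext LDAP connection, so the bind password from `secret_configs.ldap.password` and every user password keystone checks against the directory cross the network unencrypted. Consider defaulting `tls.enabled: true` (keeping `tls_req_cert: demand`), or at minimum document the risk beside the key, e.g. `# with tls.enabled false the bind and user passwords travel in cleartext; enable STARTTLS or use an ldaps:// url`. The bind DN default `dc=Manager,dc=example,dc=com` is an unusual shape — `cn=Manager,dc=example,dc=com` is the common form — so confirm it is intentional rather than a typo, since a wrong default will only surface as a bind failure at runtime. `password: changeme` in the second hunk is a placeholder that should be marked as mandatory to override whenever `ldap.enabled` is true.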

+ 3
- 0
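--- a/service/files/keystone.conf.j2
+++ b/service/files/keystone.conf.j2
@@ -26,6 +26,9 @@ provider = fernet
 [assignment]
 driver = sql
 
+[identity]
+domain_specific_drivers_enabled = true
+
 {% if keystone.notifications.enable %}
 [oslo_messaging_notifications]
 driver = messagingv2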
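Review bot: `domain_specific_drivers_enabled = true` is emitted unconditionally, so every deployment — whether or not LDAP is in use — has keystone load per-domain identity drivers from its domain config directory, while the rest of this change is gated on `keystone.ldap.enabled`. Wrap the new `[identity]` section in the same guard, `{% if keystone.ldap.enabled %}` … `{% endif %}`, so the extra driver-loading behaviour only exists when something relies on it. The section also depends on keystone's default `domain_config_dir` resolving to the `/etc/keystone/domains` path used elsewhere in this change; stating `domain_config_dir = /etc/keystone/domains` explicitly would make that coupling visible to the next reader.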

+ 1
- 0
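--- /dev/null
+++ b/service/files/keystone.ldap.cacert.j2
@@ -0,0 +1 @@
+{{ keystone.ldap.tls.cacert }}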
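Review bot: When `keystone.ldap.tls.enabled` is true but `tls.cacert` is left at its `null` default, this template renders a non-PEM value (Jinja prints a null as `None`) into the CA file, so TLS setup fails with an opaque certificate error instead of a clear configuration error. Either validate in the tooling that renders these files that `cacert` is non-empty whenever `tls.enabled` is true, or document the requirement next to the key in defaults.yaml. A CA certificate is not a secret, so keeping it under `secret_configs` is harmless but may confuse operators looking for it next to the other TLS settings.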

+ 18
- 0
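--- /dev/null
+++ b/service/files/keystone.ldap.conf.j2
@@ -0,0 +1,18 @@
+[identity]
+driver = ldap
+
+[ldap]
+url = {{ keystone.ldap.url }}
+user = {{ keystone.ldap.user }}
+password = {{ keystone.ldap.password }}
+suffix = {{ keystone.ldap.suffix }}
+
+use_tls = {{ keystone.ldap.tls.enabled }}
+tls_req_cert = {{ keystone.ldap.tls.tls_req_cert }}
+tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem
+
+user_tree_dn = {{ keystone.ldap.user_tree_dn }}
+user_objectclass = {{ keystone.ldap.user_objectclass }}
+
+group_tree_dn = {{ keystone.ldap.group_tree_dn }}
+group_objectclass = {{ keystone.ldap.group_objectclass }}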

+ 17
- 0
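--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -79,6 +79,12 @@ service:
           # {%- endif %}
         files:
           - keystone-conf
+          # {% if keystone.ldap.enabled %}
+          - keystone-ldap-conf
+          # {% if keystone.ldap.tls.enabled %}
+          - keystone-ldap-cacert
+          # {% endif %}
+          # {% endif %}
           - wsgi-keystone-conf
           - credential-key
           # {% if keystone.tls.enabled %}
@@ -99,6 +105,11 @@ service:
         - name: keystone-create-admin-role
           type: single
           command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
+        # {% if keystone.ldap.enabled %}
+        - name: keystone-create-ldap-domain
+          type: single
+          command: openstack domain create ldap
+        # {% endif %}
 
     # {% if keystone.tls.enabled %}
     - name: nginx-keystone
@@ -116,6 +127,12 @@ files:
   keystone-conf:
     path: /etc/keystone/keystone.conf
     content: keystone.conf.j2
+  keystone-ldap-conf:
+    path: /etc/keystone/domains/keystone.ldap.conf
+    content: keystone.ldap.conf.j2
+  keystone-ldap-cacert:
+    path: /etc/keystone/ldap_tls_cacert.pem
+    content: keystone.ldap.cacert.j2
   wsgi-keystone-conf:
     path: /etc/apache2/conf-enabled/wsgi-keystone.conf
     content: wsgi-keystone.conf.j2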
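Review bot: The `keystone-ldap-conf` entry in the third hunk renders the LDAP bind password into `/etc/keystone/domains/keystone.ldap.conf`, but carries no owner or mode, and none of the neighbouring `files:` entries show such an attribute either, so whether the rendered file is readable only by the `keystone` user depends on the framework's default — confirm it is not world-readable, or add a restrictive mode here if the framework supports one. The file name is load-bearing: keystone matches domain-specific configs as `keystone.<domain name>.conf`, so it must stay in step with `openstack domain create ldap` in the second hunk, and a comment on the entry such as `# name must be keystone.<domain>.conf, matching the domain created by keystone-create-ldap-domain` would stop a rename on one side from silently disabling LDAP. The domain name `ldap` is hard-coded in both places; if the framework's config can carry it, deriving both from one value (e.g. `keystone.ldap.domain_name`) removes the coupling entirely.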
