LDAP intergation
This patch adds support for LDAP as an authentication backend. Change-Id: Ic6d04450dcdc68c41aa503370fcc347c894f0093
This commit is contained in:
parent
6024c6d218
commit
49c835ec09
@ -7,14 +7,16 @@ RUN apt-get install -y --no-install-recommends \
apache2 \
apache2 \
libapache2-mod-wsgi \
libapache2-mod-wsgi \
mysql-client \
mysql-client \
libldap2-dev \
libsasl2-dev \
&& echo > /etc/apache2/ports.conf \
&& echo > /etc/apache2/ports.conf \
&& apt-get clean
&& apt-get clean
{{ copy_sources("openstack/keystone", "/keystone") }}
{{ copy_sources("openstack/keystone", "/keystone") }}
RUN useradd --user-group keystone \
RUN useradd --user-group keystone \
&& /var/lib/microservices/venv/bin/pip install /keystone \
&& /var/lib/microservices/venv/bin/pip install ldappool /keystone \
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /etc/keystone/domains /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
&& cp -r /keystone/etc/* /etc/keystone/ \
&& cp -r /keystone/etc/* /etc/keystone/ \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \
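Review bot: `ldappool` is added to the venv on the new `pip install ldappool /keystone` line without a version pin or hash, so every image build pulls whatever release the index serves at that moment; pin it (`ldappool==<version to be chosen>`, or list it in a constraints file the build already honours) so the image is reproducible and a broken or malicious upstream release cannot land in it unnoticed. `libldap2-dev` and `libsasl2-dev` are build headers, presumably for compiling the LDAP client bindings during the pip step, which is not visible in this hunk; whether only the runtime libraries would suffice afterwards cannot be told from here. The RUN instruction this hunk edits starts before the hunk.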
@ -15,6 +15,22 @@ configs:
fernet_secret_name: keystone-fernet-keys
fernet_secret_name: keystone-fernet-keys
ldap:
enabled: false
url: ldap://changeme
user: "dc=Manager,dc=example,dc=com"
suffix: "dc=example,dc=com"
tls:
enabled: false
tls_req_cert: demand
user_tree_dn: "ou=Users,dc=example,dc=com"
user_objectclass: inetOrgPerson
group_tree_dn: "ou=Groups,dc=example,dc=com"
group_objectclass: groupOfNames
notifications:
notifications:
enable: false
enable: false
# format can be basic or cadf:
# format can be basic or cadf:
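Review bot: The new `ldap:` defaults pair a plain `url: ldap://changeme` with `tls: enabled: false`, so an operator who sets `enabled: true` and fills in the URL without also turning on TLS sends the bind password and every authenticating user's password to the directory unencrypted. Consider defaulting `tls.enabled` to `true` (the `tls_req_cert: demand` default already fails closed on an unverifiable server certificate) or, if the default must stay off, adding `# plain ldap:// sends the bind and user passwords in cleartext; enable tls or use an ldaps:// URL` above the block. The bind DN placeholder `user: "dc=Manager,dc=example,dc=com"` also looks like a slip for `cn=Manager,dc=example,dc=com` — a `dc=` RDN for an account entry is unusual and will mislead anyone copying the example. The `configs:` mapping this hunk belongs to starts before the hunk.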
@ -33,6 +49,10 @@ secret_configs:
credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
encrypt_tokens_in_memcached:
encrypt_tokens_in_memcached:
secret_key: password
secret_key: password
ldap:
password: changeme
tls:
cacert: null
openstack:
openstack:
user_password: password
user_password: password
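Review bot: `cacert: null` under the new `ldap: tls:` block is the only trust anchor the LDAP connection gets, and nothing documents that it must be set once `ldap.tls.enabled` is true; with the `tls_req_cert: demand` default an unset CA makes every bind fail, which is the safe outcome but an opaque one for the operator. Add `# PEM CA certificate (or bundle) that signed the LDAP server certificate; required when ldap.tls.enabled is true` above it. The `password: changeme` default matches the `ldap://changeme` placeholder in the defaults hunk, but unlike the other secrets here there is no visible check that it was replaced before `ldap.enabled` takes effect — hedged, since the consumer of `secret_configs` is not part of this diff. The `secret_configs:` mapping starts before the hunk.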
@ -26,6 +26,9 @@ provider = fernet
[assignment]
[assignment]
driver = sql
driver = sql
[identity]
domain_specific_drivers_enabled = true
{% if keystone.notifications.enable %}
{% if keystone.notifications.enable %}
[oslo_messaging_notifications]
[oslo_messaging_notifications]
driver = messagingv2
driver = messagingv2
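Review bot: The new `[identity]` block enables `domain_specific_drivers_enabled = true` unconditionally, whereas every other LDAP artefact in this change (the domain config file, the CA file, the domain-create job) is gated on `keystone.ldap.enabled`; with LDAP off keystone will still scan the domain config directory on every start. Wrap the two lines in the guard this template already uses for notifications, `{% if keystone.ldap.enabled %}` … `{% endif %}`. The block also relies on keystone's default `domain_config_dir` coinciding with the `/etc/keystone/domains` directory the Dockerfile hunk creates and the files hunk writes into; a one-line comment stating that dependency, `# domain configs are read from keystone's default domain_config_dir, /etc/keystone/domains`, would keep a future path change from silently disabling LDAP.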
@ -0,0 +1 @@
{{ keystone.ldap.tls.cacert }}
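Review bot: `{{ keystone.ldap.tls.cacert }}` renders the literal text `None` into ldap_tls_cacert.pem whenever the `cacert: null` default is left in place (Jinja2's default rendering of a null value), so an operator who enables LDAP TLS but forgets the CA ships a file that is not a PEM certificate and gets a bind failure whose cause is hard to trace. Since the service definition only mounts this file when `keystone.ldap.tls.enabled` is true, an empty file is the less confusing outcome: `{{ keystone.ldap.tls.cacert | default('', true) }}` drops the `None`, and the bind still fails closed under `tls_req_cert = demand` until a real CA is supplied.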
@ -0,0 +1,18 @@
[identity]
driver = ldap
[ldap]
url = {{ keystone.ldap.url }}
user = {{ keystone.ldap.user }}
password = {{ keystone.ldap.password }}
suffix = {{ keystone.ldap.suffix }}
use_tls = {{ keystone.ldap.tls.enabled }}
tls_req_cert = {{ keystone.ldap.tls.tls_req_cert }}
tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem
user_tree_dn = {{ keystone.ldap.user_tree_dn }}
user_objectclass = {{ keystone.ldap.user_objectclass }}
group_tree_dn = {{ keystone.ldap.group_tree_dn }}
group_objectclass = {{ keystone.ldap.group_objectclass }}
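Review bot: `password = {{ keystone.ldap.password }}` writes the directory bind credential in cleartext into the rendered /etc/keystone/domains/keystone.ldap.conf, and nothing in this change restricts who can read that file once it is mounted; keystone only needs it readable by its own user, so if the files mechanism supports an owner/mode setting it should be applied to this file (hedged — the files schema is not in this diff). With the shipped defaults `use_tls = {{ keystone.ldap.tls.enabled }}` renders as false, so this section configures an unencrypted simple bind; the defaults hunk is where that should be fixed. Separately, the Dockerfile hunk installs `ldappool` but this `[ldap]` section never sets `use_pool`, so pooling is only active if keystone's own default already enables it; add `use_pool = true` here if pooling was the reason for the dependency, otherwise the package is dead weight.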
@ -79,6 +79,12 @@ service:
# {%- endif %}
# {%- endif %}
files:
files:
- keystone-conf
- keystone-conf
# {% if keystone.ldap.enabled %}
- keystone-ldap-conf
# {% if keystone.ldap.tls.enabled %}
- keystone-ldap-cacert
# {% endif %}
# {% endif %}
- wsgi-keystone-conf
- wsgi-keystone-conf
- credential-key
- credential-key
# {% if keystone.tls.enabled %}
# {% if keystone.tls.enabled %}
@ -99,6 +105,11 @@ service:
- name: keystone-create-admin-role
- name: keystone-create-admin-role
type: single
type: single
command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
# {% if keystone.ldap.enabled %}
- name: keystone-create-ldap-domain
type: single
command: openstack domain create ldap
# {% endif %}
# {% if keystone.tls.enabled %}
# {% if keystone.tls.enabled %}
- name: nginx-keystone
- name: nginx-keystone
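Review bot: `command: openstack domain create ldap` in the new `keystone-create-ldap-domain` job is not idempotent: the second time the job runs (redeploy, restart) the create fails because the domain already exists. The client has a flag for exactly this case — `command: openstack domain create --or-show ldap`. The name `ldap` is also load-bearing: keystone derives the domain a domain-specific config applies to from the `keystone.<domain>.conf` filename, so it must stay in step with `/etc/keystone/domains/keystone.ldap.conf` in the files hunk; a comment next to the job, `# domain name must match the keystone.<domain>.conf filename under /etc/keystone/domains`, would save the next editor. The `service:` list this job belongs to starts before the hunk.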
@ -116,6 +127,12 @@ files:
keystone-conf:
keystone-conf:
path: /etc/keystone/keystone.conf
path: /etc/keystone/keystone.conf
content: keystone.conf.j2
content: keystone.conf.j2
keystone-ldap-conf:
path: /etc/keystone/domains/keystone.ldap.conf
content: keystone.ldap.conf.j2
keystone-ldap-cacert:
path: /etc/keystone/ldap_tls_cacert.pem
content: keystone.ldap.cacert.j2
wsgi-keystone-conf:
wsgi-keystone-conf:
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
content: wsgi-keystone.conf.j2
content: wsgi-keystone.conf.j2