Add TLS support.

Now we empty CA field in UI allowed and ca_cert chacked in manifest. Use tls_cacertdir instead of tls_cacertfile in domain config file Change-Id: Iec690539cb18399928cf7b03444fa25d08017e87
2016-02-18 11:10:55 +02:00 · 2016-02-18 11:10:55 +02:00 · 16d3494ba9
parent 825c658be9
commit 16d3494ba9
2 changed files with 41 additions and 0 deletions
--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
@ -42,6 +42,27 @@ class plugin_ldap::controller {
  $group_allow_delete     = false

  $domain                 = $::fuel_settings['ldap']['domain']
+  $use_tls                = $::fuel_settings['ldap']['use_tls']
+
+  if $use_tls {
+    $ca_chain       = pick($::fuel_settings['ldap']['ca_chain'], false)
+    $cacertfile     = '/usr/local/share/ca-certificates/cacert-ldap.crt'
+
+    $tls_cacertdir  = $ca_chain ? {
+      default => 'None',
+      true    => '/etc/ssl/certs',
+    }
+
+    if $ca_chain {
+      file { $cacertfile:
+        ensure  => file,
+        mode    => 0644,
+        content => $ca_chain,
+      }
+      ~>
+      exec { '/usr/sbin/update-ca-certificates': }
+    }
+  }

  file { '/etc/keystone/domains':
    ensure => 'directory',
@ -61,6 +82,8 @@ class plugin_ldap::controller {
  keystone_config {
    "${domain}/identity/driver":        value  => $identity_driver;
    "${domain}/ldap/url":                    value => $url;
+    "${domain}/ldap/use_tls":                value => $use_tls;
+    "${domain}/ldap/tls_cacertdir":          value => $tls_cacertdir;
    "${domain}/ldap/suffix":                 value => $suffix;
    "${domain}/ldap/user":                   value => $user;
    "${domain}/ldap/password":               value => $password;
--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -17,6 +17,24 @@ attributes:
    regex:
      source: '^ldap[si]?:\/\/([a-zA-Z0-9._-]+)(:[0-9]+)?$'
      error: "LDAP URL is not valid. Should be e.g. 'ldap://example.com'."
+  use_tls:
+    value: false
+    label: "Use TLS"
+    description: "Enable TLS for communicating with the LDAP server."
+    weight: 26
+    type: "checkbox"
+  ca_chain:
+    type: "textarea"
+    weight: 27
+    value: ''
+    label: "CA Chain"
+    description: "CA trust chain in PEM format."
+    restrictions:
+      - condition: 'settings:ldap.use_tls.value == false'
+        action: "disable"
+    regex:
+      source: '^(-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$|^$'
+      error: "Please provide certificate in PEM format or leave this field empty"
  suffix:
    value: 'cn=example,cn=com'
    label: 'LDAP Suffix'