
Add TLS support.

Now an empty CA field in the UI is allowed and ca_cert is checked in the manifest.
Use tls_cacertdir instead of tls_cacertfile in domain config file

Change-Id: Iec690539cb18399928cf7b03444fa25d08017e87
Oleksandr Vlasov 3 years ago
parent
commit
16d3494ba9

+ 23
- 0
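--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
@@ -42,6 +42,27 @@ class plugin_ldap::controller {
   $group_allow_delete     = false
 
   $domain                 = $::fuel_settings['ldap']['domain']
+  $use_tls                = $::fuel_settings['ldap']['use_tls']
+
+  if $use_tls {
+    $ca_chain       = pick($::fuel_settings['ldap']['ca_chain'], false)
+    $cacertfile     = '/usr/local/share/ca-certificates/cacert-ldap.crt'
+
+    $tls_cacertdir  = $ca_chain ? {
+      default => 'None',
+      true    => '/etc/ssl/certs',
+    }
+
+    if $ca_chain {
+      file { $cacertfile:
+        ensure  => file,
+        mode    => 0644,
+        content => $ca_chain,
+      }
+      ~>
+      exec { '/usr/sbin/update-ca-certificates': }
+    }
+  }
 
   file { '/etc/keystone/domains':
     ensure => 'directory',
@@ -61,6 +82,8 @@ class plugin_ldap::controller {
   keystone_config {
     "${domain}/identity/driver":        value  => $identity_driver;
     "${domain}/ldap/url":                    value => $url;
+    "${domain}/ldap/use_tls":                value => $use_tls;
+    "${domain}/ldap/tls_cacertdir":          value => $tls_cacertdir;
     "${domain}/ldap/suffix":                 value => $suffix;
     "${domain}/ldap/user":                   value => $user;
     "${domain}/ldap/password":               value => $password;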
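Review bot: The selector on `$ca_chain` (new lines 51–54) compares the pasted PEM string, returned by `pick(...)`, against the boolean `true`, and a non-empty string does not equal `true` in Puppet, so as far as I can tell `$tls_cacertdir` stays `'None'` even when a chain is supplied and the literal string `'None'` is then written as Keystone's `tls_cacertdir`. Keying the selector on the only falsy case, `$tls_cacertdir = $ca_chain ? { false => 'None', default => '/etc/ssl/certs' }`, makes the directory take effect; whether Keystone accepts the literal `'None'` when no chain is given is worth confirming separately. The `exec { '/usr/sbin/update-ca-certificates': }` has no `refreshonly => true`, so it runs on every catalog apply instead of only when the `file` resource notifies it. When `$use_tls` is false, `$tls_cacertdir` is never assigned yet is still referenced by the `keystone_config` entry in the second hunk, which is an error under strict variable checking and an undef value otherwise. Note that the chain lands in the controller's system-wide trust store, so every TLS client on the host trusts it rather than only the Keystone LDAP connection; a one-line comment above the `file` resource stating this is intended would help the next reader.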

+ 18
- 0
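--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -17,6 +17,24 @@ attributes:
     regex:
       source: '^ldap[si]?:\/\/([a-zA-Z0-9._-]+)(:[0-9]+)?$'
       error: "LDAP URL is not valid. Should be e.g. 'ldap://example.com'."
+  use_tls:
+    value: false
+    label: "Use TLS"
+    description: "Enable TLS for communicating with the LDAP server."
+    weight: 26
+    type: "checkbox"
+  ca_chain:
+    type: "textarea"
+    weight: 27
+    value: ''
+    label: "CA Chain"
+    description: "CA trust chain in PEM format."
+    restrictions:
+      - condition: 'settings:ldap.use_tls.value == false'
+        action: "disable"
+    regex:
+      source: '^(-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$|^$'
+      error: "Please provide certificate in PEM format or leave this field empty"
   suffix:
     value: 'cn=example,cn=com'
     label: 'LDAP Suffix'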
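Review bot: The `ca_chain` description does not tell the operator where the pasted chain ends up; the controller manifest in this commit writes it under `/usr/local/share/ca-certificates` and runs `update-ca-certificates`, so it becomes trusted host-wide on the controller, not only by Keystone. I would extend it to `description: "CA trust chain in PEM format. It is installed into the controller's system CA trust store."`. The regex only checks that the text starts with a BEGIN line and contains an END line somewhere, and the trailing `[\s\S]*?` lets anything follow it, so a truncated or malformed chain still passes the form; that is tolerable if the manifest side fails loudly, but the error message reads as though the PEM content is validated.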
