Add TLS support.
An empty CA field is now allowed in the UI and ca_cert is checked in the manifest. Use tls_cacertdir instead of tls_cacertfile in the domain config file. Change-Id: Iec690539cb18399928cf7b03444fa25d08017e87
parent
825c658be9
commit
16d3494ba9
|
@ -42,6 +42,27 @@ class plugin_ldap::controller {
|
|||
$group_allow_delete = false
|
||||
|
||||
$domain = $::fuel_settings['ldap']['domain']
|
||||
$use_tls = $::fuel_settings['ldap']['use_tls']
|
||||
|
||||
if $use_tls {
|
||||
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
|
||||
$cacertfile = '/usr/local/share/ca-certificates/cacert-ldap.crt'
|
||||
|
||||
$tls_cacertdir = $ca_chain ? {
|
||||
default => 'None',
|
||||
true => '/etc/ssl/certs',
|
||||
}
|
||||
|
||||
if $ca_chain {
|
||||
file { $cacertfile:
|
||||
ensure => file,
|
||||
mode => 0644,
|
||||
content => $ca_chain,
|
||||
}
|
||||
~>
|
||||
exec { '/usr/sbin/update-ca-certificates': }
|
||||
}
|
||||
}
|
||||
|
||||
file { '/etc/keystone/domains':
|
||||
ensure => 'directory',
|
||||
|
@ -61,6 +82,8 @@ class plugin_ldap::controller {
|
|||
keystone_config {
|
||||
"${domain}/identity/driver": value => $identity_driver;
|
||||
"${domain}/ldap/url": value => $url;
|
||||
"${domain}/ldap/use_tls": value => $use_tls;
|
||||
"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;
|
||||
"${domain}/ldap/suffix": value => $suffix;
|
||||
"${domain}/ldap/user": value => $user;
|
||||
"${domain}/ldap/password": value => $password;
|
||||
|
|
|
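Review bot: The selector `$tls_cacertdir = $ca_chain ? { default => 'None', true => '/etc/ssl/certs' }` compares the PEM text held in `$ca_chain` with the boolean `true`, which in Puppet 3 selector matching is not equal, so the option most likely ends up as the literal string `'None'` even when a chain was supplied, and keystone reads `tls_cacertdir` as a directory path rather than as "unset" — confirm against the target Puppet and keystone versions. `$tls_cacertdir` is also assigned only inside `if $use_tls`, while the second hunk writes `"${domain}/ldap/tls_cacertdir": value => $tls_cacertdir;` unconditionally, so with TLS disabled it is referenced undefined; that entry should be guarded by the same condition or given `ensure => absent`. The notified `exec { '/usr/sbin/update-ca-certificates': }` has no `refreshonly => true` and will run on every agent run, and `mode => 0644` should be the quoted string `'0644'`. Installing the chain into the system store and pointing keystone at `/etc/ssl/certs` makes the LDAP connection trust every CA on the controller, not only the supplied one; if that is the intended design, the rewrite below at least keeps the option unset when no chain is given (the enclosing class continues outside the hunk).
```puppet
$use_tls = $::fuel_settings['ldap']['use_tls']
$ca_chain = pick($::fuel_settings['ldap']['ca_chain'], false)
$cacertfile = '/usr/local/share/ca-certificates/cacert-ldap.crt'

# Point keystone at the system CA directory only when a chain was supplied;
# otherwise leave the option unset instead of writing the literal 'None'.
if $use_tls and $ca_chain {
  $tls_cacertdir = '/etc/ssl/certs'

  file { $cacertfile:
    ensure  => file,
    mode    => '0644',
    content => $ca_chain,
  }
  ~>
  exec { '/usr/sbin/update-ca-certificates':
    refreshonly => true,
  }
} else {
  $tls_cacertdir = undef
}
# … unchanged: /etc/keystone/domains directory resource …
```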
@ -17,6 +17,24 @@ attributes:
|
|||
regex:
|
||||
source: '^ldap[si]?:\/\/([a-zA-Z0-9._-]+)(:[0-9]+)?$'
|
||||
error: "LDAP URL is not valid. Should be e.g. 'ldap://example.com'."
|
||||
use_tls:
|
||||
value: false
|
||||
label: "Use TLS"
|
||||
description: "Enable TLS for communicating with the LDAP server."
|
||||
weight: 26
|
||||
type: "checkbox"
|
||||
ca_chain:
|
||||
type: "textarea"
|
||||
weight: 27
|
||||
value: ''
|
||||
label: "CA Chain"
|
||||
description: "CA trust chain in PEM format."
|
||||
restrictions:
|
||||
- condition: 'settings:ldap.use_tls.value == false'
|
||||
action: "disable"
|
||||
regex:
|
||||
source: '^(-----BEGIN CERTIFICATE-----)(.*[\r\n])+(-----END CERTIFICATE-----[\s\S]*?)$|^$'
|
||||
error: "Please provide certificate in PEM format or leave this field empty"
|
||||
suffix:
|
||||
value: 'cn=example,cn=com'
|
||||
label: 'LDAP Suffix'
|
||||
|
|
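Review bot: The `use_tls` description `Enable TLS for communicating with the LDAP server.` does not say which mechanism is used: keystone's ldap `use_tls` issues StartTLS on a plain `ldap://` connection and is not meant for `ldaps://` URLs, which the URL regex in this hunk still accepts, so an operator can select a combination that fails at connect time — confirm against the deployed keystone, then state it, e.g. `description: "Enable StartTLS for communicating with the LDAP server (use with ldap:// URLs, not ldaps://)."`. The `ca_chain` field is disabled only when TLS is off, so the description should also tell the operator what an empty value means for server-certificate verification, e.g. `description: "CA trust chain in PEM format. If left empty, verification relies on the CAs already trusted by the controller."`. The PEM regex ends in `[\s\S]*?`, so any trailing text after the first END CERTIFICATE line is accepted; that is fine for a multi-certificate chain, but the error text could say that the whole chain is expected rather than a single certificate.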