
keystone ldap plugin initial commit

 * Enable domain_specific_drivers in keystone
 * create the keystone domain specified in plugin settings and
   change its identity driver to ldap
 * use keystone v3 api in horizon

Change-Id: I0f1179c62d0f36dad92c4872f8e85c4a60af418b
vsaienko 3 years ago
parent
commit
80845952bb

+ 4
- 0
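--- a/README.md
+++ b/README.md
@@ -0,0 +1,4 @@
+ldap
+============
+
+Plugin description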

+ 2
- 0
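--- a/deployment_scripts/puppet/manifests/controller_site.pp
+++ b/deployment_scripts/puppet/manifests/controller_site.pp
@@ -0,0 +1,2 @@
+$fuel_settings = parseyaml($astute_settings_yaml)
+class {'plugin_ldap::controller': }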

+ 43
- 0
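--- a/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/provider/keystone_config/ini_setting_domain.rb
+++ b/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/provider/keystone_config/ini_setting_domain.rb
@@ -0,0 +1,43 @@
+Puppet::Type.type(:keystone_config).provide(
+  :ini_setting_domain,
+  :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+  def elements
+    return @elements if @elements
+    elements = resource[:name].split('/', 3)
+    elements.unshift nil unless elements.length >= 3
+    elements[0] = nil if elements[0] =~ /default/i
+    @elements = {
+      :domain  => elements[0],
+      :section => elements[1],
+      :setting => elements[2..-1].join,
+    }
+  end
+
+  def section
+    elements[:section]
+  end
+
+  def setting
+    elements[:setting]
+  end
+
+  def domain
+    elements[:domain]
+  end
+
+  def separator
+    '='
+  end
+
+  # added for backwards compatibility with older versions of inifile
+  def file_path
+    if elements[:domain]
+      "/etc/keystone/domains/keystone.#{@elements[:domain]}.conf"
+    else
+      '/etc/keystone/keystone.conf'
+    end
+  end
+
+end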
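Review bot: An empty domain in the resource title is not normalised on line 10, so a title such as `/identity/driver` (what the manifest produces when the plugin's `domain` setting is left at its default `''`) splits into `['', 'identity', 'driver']`, and since `''` is truthy in Ruby, `file_path` on line 36 takes the domain branch and writes to `/etc/keystone/domains/keystone..conf` rather than `keystone.conf`. Treating an empty domain like `default` closes that gap: `elements[0] = nil if elements[0].nil? || elements[0].empty? || elements[0] =~ /default/i`. Separately, line 37 reads `@elements[:domain]` while line 36 reads `elements[:domain]`; using the accessor in both places keeps the memoisation path uniform. A short header comment describing the three-part `domain/section/setting` title format and the `default` alias would also help the next maintainer, since nothing in the file states it.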

+ 96
- 0
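--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
@@ -0,0 +1,96 @@
+class plugin_ldap::controller {
+
+  include ::apache::params
+
+  $management_vip             = hiera('management_vip')
+
+  ## if AD is used, in order to properly display if account is enabled or disabled
+  ## additional parameters need to be set.
+  if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
+    $user_enabled_default = 512
+    $user_enabled_mask   = 2
+  }
+
+  $identity_driver        = 'keystone.identity.backends.ldap.Identity'
+  $url                    = $::fuel_settings['ldap']['url']
+  $suffix                 = $::fuel_settings['ldap']['suffix']
+  $user                   = $::fuel_settings['ldap']['user']
+  $password               = $::fuel_settings['ldap']['password']
+  $query_scope            = $::fuel_settings['ldap']['query_scope']
+  $user_tree_dn           = $::fuel_settings['ldap']['user_tree_dn']
+  $user_filter            = $::fuel_settings['ldap']['user_filter']
+  $user_objectclass       = $::fuel_settings['ldap']['user_objectclass']
+  $user_id_attribute      = $::fuel_settings['ldap']['user_id_attribute']
+  $user_name_attribute    = $::fuel_settings['ldap']['user_name_attribute']
+  $user_pass_attribute    = $::fuel_settings['ldap']['user_pass_attribute']
+  $user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
+
+  $user_allow_create      = false
+  $user_allow_update      = false
+  $user_allow_delete      = false
+
+  $domain                 = $::fuel_settings['ldap']['domain']
+
+  file { '/etc/keystone/domains':
+    ensure => 'directory',
+    owner  => 'keystone',
+    group  => 'keystone',
+    mode   => '755',
+  }
+
+  keystone_config {
+    "identity/domain_specific_drivers_enabled": value => 'True';
+  }
+
+  Keystone_config {
+    provider => 'ini_setting_domain',
+  }
+
+  keystone_config {
+    "${domain}/identity/driver":        value  => $identity_driver;
+    "${domain}/ldap/url":                    value => $url;
+    "${domain}/ldap/suffix":                 value => $suffix;
+    "${domain}/ldap/user":                   value => $user;
+    "${domain}/ldap/password":               value => $password;
+    "${domain}/ldap/query_scope":            value => $query_scope;
+    "${domain}/ldap/user_tree_dn":           value => $user_tree_dn;
+    "${domain}/ldap/user_filter":            value => $user_filter;
+    "${domain}/ldap/user_objectclass":       value => $user_objectclass;
+    "${domain}/ldap/user_id_attribute":      value => $user_id_attribute;
+    "${domain}/ldap/user_name_attribute":    value => $user_name_attribute;
+    "${domain}/ldap/user_pass_attribute":    value => $user_pass_attribute;
+    "${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
+    "${domain}/ldap/user_enabled_default":   value => $user_enabled_default;
+    "${domain}/ldap/user_enabled_mask":      value => $user_enabled_mask;
+    "${domain}/ldap/user_allow_create":      value => $user_allow_create;
+    "${domain}/ldap/user_allow_update":      value => $user_allow_update;
+    "${domain}/ldap/user_allow_delete":      value => $user_allow_delete;
+  } ~>
+  service { 'httpd':
+    name     => "$apache::params::service_name",
+    ensure   => running,
+  }
+
+  keystone_domain { "${domain}":
+    ensure  => present,
+    enabled => true,
+  }
+
+  file_line { 'OPENSTACK_KEYSTONE_URL':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
+    match => "^OPENSTACK_KEYSTONE_URL = .*$",
+  } ~> Service ['httpd']
+
+  file_line { 'OPENSTACK_API_VERSIONS':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
+    match => "^# OPENSTACK_API_VERSIONS = {.*$",
+  } ~> Service ['httpd']
+
+  file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
+    match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
+  } ~> Service ['httpd']
+}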
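Review bot: The per-domain config file that receives the LDAP bind password (`${domain}/ldap/password`, line 54) is never declared as a `file` resource, so its owner and mode are whatever the ini_setting provider leaves when it creates `/etc/keystone/domains/keystone.${domain}.conf`; only the parent directory on lines 34-39 is managed, and presumably the new file ends up with the process umask rather than the 0640 keystone.conf normally has. Declaring the file with an explicit mode before the settings are written, and wiring the `Keystone_config` default to require it, keeps the secret out of a world-readable file; the rewritten lines are below. The directory mode on line 38 should also be written as `'0755'`, since a three-digit `'755'` is treated as an octal string inconsistently across Puppet versions. Note that `$user_enabled_default` and `$user_enabled_mask` are only assigned inside the `userAccountControl` branch on lines 9-12, so for any other attribute lines 63-64 pass an undefined value to `keystone_config`; guarding those two entries on the same condition, or giving them defaults, would avoid depending on how the provider handles `undef`.
```puppet
  file { '/etc/keystone/domains':
    ensure => 'directory',
    owner  => 'keystone',
    group  => 'keystone',
    mode   => '0755',
  }

  # Holds the LDAP bind password: create it with a restrictive mode before
  # the ini_setting provider writes into it.
  file { "/etc/keystone/domains/keystone.${domain}.conf":
    ensure  => 'file',
    owner   => 'keystone',
    group   => 'keystone',
    mode    => '0640',
    require => File['/etc/keystone/domains'],
  }

  # … unchanged: identity/domain_specific_drivers_enabled …

  Keystone_config {
    provider => 'ini_setting_domain',
    require  => File["/etc/keystone/domains/keystone.${domain}.conf"],
  }

  # … unchanged: domain ldap settings, httpd service, keystone_domain, file_line resources …
```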

+ 79
- 0
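--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -0,0 +1,79 @@
+attributes:
+  domain:
+    value: ''
+    label: 'LDAP domain'
+    description: 'LDAP domain name'
+    weight: 20
+    type: "text"
+  url:
+    value: ''
+    label: 'LDAP URL'
+    description: 'URL for connecting to the LDAP server.'
+    weight: 25
+    type: "text"
+  suffix:
+    value: 'cn=example,cn=com'
+    label: 'LDAP Suffix'
+    description: 'LDAP server suffix.'
+    weight: 26
+    type: "text"
+  user:
+    value: 'cn=admin,dc=local'
+    label: 'LDAP User'
+    description: 'User BindDN to query the LDAP server.'
+    weight: 30
+    type: "text"
+  password:
+    value: ''
+    label: 'LDAP User Password'
+    description: 'Password for the BindDN to query the LDAP server.'
+    weight: 35
+    type: "password"
+  query_scope:
+    value: 'one'
+    label: 'LDAP Query Scope'
+    description: 'The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).'
+    weight: 40
+    type: "text"
+  user_tree_dn:
+    value: 'ou=Users,dc=example,dc=com'
+    label: 'Users Tree DN'
+    description: 'Search base for users.'
+    weight: 45
+    type: "text"
+  user_filter:
+    value: ''
+    label: 'User Filter'
+    description: 'LDAP search filter for users.'
+    weight: 46
+    type: "text"
+  user_objectclass:
+    value: 'inetOrgPerson'
+    label: 'User Object Class'
+    description: 'LDAP objectclass for users.'
+    weight: 50
+    type: "text"
+  user_id_attribute:
+    value: 'cn'
+    label: 'User ID Attribute'
+    description: 'LDAP attribute mapped to user id.'
+    weight: 55
+    type: "text"
+  user_name_attribute:
+    value: 'sn'
+    label: 'User Name Attribute'
+    description: 'LDAP attribute mapped to user name.'
+    weight: 60
+    type: "text"
+  user_pass_attribute:
+    value: 'userPassword'
+    label: 'User Password Attribute'
+    description: 'LDAP attribute mapped to password.'
+    weight: 65
+    type: "text"
+  user_enabled_attribute:
+    value: 'enabled'
+    label: 'User Enabled/Disabled Attribute'
+    description: 'LDAP attribute mapped to enabled/disabled.'
+    weight: 66
+    type: "text"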
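Review bot: The shipped defaults on lines 15, 21 and 39 do not describe one directory: `suffix` is `cn=example,cn=com` (a suffix is a naming context, normally `dc=` components), `user` binds under `dc=local`, and `user_tree_dn` lives under `dc=example,dc=com`, so an operator who accepts the defaults gets a bind DN outside the suffix and a search base unrelated to it. Aligning them on one base avoids that, e.g. `value: 'dc=example,dc=com'` for `suffix` and `value: 'cn=admin,dc=example,dc=com'` for `user`. The `url` description on line 11 would also benefit from stating whether `ldaps://` is expected: the manifest in this commit exposes no TLS setting, so a plain `ldap://` URL sends the bind password from line 27 in cleartext on every keystone query, and the description is the only place an operator is told what to enter.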

+ 16
- 0
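--- a/metadata.yaml
+++ b/metadata.yaml
@@ -0,0 +1,16 @@
+name: ldap
+title: LDAP plugin for Keystone
+version: '1.0.0'
+description: Enable to use LDAP authentication backend for Keystone
+fuel_version: ['7.0']
+licenses: ['Apache License Version 2.0']
+authors: ['Mirantis']
+homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
+groups: ['network']
+releases:
+  - os: ubuntu
+    version: 2015.1-7.0
+    mode: ['ha', 'multinode']
+    deployment_scripts_path: deployment_scripts/
+    repository_path: repositories/ubuntu
+package_version: '2.0.0'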

+ 0
- 0
repositories/centos/.gitkeep View File


+ 0
- 0
repositories/ubuntu/.gitkeep View File


+ 7
- 0
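--- a/tasks.yaml
+++ b/tasks.yaml
@@ -0,0 +1,7 @@
+- role: [primary-controller, controller]
+  stage: post_deployment
+  type: puppet
+  parameters:
+    puppet_manifest: "puppet/manifests/controller_site.pp"
+    puppet_modules: "puppet/modules/:/etc/puppet/modules/"
+    timeout: 3600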
