Fuel plugin which allows LDAP to be used as an authentication backend

controller.pp 6.7KB

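  # Configures the Keystone LDAP identity backend on a controller node.
  #
  # All settings come from the plugin section $::fuel_settings['ldap'].  The
  # class:
  #   * optionally installs a local LDAP proxy (slapd) and points Keystone at it,
  #   * declares the main plugin_ldap::keystone domain plus any additional
  #     domains listed in the UI text area,
  #   * enables domain-specific identity drivers in keystone.conf,
  #   * switches Horizon to the Keystone v3 API with multi-domain support and
  #     notifies httpd whenever one of the managed settings changes.
  class plugin_ldap::controller {
    include ::apache::params

    $management_vip = hiera('management_vip')
    $ldap           = $::fuel_settings['ldap']

    ## if AD is used, in order to properly display if account is enabled or disabled
    ## additional parameters should be set.
    # 512 / 2 are presumably the AD NORMAL_ACCOUNT and ACCOUNTDISABLE bits of
    # userAccountControl -- confirm against the directory in use.
    if $ldap['user_enabled_attribute'] == 'userAccountControl' {
      $user_enabled_default = 512
      $user_enabled_mask    = 2
    } else {
      # Keep both variables assigned on every path so the class also compiles
      # with strict_variables enabled; undef is what an unassigned variable
      # evaluated to before, so the keystone define receives the same value.
      $user_enabled_default = undef
      $user_enabled_mask    = undef
    }

    $identity_driver        = 'keystone.identity.backends.ldap.Identity'
    $ldap_url               = $ldap['url']
    $suffix                 = $ldap['suffix']
    $user                   = $ldap['user']
    $password               = $ldap['password']
    $query_scope            = $ldap['query_scope']
    $user_tree_dn           = $ldap['user_tree_dn']
    $user_filter            = $ldap['user_filter']
    $user_objectclass       = $ldap['user_objectclass']
    $user_id_attribute      = $ldap['user_id_attribute']
    $user_name_attribute    = $ldap['user_name_attribute']
    $user_pass_attribute    = $ldap['user_pass_attribute']
    $user_enabled_attribute = $ldap['user_enabled_attribute']
    $additional_domains     = $ldap['additional_domains']
    $ldap_proxy_custom_conf = $ldap['ldap_proxy_custom_conf']
    $ldap_proxy             = $ldap['ldap_proxy']

    # The directory is read-only from Keystone's point of view: no user or
    # group writes are ever allowed through the identity backend.
    $user_allow_create = false
    $user_allow_update = false
    $user_allow_delete = false

    $group_tree_dn          = $ldap['group_tree_dn']
    $group_filter           = $ldap['group_filter']
    $group_objectclass      = $ldap['group_objectclass']
    $group_id_attribute     = $ldap['group_id_attribute']
    $group_name_attribute   = $ldap['group_name_attribute']
    $group_member_attribute = $ldap['group_member_attribute']
    $group_desc_attribute   = $ldap['group_desc_attribute']
    $group_allow_create     = false
    $group_allow_update     = false
    $group_allow_delete     = false

    $page_size       = $ldap['page_size']
    $chase_referrals = pick($ldap['chase_referrals'], 'False')  # 'False' when unset in the UI
    $domain          = $ldap['domain']
    $use_tls         = $ldap['use_tls']
    $ca_chain        = pick($ldap['ca_chain'], false)

    ###########################################################################
    # Install ldap_proxy and generate slapd.conf file
    if $ldap_proxy {
      # Keystone talks to the local proxy on the management VIP over plain
      # ldap://; TLS towards the real directory (when enabled) is configured
      # on the proxy, so Keystone's own use_tls is forced off for this domain.
      # NOTE(review): the Keystone -> proxy hop therefore carries the bind
      # password unencrypted; this relies on the management network being
      # trusted -- confirm for the deployment.
      $url        = "ldap://${management_vip}"
      $proxy_data = proxy_config_parser($additional_domains, $ldap_proxy_custom_conf, $domain)
      $tls        = false

      class { 'plugin_ldap::ldap_proxy_install':
        slapd_custom_config   => $proxy_data[0],
        slapd_config_template => $proxy_data[1],
        domain_name           => $domain,
        use_tls               => $use_tls,
      }
      class { 'plugin_ldap::ldap_proxy_init':
        internal_virtual_ip => $management_vip,
      }
      # Proxy install first, then every Keystone domain, then proxy start;
      # httpd must also be up before the proxy is initialised.
      Class['plugin_ldap::ldap_proxy_install'] -> Plugin_ldap::Keystone<||> -> Class['plugin_ldap::ldap_proxy_init']
      Service['httpd'] -> Class['plugin_ldap::ldap_proxy_init']

      if $use_tls {
        plugin_ldap::tls { "${domain}_tls_certificate":
          domain_tls => $domain,
          ca_chain   => $ca_chain,
        }
      }
    } else {
      # No proxy: Keystone connects straight to the configured directory and
      # honours the TLS setting itself.
      $url        = $ldap_url
      $proxy_data = []
      $tls        = $use_tls
    }

    # Create domains using info from text area 'List of additional Domains'.
    # '^$' presumably splits the text area into one entry per blank-line
    # separated paragraph.
    if $additional_domains {
      $domains_list = split($additional_domains, '^$')
      plugin_ldap::multiple_domain { $domains_list:
        identity_driver       => $identity_driver,
        ldap_proxy            => $ldap_proxy,
        management_vip        => $management_vip,
        slapd_config_template => $proxy_data[1],
      }
    }

    # Presumably Keystone's domain_config_dir for the domain-specific drivers
    # enabled below -- confirm against the keystone define.
    file { '/etc/keystone/domains':
      ensure => 'directory',
      owner  => 'keystone',
      group  => 'keystone',
      mode   => '0755',  # 4-digit octal; bare '755' is ambiguous and flagged by puppet-lint
    }

    keystone_config {
      'identity/domain_specific_drivers_enabled': value => 'True';
    }

    plugin_ldap::keystone { $domain:
      identity_driver        => $identity_driver,
      url                    => $url,
      use_tls                => $tls,
      ca_chain               => $ca_chain,
      suffix                 => $suffix,
      user                   => $user,
      password               => $password,
      query_scope            => $query_scope,
      user_tree_dn           => $user_tree_dn,
      user_filter            => $user_filter,
      user_objectclass       => $user_objectclass,
      user_id_attribute      => $user_id_attribute,
      user_name_attribute    => $user_name_attribute,
      user_pass_attribute    => $user_pass_attribute,
      user_enabled_attribute => $user_enabled_attribute,
      user_enabled_default   => $user_enabled_default,
      user_enabled_mask      => $user_enabled_mask,
      user_allow_create      => $user_allow_create,
      user_allow_update      => $user_allow_update,
      user_allow_delete      => $user_allow_delete,
      group_tree_dn          => $group_tree_dn,
      group_filter           => $group_filter,
      group_objectclass      => $group_objectclass,
      group_id_attribute     => $group_id_attribute,
      group_name_attribute   => $group_name_attribute,
      group_member_attribute => $group_member_attribute,
      group_desc_attribute   => $group_desc_attribute,
      group_allow_create     => $group_allow_create,
      group_allow_update     => $group_allow_update,
      group_allow_delete     => $group_allow_delete,
      page_size              => $page_size,
      chase_referrals        => $chase_referrals,
    }

    service { 'httpd':
      ensure => running,
      name   => $apache::params::service_name,
    }

    # Point Horizon at the Keystone v3 API and enable multi-domain login.
    # NOTE(review): the Keystone endpoint is hard-coded as plain http:// on
    # the management VIP; acceptable only if that network is trusted -- confirm.
    file_line { 'OPENSTACK_KEYSTONE_URL':
      path  => '/etc/openstack-dashboard/local_settings.py',
      line  => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
      match => "^OPENSTACK_KEYSTONE_URL = .*$",
      tag   => 'ldap-horizon',
    }
    file_line { 'OPENSTACK_API_VERSIONS':
      path  => '/etc/openstack-dashboard/local_settings.py',
      line  => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
      match => "^# OPENSTACK_API_VERSIONS = {.*$",
      tag   => 'ldap-horizon',
    }
    file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
      path  => '/etc/openstack-dashboard/local_settings.py',
      line  => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
      match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
      tag   => 'ldap-horizon',
    }

    # Any change to the Horizon settings, keystone.conf or TLS material
    # restarts httpd, which presumably serves both Keystone and Horizon here.
    File_line<| tag == 'ldap-horizon' |> ~> Service['httpd']
    Keystone_config<||>                  ~> Service['httpd']
    Plugin_ldap::Tls<||>                 ~> Service['httpd']
  }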