x/python-ganttclient
Code Issues Proposed changes

Simplifies and improves ldap schema.

Browse Source
This commit is contained in:
Ryan Lane
2010-12-23 17:46:59 +00:00
committed by Tarmac
parent e17eb8bf71 75156b025e
commit c95a4af38f
6 changed files with 105 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nova/auth/fakeldap.py
View File

@@ -150,6 +150,9 @@ def _match(key, value, attrs):
"""Match a given key and value against an attribute list.""" """Match a given key and value against an attribute list."""
if key not in attrs: if key not in attrs:
return False return False
# This is a wild card search. Implemented as all or nothing for now.
if value == "*":
return True
if key != "objectclass": if key != "objectclass":
return value in attrs[key] return value in attrs[key]
# it is an objectclass check, so check subclasses # it is an objectclass check, so check subclasses

139
nova/auth/ldapdriver.py
View File

@@ -32,11 +32,16 @@ from nova import flags
FLAGS = flags.FLAGS FLAGS = flags.FLAGS
flags.DEFINE_integer('ldap_schema_version', 2,
'Current version of the LDAP schema')
flags.DEFINE_string('ldap_url', 'ldap://localhost', flags.DEFINE_string('ldap_url', 'ldap://localhost',
'Point this at your ldap server') 'Point this at your ldap server')
flags.DEFINE_string('ldap_password', 'changeme', 'LDAP password') flags.DEFINE_string('ldap_password', 'changeme', 'LDAP password')
flags.DEFINE_string('ldap_user_dn', 'cn=Manager,dc=example,dc=com', flags.DEFINE_string('ldap_user_dn', 'cn=Manager,dc=example,dc=com',
'DN of admin user') 'DN of admin user')
flags.DEFINE_string('ldap_user_id_attribute', 'uid', 'Attribute to use as id')
flags.DEFINE_string('ldap_user_name_attribute', 'cn',
'Attribute to use as name')
flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users') flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users')
flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com', flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com',
'OU for Users') 'OU for Users')
@@ -73,10 +78,20 @@ class LdapDriver(object):
Defines enter and exit and therefore supports the with/as syntax. Defines enter and exit and therefore supports the with/as syntax.
""" """
project_pattern = '(owner=*)'
isadmin_attribute = 'isNovaAdmin'
project_attribute = 'owner'
project_objectclass = 'groupOfNames'
def __init__(self): def __init__(self):
"""Imports the LDAP module""" """Imports the LDAP module"""
self.ldap = __import__('ldap') self.ldap = __import__('ldap')
self.conn = None self.conn = None
if FLAGS.ldap_schema_version == 1:
LdapDriver.project_pattern = '(objectclass=novaProject)'
LdapDriver.isadmin_attribute = 'isAdmin'
LdapDriver.project_attribute = 'projectManager'
LdapDriver.project_objectclass = 'novaProject'
def __enter__(self): def __enter__(self):
"""Creates the connection to LDAP""" """Creates the connection to LDAP"""
@@ -104,7 +119,7 @@ class LdapDriver(object):
"""Retrieve project by id""" """Retrieve project by id"""
dn = 'cn=%s,%s' % (pid, dn = 'cn=%s,%s' % (pid,
FLAGS.ldap_project_subtree) FLAGS.ldap_project_subtree)
attr = self.__find_object(dn, '(objectclass=novaProject)') attr = self.__find_object(dn, LdapDriver.project_pattern)
return self.__to_project(attr) return self.__to_project(attr)
def get_users(self): def get_users(self):
@@ -120,7 +135,7 @@ class LdapDriver(object):
def get_projects(self, uid=None): def get_projects(self, uid=None):
"""Retrieve list of projects""" """Retrieve list of projects"""
pattern = '(objectclass=novaProject)' pattern = LdapDriver.project_pattern
if uid: if uid:
pattern = "(&%s(member=%s))" % (pattern, self.__uid_to_dn(uid)) pattern = "(&%s(member=%s))" % (pattern, self.__uid_to_dn(uid))
attrs = self.__find_objects(FLAGS.ldap_project_subtree, attrs = self.__find_objects(FLAGS.ldap_project_subtree,
@@ -139,22 +154,24 @@ class LdapDriver(object):
# Malformed entries are useless, replace attributes found. # Malformed entries are useless, replace attributes found.
attr = [] attr = []
if 'secretKey' in user.keys(): if 'secretKey' in user.keys():
attr.append((self.ldap.MOD_REPLACE, 'secretKey', \ attr.append((self.ldap.MOD_REPLACE, 'secretKey',
[secret_key])) [secret_key]))
else: else:
attr.append((self.ldap.MOD_ADD, 'secretKey', \ attr.append((self.ldap.MOD_ADD, 'secretKey',
[secret_key])) [secret_key]))
if 'accessKey' in user.keys(): if 'accessKey' in user.keys():
attr.append((self.ldap.MOD_REPLACE, 'accessKey', \ attr.append((self.ldap.MOD_REPLACE, 'accessKey',
[access_key])) [access_key]))
else: else:
attr.append((self.ldap.MOD_ADD, 'accessKey', \ attr.append((self.ldap.MOD_ADD, 'accessKey',
[access_key])) [access_key]))
if 'isAdmin' in user.keys(): if LdapDriver.isadmin_attribute in user.keys():
attr.append((self.ldap.MOD_REPLACE, 'isAdmin', \ attr.append((self.ldap.MOD_REPLACE,
LdapDriver.isadmin_attribute,
[str(is_admin).upper()])) [str(is_admin).upper()]))
else: else:
attr.append((self.ldap.MOD_ADD, 'isAdmin', \ attr.append((self.ldap.MOD_ADD,
LdapDriver.isadmin_attribute,
[str(is_admin).upper()])) [str(is_admin).upper()]))
self.conn.modify_s(self.__uid_to_dn(name), attr) self.conn.modify_s(self.__uid_to_dn(name), attr)
return self.get_user(name) return self.get_user(name)
@@ -168,12 +185,12 @@ class LdapDriver(object):
'inetOrgPerson', 'inetOrgPerson',
'novaUser']), 'novaUser']),
('ou', [FLAGS.ldap_user_unit]), ('ou', [FLAGS.ldap_user_unit]),
('uid', [name]), (FLAGS.ldap_user_id_attribute, [name]),
('sn', [name]), ('sn', [name]),
('cn', [name]), (FLAGS.ldap_user_name_attribute, [name]),
('secretKey', [secret_key]), ('secretKey', [secret_key]),
('accessKey', [access_key]), ('accessKey', [access_key]),
('isAdmin', [str(is_admin).upper()]), (LdapDriver.isadmin_attribute, [str(is_admin).upper()]),
] ]
self.conn.add_s(self.__uid_to_dn(name), attr) self.conn.add_s(self.__uid_to_dn(name), attr)
return self.__to_user(dict(attr)) return self.__to_user(dict(attr))
@@ -204,10 +221,10 @@ class LdapDriver(object):
if not manager_dn in members: if not manager_dn in members:
members.append(manager_dn) members.append(manager_dn)
attr = [ attr = [
('objectclass', ['novaProject']), ('objectclass', [LdapDriver.project_objectclass]),
('cn', [name]), ('cn', [name]),
('description', [description]), ('description', [description]),
('projectManager', [manager_dn]), (LdapDriver.project_attribute, [manager_dn]),
('member', members)] ('member', members)]
self.conn.add_s('cn=%s,%s' % (name, FLAGS.ldap_project_subtree), attr) self.conn.add_s('cn=%s,%s' % (name, FLAGS.ldap_project_subtree), attr)
return self.__to_project(dict(attr)) return self.__to_project(dict(attr))
@@ -223,7 +240,8 @@ class LdapDriver(object):
"manager %s doesn't exist") "manager %s doesn't exist")
% manager_uid) % manager_uid)
manager_dn = self.__uid_to_dn(manager_uid) manager_dn = self.__uid_to_dn(manager_uid)
attr.append((self.ldap.MOD_REPLACE, 'projectManager', manager_dn)) attr.append((self.ldap.MOD_REPLACE, LdapDriver.project_attribute,
manager_dn))
if description: if description:
attr.append((self.ldap.MOD_REPLACE, 'description', description)) attr.append((self.ldap.MOD_REPLACE, 'description', description))
self.conn.modify_s('cn=%s,%s' % (project_id, self.conn.modify_s('cn=%s,%s' % (project_id,
@@ -283,10 +301,9 @@ class LdapDriver(object):
return roles return roles
else: else:
project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree) project_dn = 'cn=%s,%s' % (project_id, FLAGS.ldap_project_subtree)
roles = self.__find_objects(project_dn, query = ('(&(&(objectclass=groupOfNames)(!%s))(member=%s))' %
'(&(&(objectclass=groupOfNames)' (LdapDriver.project_pattern, self.__uid_to_dn(uid)))
'(!(objectclass=novaProject)))' roles = self.__find_objects(project_dn, query)
'(member=%s))' % self.__uid_to_dn(uid))
return [role['cn'][0] for role in roles] return [role['cn'][0] for role in roles]
def delete_user(self, uid): def delete_user(self, uid):
@@ -300,14 +317,15 @@ class LdapDriver(object):
# Retrieve user by name # Retrieve user by name
user = self.__get_ldap_user(uid) user = self.__get_ldap_user(uid)
if 'secretKey' in user.keys(): if 'secretKey' in user.keys():
attr.append((self.ldap.MOD_DELETE, 'secretKey', \ attr.append((self.ldap.MOD_DELETE, 'secretKey',
user['secretKey'])) user['secretKey']))
if 'accessKey' in user.keys(): if 'accessKey' in user.keys():
attr.append((self.ldap.MOD_DELETE, 'accessKey', \ attr.append((self.ldap.MOD_DELETE, 'accessKey',
user['accessKey'])) user['accessKey']))
if 'isAdmin' in user.keys(): if LdapDriver.isadmin_attribute in user.keys():
attr.append((self.ldap.MOD_DELETE, 'isAdmin', \ attr.append((self.ldap.MOD_DELETE,
user['isAdmin'])) LdapDriver.isadmin_attribute,
user[LdapDriver.isadmin_attribute]))
self.conn.modify_s(self.__uid_to_dn(uid), attr) self.conn.modify_s(self.__uid_to_dn(uid), attr)
else: else:
# Delete entry # Delete entry
@@ -329,7 +347,8 @@ class LdapDriver(object):
if secret_key: if secret_key:
attr.append((self.ldap.MOD_REPLACE, 'secretKey', secret_key)) attr.append((self.ldap.MOD_REPLACE, 'secretKey', secret_key))
if admin is not None: if admin is not None:
attr.append((self.ldap.MOD_REPLACE, 'isAdmin', str(admin).upper())) attr.append((self.ldap.MOD_REPLACE, LdapDriver.isadmin_attribute,
str(admin).upper()))
self.conn.modify_s(self.__uid_to_dn(uid), attr) self.conn.modify_s(self.__uid_to_dn(uid), attr)
def __user_exists(self, uid): def __user_exists(self, uid):
@@ -383,19 +402,21 @@ class LdapDriver(object):
def __find_role_dns(self, tree): def __find_role_dns(self, tree):
"""Find dns of role objects in given tree""" """Find dns of role objects in given tree"""
return self.__find_dns(tree, query = ('(&(objectclass=groupOfNames)(!%s))' %
'(&(objectclass=groupOfNames)(!(objectclass=novaProject)))') LdapDriver.project_pattern)
return self.__find_dns(tree, query)
def __find_group_dns_with_member(self, tree, uid): def __find_group_dns_with_member(self, tree, uid):
"""Find dns of group objects in a given tree that contain member""" """Find dns of group objects in a given tree that contain member"""
dns = self.__find_dns(tree, query = ('(&(objectclass=groupOfNames)(member=%s))' %
'(&(objectclass=groupOfNames)(member=%s))' %
self.__uid_to_dn(uid)) self.__uid_to_dn(uid))
dns = self.__find_dns(tree, query)
return dns return dns
def __group_exists(self, dn): def __group_exists(self, dn):
"""Check if group exists""" """Check if group exists"""
return self.__find_object(dn, '(objectclass=groupOfNames)') is not None query = '(objectclass=groupOfNames)'
return self.__find_object(dn, query) is not None
@staticmethod @staticmethod
def __role_to_dn(role, project_id=None): def __role_to_dn(role, project_id=None):
@@ -417,9 +438,9 @@ class LdapDriver(object):
if member_uids is not None: if member_uids is not None:
for member_uid in member_uids: for member_uid in member_uids:
if not self.__user_exists(member_uid): if not self.__user_exists(member_uid):
raise exception.NotFound(_("Group can't be created " raise exception.NotFound("Group can't be created "
"because user %s doesn't exist") "because user %s doesn't exist" %
% member_uid) member_uid)
members.append(self.__uid_to_dn(member_uid)) members.append(self.__uid_to_dn(member_uid))
dn = self.__uid_to_dn(uid) dn = self.__uid_to_dn(uid)
if not dn in members: if not dn in members:
@@ -434,9 +455,8 @@ class LdapDriver(object):
def __is_in_group(self, uid, group_dn): def __is_in_group(self, uid, group_dn):
"""Check if user is in group""" """Check if user is in group"""
if not self.__user_exists(uid): if not self.__user_exists(uid):
raise exception.NotFound(_("User %s can't be searched in group " raise exception.NotFound("User %s can't be searched in group "
"because the user doesn't exist") "because the user doesn't exist" % uid)
% uid)
if not self.__group_exists(group_dn): if not self.__group_exists(group_dn):
return False return False
res = self.__find_object(group_dn, res = self.__find_object(group_dn,
@@ -447,12 +467,11 @@ class LdapDriver(object):
def __add_to_group(self, uid, group_dn): def __add_to_group(self, uid, group_dn):
"""Add user to group""" """Add user to group"""
if not self.__user_exists(uid): if not self.__user_exists(uid):
raise exception.NotFound(_("User %s can't be added to the group " raise exception.NotFound("User %s can't be added to the group "
"because the user doesn't exist") "because the user doesn't exist" % uid)
% uid)
if not self.__group_exists(group_dn): if not self.__group_exists(group_dn):
raise exception.NotFound(_("The group at dn %s doesn't exist") raise exception.NotFound("The group at dn %s doesn't exist" %
% group_dn) group_dn)
if self.__is_in_group(uid, group_dn): if self.__is_in_group(uid, group_dn):
raise exception.Duplicate(_("User %s is already a member of " raise exception.Duplicate(_("User %s is already a member of "
"the group %s") % (uid, group_dn)) "the group %s") % (uid, group_dn))
@@ -462,18 +481,17 @@ class LdapDriver(object):
def __remove_from_group(self, uid, group_dn): def __remove_from_group(self, uid, group_dn):
"""Remove user from group""" """Remove user from group"""
if not self.__group_exists(group_dn): if not self.__group_exists(group_dn):
raise exception.NotFound(_("The group at dn %s doesn't exist") raise exception.NotFound("The group at dn %s doesn't exist" %
% group_dn) group_dn)
if not self.__user_exists(uid): if not self.__user_exists(uid):
raise exception.NotFound(_("User %s can't be removed from the " raise exception.NotFound("User %s can't be removed from the "
"group because the user doesn't exist") "group because the user doesn't exist" %
% uid) uid)
if not self.__is_in_group(uid, group_dn): if not self.__is_in_group(uid, group_dn):
raise exception.NotFound(_("User %s is not a member of the group") raise exception.NotFound("User %s is not a member of the group" %
% uid) uid)
# NOTE(vish): remove user from group and any sub_groups # NOTE(vish): remove user from group and any sub_groups
sub_dns = self.__find_group_dns_with_member( sub_dns = self.__find_group_dns_with_member(group_dn, uid)
group_dn, uid)
for sub_dn in sub_dns: for sub_dn in sub_dns:
self.__safe_remove_from_group(uid, sub_dn) self.__safe_remove_from_group(uid, sub_dn)
@@ -491,9 +509,8 @@ class LdapDriver(object):
def __remove_from_all(self, uid): def __remove_from_all(self, uid):
"""Remove user from all roles and projects""" """Remove user from all roles and projects"""
if not self.__user_exists(uid): if not self.__user_exists(uid):
raise exception.NotFound(_("User %s can't be removed from all " raise exception.NotFound("User %s can't be removed from all "
"because the user doesn't exist") "because the user doesn't exist" % uid)
% uid)
role_dns = self.__find_group_dns_with_member( role_dns = self.__find_group_dns_with_member(
FLAGS.role_project_subtree, uid) FLAGS.role_project_subtree, uid)
for role_dn in role_dns: for role_dn in role_dns:
@@ -521,13 +538,13 @@ class LdapDriver(object):
if attr is None: if attr is None:
return None return None
if ('accessKey' in attr.keys() and 'secretKey' in attr.keys() \ if ('accessKey' in attr.keys() and 'secretKey' in attr.keys() \
and 'isAdmin' in attr.keys()): and LdapDriver.isadmin_attribute in attr.keys()):
return { return {
'id': attr['uid'][0], 'id': attr[FLAGS.ldap_user_id_attribute][0],
'name': attr['cn'][0], 'name': attr[FLAGS.ldap_user_name_attribute][0],
'access': attr['accessKey'][0], 'access': attr['accessKey'][0],
'secret': attr['secretKey'][0], 'secret': attr['secretKey'][0],
'admin': (attr['isAdmin'][0] == 'TRUE')} 'admin': (attr[LdapDriver.isadmin_attribute][0] == 'TRUE')}
else: else:
return None return None
@@ -539,7 +556,8 @@ class LdapDriver(object):
return { return {
'id': attr['cn'][0], 'id': attr['cn'][0],
'name': attr['cn'][0], 'name': attr['cn'][0],
'project_manager_id': self.__dn_to_uid(attr['projectManager'][0]), 'project_manager_id':
self.__dn_to_uid(attr[LdapDriver.project_attribute][0]),
'description': attr.get('description', [None])[0], 'description': attr.get('description', [None])[0],
'member_ids': [self.__dn_to_uid(x) for x in member_dns]} 'member_ids': [self.__dn_to_uid(x) for x in member_dns]}
@@ -549,9 +567,10 @@ class LdapDriver(object):
return dn.split(',')[0].split('=')[1] return dn.split(',')[0].split('=')[1]
@staticmethod @staticmethod
def __uid_to_dn(dn): def __uid_to_dn(uid):
"""Convert uid to dn""" """Convert uid to dn"""
return 'uid=%s,%s' % (dn, FLAGS.ldap_user_subtree) return (FLAGS.ldap_user_id_attribute + '=%s,%s'
% (uid, FLAGS.ldap_user_subtree))
class FakeLdapDriver(LdapDriver): class FakeLdapDriver(LdapDriver):

46
nova/auth/nova_openldap.schema
View File

@@ -1,7 +1,9 @@
# #
# Person object for Nova # Person object for Nova
# inetorgperson with extra attributes # inetorgperson with extra attributes
# Author: Vishvananda Ishaya <vishvananda@yahoo.com> # Schema version: 2
# Authors: Vishvananda Ishaya <vishvananda@gmail.com>
# Ryan Lane <rlane@wikimedia.org>
# #
# #
@@ -30,55 +32,19 @@ attributetype (
SINGLE-VALUE SINGLE-VALUE
) )
attributetype (
novaAttrs:3
NAME 'keyFingerprint'
DESC 'Fingerprint of private key'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( attributetype (
novaAttrs:4 novaAttrs:4
NAME 'isAdmin' NAME 'isNovaAdmin'
DESC 'Is user an administrator?' DESC 'Is user an nova administrator?'
EQUALITY booleanMatch EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE SINGLE-VALUE
) )
attributetype (
novaAttrs:5
NAME 'projectManager'
DESC 'Project Managers of a project'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
objectClass ( objectClass (
novaOCs:1 novaOCs:1
NAME 'novaUser' NAME 'novaUser'
DESC 'access and secret keys' DESC 'access and secret keys'
AUXILIARY AUXILIARY
MUST ( uid ) MAY ( accessKey $ secretKey $ isNovaAdmin )
MAY ( accessKey $ secretKey $ isAdmin )
)
objectClass (
novaOCs:2
NAME 'novaKeyPair'
DESC 'Key pair for User'
SUP top
STRUCTURAL
MUST ( cn $ sshPublicKey $ keyFingerprint )
)
objectClass (
novaOCs:3
NAME 'novaProject'
DESC 'Container for project'
SUP groupOfNames
STRUCTURAL
MUST ( cn $ projectManager )
) )

13
nova/auth/nova_sun.schema
View File

@@ -1,16 +1,13 @@
# #
# Person object for Nova # Person object for Nova
# inetorgperson with extra attributes # inetorgperson with extra attributes
# Author: Vishvananda Ishaya <vishvananda@yahoo.com> # Schema version: 2
# Modified for strict RFC 4512 compatibility by: Ryan Lane <ryan@ryandlane.com> # Authors: Vishvananda Ishaya <vishvananda@gmail.com>
# Ryan Lane <rlane@wikimedia.org>
# #
# using internet experimental oid arc as per BP64 3.1 # using internet experimental oid arc as per BP64 3.1
dn: cn=schema dn: cn=schema
attributeTypes: ( 1.3.6.1.3.1.666.666.3.1 NAME 'accessKey' DESC 'Key for accessing data' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.3.1.666.666.3.1 NAME 'accessKey' DESC 'Key for accessing data' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.3.1.666.666.3.2 NAME 'secretKey' DESC 'Secret key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.3.1.666.666.3.2 NAME 'secretKey' DESC 'Secret key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.3.1.666.666.3.3 NAME 'keyFingerprint' DESC 'Fingerprint of private key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) attributeTypes: ( 1.3.6.1.3.1.666.666.3.4 NAME 'isNovaAdmin' DESC 'Is user a nova administrator?' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.3.1.666.666.3.4 NAME 'isAdmin' DESC 'Is user an administrator?' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) objectClasses: ( 1.3.6.1.3.1.666.666.4.1 NAME 'novaUser' DESC 'access and secret keys' SUP top AUXILIARY MAY ( accessKey $ secretKey $ isNovaAdmin ) )
attributeTypes: ( 1.3.6.1.3.1.666.666.3.5 NAME 'projectManager' DESC 'Project Managers of a project' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectClasses: ( 1.3.6.1.3.1.666.666.4.1 NAME 'novaUser' DESC 'access and secret keys' SUP top AUXILIARY MUST ( uid ) MAY ( accessKey $ secretKey $ isAdmin ) )
objectClasses: ( 1.3.6.1.3.1.666.666.4.2 NAME 'novaKeyPair' DESC 'Key pair for User' SUP top STRUCTURAL MUST ( cn $ sshPublicKey $ keyFingerprint ) )
objectClasses: ( 1.3.6.1.3.1.666.666.4.3 NAME 'novaProject' DESC 'Container for project' SUP groupOfNames STRUCTURAL MUST ( cn $ projectManager ) )

1
nova/auth/opendj.sh
View File

@@ -32,7 +32,6 @@ abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
schemapath='/var/opendj/instance/config/schema' schemapath='/var/opendj/instance/config/schema'
cp $abspath/openssh-lpk_sun.schema $schemapath/97-openssh-lpk_sun.ldif cp $abspath/openssh-lpk_sun.schema $schemapath/97-openssh-lpk_sun.ldif
cp $abspath/nova_sun.schema $schemapath/98-nova_sun.ldif cp $abspath/nova_sun.schema $schemapath/98-nova_sun.ldif
chown opendj:opendj $schemapath/97-openssh-lpk_sun.ldif
chown opendj:opendj $schemapath/98-nova_sun.ldif chown opendj:opendj $schemapath/98-nova_sun.ldif
cat >/etc/ldap/ldap.conf <<LDAP_CONF_EOF cat >/etc/ldap/ldap.conf <<LDAP_CONF_EOF

3
nova/auth/slap.sh
View File

@@ -22,7 +22,7 @@ apt-get install -y slapd ldap-utils python-ldap
abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"` abspath=`dirname "$(cd "${0%/*}" 2>/dev/null; echo "$PWD"/"${0##*/}")"`
cp $abspath/openssh-lpk_openldap.schema /etc/ldap/schema/openssh-lpk_openldap.schema cp $abspath/openssh-lpk_openldap.schema /etc/ldap/schema/openssh-lpk_openldap.schema
cp $abspath/nova_openldap.schema /etc/ldap/schema/nova_openldap.schema cp $abspath/nova_openldap.schema /etc/ldap/schema/nova.schema
mv /etc/ldap/slapd.conf /etc/ldap/slapd.conf.orig mv /etc/ldap/slapd.conf /etc/ldap/slapd.conf.orig
cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
@@ -33,7 +33,6 @@ cat >/etc/ldap/slapd.conf <<SLAPD_CONF_EOF
include /etc/ldap/schema/core.schema include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openssh-lpk_openldap.schema
include /etc/ldap/schema/nova.schema include /etc/ldap/schema/nova.schema
pidfile /var/run/slapd/slapd.pid pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args argsfile /var/run/slapd/slapd.args