Fixes devstack ldap plugin
When the ldap service is enabled in local.conf, the devstack ldap plugin starts the slapd service using its default config on Ubuntu and installs the ldap-utils package. Enables domain-specific drivers in Keystone and creates the LDAP domain 'Users' with a demo user. Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
This commit is contained in:
parent
b79531a9f9
commit
cc36397134
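--- a/files/ldap/user.ldif.in
+++ b/files/ldap/user.ldif.in
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Demo LDAP user
+dn: cn=demo,ou=Users,${BASE_DN}
+cn: demo
+displayName: demo
+givenName: demo
+mail: demo@openstack.org
+objectClass: inetOrgPerson
+objectClass: top
+sn: demo
+uid: demo
+userPassword: demo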
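Review bot: `userPassword: demo` is a cleartext value, so slapd stores and serves it verbatim unless a password-hashing overlay or policy is configured (nothing on this page configures one), and the same account is granted the `admin` role in create_ldap_domain in lib/keystone, so a fixed, well-known credential ends up with admin rights on the deployment. For a throwaway devstack fixture that may be intended, but the template should say so: add `# Dev/test fixture only: fixed cleartext credential for the demo user` above the `dn:` line. If `_ldap_varsubst` supports a hashed-password placeholder (its second argument in the keystone hunk suggests it does), substituting a slappasswd-generated hash here instead of the literal would be the cleaner option.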
@ -106,6 +106,10 @@ function configure_horizon {
|
|||||||
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
|
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if is_service_enabled ldap; then
|
||||||
|
_horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT "True"
|
||||||
|
fi
|
||||||
|
|
||||||
# Create an empty directory that apache uses as docroot
|
# Create an empty directory that apache uses as docroot
|
||||||
sudo mkdir -p $HORIZON_DIR/.blackhole
|
sudo mkdir -p $HORIZON_DIR/.blackhole
|
||||||
|
|
||||||
|
72
lib/keystone
72
lib/keystone
@ -219,17 +219,10 @@ function configure_keystone {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Rewrite stock ``keystone.conf``
|
# Rewrite stock ``keystone.conf``
|
||||||
|
|
||||||
if is_service_enabled ldap; then
|
if is_service_enabled ldap; then
|
||||||
#Set all needed ldap values
|
iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
|
||||||
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
|
iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
|
||||||
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
|
|
||||||
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
|
|
||||||
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
|
|
||||||
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
|
|
||||||
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
|
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
|
||||||
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
|
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
|
||||||
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
|
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
|
||||||
@ -410,6 +403,10 @@ function create_keystone_accounts {
|
|||||||
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
|
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
|
||||||
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
|
||||||
get_or_add_group_project_role $admin_role $admin_group $admin_project
|
get_or_add_group_project_role $admin_role $admin_group $admin_project
|
||||||
|
|
||||||
|
if is_service_enabled ldap; then
|
||||||
|
create_ldap_domain
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
|
||||||
@ -615,6 +612,63 @@ function bootstrap_keystone {
|
|||||||
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
|
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# create_ldap_domain() - Create domain file and initialize domain with a user
|
||||||
|
function create_ldap_domain {
|
||||||
|
# Creates domain Users
|
||||||
|
openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users
|
||||||
|
|
||||||
|
# Create domain file inside etc/keystone/domains
|
||||||
|
KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf
|
||||||
|
mkdir -p "$KEYSTONE_CONF_DIR/domains"
|
||||||
|
touch "$KEYSTONE_LDAP_DOMAIN_FILE"
|
||||||
|
|
||||||
|
# Set identity driver 'ldap'
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap"
|
||||||
|
|
||||||
|
# LDAP settings for Users domain
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_delete "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_update "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_create "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_delete "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_update "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_create "False"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn"
|
||||||
|
iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn"
|
||||||
|
|
||||||
|
# Restart apache and identity services to associate domain and conf file
|
||||||
|
sudo service apache2 reload
|
||||||
|
sudo systemctl restart devstack@keystone
|
||||||
|
|
||||||
|
# Create LDAP user.ldif and add user to LDAP backend
|
||||||
|
local tmp_ldap_dir
|
||||||
|
tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
|
||||||
|
|
||||||
|
_ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif
|
||||||
|
sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif
|
||||||
|
rm -rf $tmp_ldap_dir
|
||||||
|
|
||||||
|
local admin_project
|
||||||
|
admin_project=$(get_or_create_project "admin" default)
|
||||||
|
local ldap_user
|
||||||
|
ldap_user=$(openstack user show --domain=Users demo -f value -c id)
|
||||||
|
local admin_role="admin"
|
||||||
|
get_or_create_role $admin_role
|
||||||
|
|
||||||
|
# Grant demo LDAP user access to project and role
|
||||||
|
get_or_add_user_project_role $admin_role $ldap_user $admin_project
|
||||||
|
}
|
||||||
|
|
||||||
# Restore xtrace
|
# Restore xtrace
|
||||||
$_XTRACE_KEYSTONE
|
$_XTRACE_KEYSTONE
|
||||||
|
|
||||||
|
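Review bot: In create_ldap_domain the domain config binds with a hardcoded `user "cn=Manager,dc=openstack,dc=org"` and `url "ldap://localhost"`, while the ldapadd a few lines below uses `$LDAP_MANAGER_DN` and `$LDAP_URL`; if LDAP_BASE_DN or LDAP_URL is overridden in local.conf the directory load succeeds but keystone's domain driver can no longer bind, so these should be `iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "$LDAP_MANAGER_DN"` and `iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "$LDAP_URL"`. The `$slappass` passed to `_ldap_varsubst` is not set anywhere in this function and is presumably a local of install_ldap, so it expands empty here; that is harmless only as long as the template references nothing but `${BASE_DN}`, so drop the argument or pass the intended value. The domain file is created with `touch` under the default umask and then receives `ldap password $LDAP_PASSWORD`, so the bind password is likely readable by every local user; a `chmod 600 "$KEYSTONE_LDAP_DOMAIN_FILE"` right after the `touch` closes that. Relatedly, `ldapadd -x -w $LDAP_PASSWORD` exposes the same password in the process list and in the xtrace output this file re-enables at the end, where `-y <password-file>` would keep it off argv.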
24
lib/ldap
24
lib/ldap
@ -119,8 +119,7 @@ function install_ldap {
|
|||||||
|
|
||||||
printf "installing OpenLDAP"
|
printf "installing OpenLDAP"
|
||||||
if is_ubuntu; then
|
if is_ubuntu; then
|
||||||
# Ubuntu automatically starts LDAP so no need to call start_ldap()
|
configure_ldap
|
||||||
:
|
|
||||||
elif is_fedora; then
|
elif is_fedora; then
|
||||||
start_ldap
|
start_ldap
|
||||||
elif is_suse; then
|
elif is_suse; then
|
||||||
@ -148,6 +147,27 @@ function install_ldap {
|
|||||||
rm -rf $tmp_ldap_dir
|
rm -rf $tmp_ldap_dir
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# configure_ldap() - Configure LDAP - reconfigure slapd
|
||||||
|
function configure_ldap {
|
||||||
|
sudo debconf-set-selections <<EOF
|
||||||
|
slapd slapd/internal/generated_adminpw password $LDAP_PASSWORD
|
||||||
|
slapd slapd/internal/adminpw password $LDAP_PASSWORD
|
||||||
|
slapd slapd/password2 password $LDAP_PASSWORD
|
||||||
|
slapd slapd/password1 password $LDAP_PASSWORD
|
||||||
|
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
|
||||||
|
slapd slapd/domain string Users
|
||||||
|
slapd shared/organization string $LDAP_DOMAIN
|
||||||
|
slapd slapd/backend string HDB
|
||||||
|
slapd slapd/purge_database boolean true
|
||||||
|
slapd slapd/move_old_database boolean true
|
||||||
|
slapd slapd/allow_ldap_v2 boolean false
|
||||||
|
slapd slapd/no_configuration boolean false
|
||||||
|
slapd slapd/dump_database select when needed
|
||||||
|
EOF
|
||||||
|
sudo apt-get install -y slapd ldap-utils
|
||||||
|
sudo dpkg-reconfigure -f noninteractive $LDAP_SERVICE_NAME
|
||||||
|
}
|
||||||
|
|
||||||
# start_ldap() - Start LDAP
|
# start_ldap() - Start LDAP
|
||||||
function start_ldap {
|
function start_ldap {
|
||||||
sudo service $LDAP_SERVICE_NAME restart
|
sudo service $LDAP_SERVICE_NAME restart
|
||||||
|
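Review bot: configure_ldap hardcodes `slapd slapd/domain string Users` while the organization comes from `$LDAP_DOMAIN` and keystone expects the suffix `$LDAP_BASE_DN` (`dc=openstack,dc=org` in the domain file); Debian's slapd packaging derives the database suffix from slapd/domain, so unless the remainder of install_ldap (outside this hunk) rewrites olcSuffix, the directory is created under a `dc=Users` suffix and the later ldapadd of `ou=Users,$LDAP_BASE_DN` entries fails. If LDAP_DOMAIN holds the DNS-style domain, the line should read `slapd slapd/domain string $LDAP_DOMAIN`; otherwise add a comment explaining why the suffix from debconf is expected not to matter. The unquoted heredoc expands `$LDAP_PASSWORD` into the debconf answers as intended, but the expanded text is also printed when xtrace is on, which this file appears to toggle. The raw `sudo apt-get install -y slapd ldap-utils` bypasses devstack's package wrappers (install_package and the files/debs lists), which is where proxy and retry handling live, so it would be more consistent to go through them.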