@@ -15,6 +15,8 @@ TOP_DIR=$(cd $(dirname "$0") && pwd)

 # Import common functions

 source $TOP_DIR/functions

+FILES=$TOP_DIR/files

+

 # Load local configuration

 source $TOP_DIR/stackrc

@@ -84,6 +86,10 @@ cleanup_nova

 cleanup_neutron

 cleanup_swift

+if is_service_enabled ldap; then

+    cleanup_ldap

+fi

+

 # Do the hypervisor cleanup until this can be moved back into lib/nova

 if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then

     cleanup_nova_hypervisor

@@ -1,3 +1,3 @@

 ldap-utils

-slapd # NOPRIME

+slapd

 python-ldap

deleted file mode 100644

@@ -1,19 +0,0 @@

-dn: cn=config

-objectClass: olcGlobal

-cn: config

-olcArgsFile: /var/run/slapd/slapd.args

-olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn

- :cn=config

-olcPidFile: /var/run/slapd/slapd.pid

-olcSizeLimit: 10000

-

-dn: cn=schema,cn=config

-objectClass: olcSchemaConfig

-cn: schema

-

-include: file:///etc/openldap/schema/core.ldif

-

-dn: olcDatabase={1}hdb,cn=config

-objectClass: olcHdbConfig

-olcDbDirectory: /var/lib/ldap

-olcSuffix: dc=openstack,dc=org

new file mode 100644

@@ -0,0 +1,26 @@

+dn: ${BASE_DN}

+objectClass: dcObject

+objectClass: organizationalUnit

+dc: ${BASE_DC}

+ou: ${BASE_DC}

+

+dn: ou=UserGroups,${BASE_DN}

+objectClass: organizationalUnit

+ou: UserGroups

+

+dn: ou=Users,${BASE_DN}

+objectClass: organizationalUnit

+ou: Users

+

+dn: ou=Roles,${BASE_DN}

+objectClass: organizationalUnit

+ou: Roles

+

+dn: ou=Projects,${BASE_DN}

+objectClass: organizationalUnit

+ou: Projects

+

+dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,${BASE_DN}

+objectClass: organizationalRole

+ou: _member_

+cn: 9fe2ff9ee4384b1894a90878d3e92bab

@@ -1,10 +1,15 @@

 dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config

 changetype: modify

 replace: olcSuffix

-olcSuffix: dc=openstack,dc=org

+olcSuffix: ${BASE_DN}

 -

 replace: olcRootDN

-olcRootDN: dc=Manager,dc=openstack,dc=org

+olcRootDN: ${MANAGER_DN}

 -

 ${LDAP_ROOTPW_COMMAND}: olcRootPW

 olcRootPW: ${SLAPPASS}

+-

+replace: olcDbIndex

+olcDbIndex: objectClass eq

+olcDbIndex: default pres,eq

+olcDbIndex: cn,sn,givenName,co

deleted file mode 100644

@@ -1,26 +0,0 @@

-dn: dc=openstack,dc=org

-dc: openstack

-objectClass: dcObject

-objectClass: organizationalUnit

-ou: openstack

-

-dn: ou=UserGroups,dc=openstack,dc=org

-objectClass: organizationalUnit

-ou: UserGroups

-

-dn: ou=Users,dc=openstack,dc=org

-objectClass: organizationalUnit

-ou: Users

-

-dn: ou=Roles,dc=openstack,dc=org

-objectClass: organizationalUnit

-ou: Roles

-

-dn: ou=Projects,dc=openstack,dc=org

-objectClass: organizationalUnit

-ou: Projects

-

-dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,dc=openstack,dc=org

-objectClass: organizationalRole

-ou: _member_

-cn: 9fe2ff9ee4384b1894a90878d3e92bab

new file mode 100644

@@ -0,0 +1,21 @@

+dn: cn=config

+objectClass: olcGlobal

+cn: config

+olcArgsFile: /var/run/slapd/slapd.args

+olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn

+ :cn=config

+olcPidFile: /var/run/slapd/slapd.pid

+olcSizeLimit: 10000

+

+dn: cn=schema,cn=config

+objectClass: olcSchemaConfig

+cn: schema

+

+include: file:///etc/openldap/schema/core.ldif

+include: file:///etc/openldap/schema/cosine.ldif

+include: file:///etc/openldap/schema/inetorgperson.ldif

+

+dn: olcDatabase={1}hdb,cn=config

+objectClass: olcHdbConfig

+olcDbDirectory: /var/lib/ldap

+olcSuffix: ${BASE_DN}

@@ -151,17 +151,17 @@ function configure_keystone() {

     if is_service_enabled ldap; then

         #Set all needed ldap values

-        iniset $KEYSTONE_CONF ldap password  $LDAP_PASSWORD

-        iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org"

-        iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org"

+        iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD

+        iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN

+        iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN

         iniset $KEYSTONE_CONF ldap use_dumb_member "True"

         iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"

         iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"

         iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"

         iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"

-        iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,dc=openstack,dc=org"

+        iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"

         iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"

-        iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,dc=openstack,dc=org"

+        iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"

         iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"

         iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"

     fi

@@ -337,6 +337,10 @@ create_keystone_accounts() {

 # init_keystone() - Initialize databases, etc.

 function init_keystone() {

+    if is_service_enabled ldap; then

+        init_ldap

+    fi

+

     # (Re)create keystone database

     recreate_database keystone utf8

@@ -9,68 +9,137 @@

 XTRACE=$(set +o | grep xtrace)

 set +o xtrace

+

+LDAP_DOMAIN=${LDAP_DOMAIN:-openstack.org}

+# Make an array of domain components

+DC=(${LDAP_DOMAIN/./ })

+

+# Leftmost domain component used in top-level entry

+LDAP_BASE_DC=${DC[0]}

+

+# Build the base DN

+dn=""

+for dc in ${DC[*]}; do

+    dn="$dn,dc=$dc"

+done

+LDAP_BASE_DN=${dn#,}

+

+LDAP_MANAGER_DN="${LDAP_MANAGER_DN:-cn=Manager,${LDAP_BASE_DN}}"

+LDAP_URL=${LDAP_URL:-ldap://localhost}

+

 LDAP_SERVICE_NAME=slapd

+if is_ubuntu; then

+    LDAP_OLCDB_NUMBER=1

+    LDAP_ROOTPW_COMMAND=replace

+elif is_fedora; then

+    LDAP_OLCDB_NUMBER=2

+    LDAP_ROOTPW_COMMAND=add

+elif is_suse; then

+    # SUSE has slappasswd in /usr/sbin/

+    PATH=$PATH:/usr/sbin/

+    LDAP_OLCDB_NUMBER=1

+    LDAP_ROOTPW_COMMAND=add

+    LDAP_SERVICE_NAME=ldap

+fi

+

+

 # Functions

 # ---------

+# Perform common variable substitutions on the data files

+# _ldap_varsubst file

+function _ldap_varsubst() {

+    local infile=$1

+    sed -e "

+        s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|

+        s|\${SLAPPASS}|$SLAPPASS|

+        s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|

+        s|\${BASE_DC}|$LDAP_BASE_DC|

+        s|\${BASE_DN}|$LDAP_BASE_DN|

+        s|\${MANAGER_DN}|$LDAP_MANAGER_DN|

+    " $infile

+}

+

+# clean_ldap() - Remove ldap server

+function cleanup_ldap() {

+    uninstall_package $(get_packages ldap)

+    if is_ubuntu; then

+        uninstall_package slapd ldap-utils libslp1

+        sudo rm -rf /etc/ldap/ldap.conf /var/lib/ldap

+    elif is_fedora; then

+        sudo rm -rf /etc/openldap /var/lib/ldap

+    elif is_suse; then

+        sudo rm -rf /var/lib/ldap

+    fi

+}

+

+# init_ldap

+# init_ldap() - Initialize databases, etc.

+function init_ldap() {

+    local keystone_ldif

+

+    TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)

+

+    # Remove data but not schemas

+    clear_ldap_state

+

+    # Add our top level ldap nodes

+    if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then

+        printf "LDAP already configured for $LDAP_BASE_DC\n"

+    else

+        printf "Configuring LDAP for $LDAP_BASE_DC\n"

+        # If BASE_DN is changed, the user may override the default file

+        if [[ -r $FILES/ldap/${LDAP_BASE_DC}.ldif.in ]]; then

+            keystone_ldif=${LDAP_BASE_DC}.ldif

+        else

+            keystone_ldif=keystone.ldif

+        fi

+        _ldap_varsubst $FILES/ldap/${keystone_ldif}.in >$TMP_LDAP_DIR/${keystone_ldif}

+        if [[ -r $TMP_LDAP_DIR/${keystone_ldif} ]]; then

+            ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $TMP_LDAP_DIR/${keystone_ldif}

+        fi

+    fi

+

+    rm -rf TMP_LDAP_DIR

+}

+

 # install_ldap

 # install_ldap() - Collect source and prepare

 function install_ldap() {

     echo "Installing LDAP inside function"

-    echo "LDAP_PASSWORD is $LDAP_PASSWORD"

     echo "os_VENDOR is $os_VENDOR"

-    printf "installing"

+

+    TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)

+

+    printf "installing OpenLDAP"

     if is_ubuntu; then

-        LDAP_OLCDB_NUMBER=1

-        LDAP_ROOTPW_COMMAND=replace

-        sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils

-        #automatically starts LDAP on ubuntu so no need to call start_ldap

+        # Ubuntu automatically starts LDAP so no need to call start_ldap()

+        :

     elif is_fedora; then

-        LDAP_OLCDB_NUMBER=2

-        LDAP_ROOTPW_COMMAND=add

         start_ldap

     elif is_suse; then

-        LDAP_OLCDB_NUMBER=1

-        LDAP_ROOTPW_COMMAND=add

-        LDAP_SERVICE_NAME=ldap

-        # SUSE has slappasswd in /usr/sbin/

-        PATH=$PATH:/usr/sbin/

-        sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $FILES/ldap/base-config.ldif

+        _ldap_varsubst $FILES/ldap/suse-base-config.ldif.in >$TMP_LDAP_DIR/suse-base-config.ldif

+        sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $TMP_LDAP_DIR/suse-base-config.ldif

         sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap

         start_ldap

     fi

-    printf "generate password file"

-    SLAPPASS=`slappasswd -s $LDAP_PASSWORD`

-

-    printf "secret is $SLAPPASS\n"

-    #create manager.ldif

-    TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`

-    sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE

+    echo "LDAP_PASSWORD is $LDAP_PASSWORD"

+    SLAPPASS=$(slappasswd -s $LDAP_PASSWORD)

+    printf "LDAP secret is $SLAPPASS\n"

-    #update ldap olcdb

-    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE

+    # Create manager.ldif and add to olcdb

+    _ldap_varsubst $FILES/ldap/manager.ldif.in >$TMP_LDAP_DIR/manager.ldif

+    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_LDAP_DIR/manager.ldif

     # On fedora we need to manually add cosine and inetorgperson schemas

-    if is_fedora || is_suse; then

+    if is_fedora; then

         sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

         sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

     fi

-    # add our top level ldap nodes

-    if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success"; then

-        printf "LDAP already configured for OpenStack\n"

-        if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then

-            # clear LDAP state

-            clear_ldap_state

-            # reconfigure LDAP for OpenStack

-            ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f  $FILES/ldap/openstack.ldif

-        fi

-    else

-        printf "Configuring LDAP for OpenStack\n"

-        ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f  $FILES/ldap/openstack.ldif

-    fi

+    rm -rf TMP_LDAP_DIR

 }

 # start_ldap() - Start LDAP

@@ -78,7 +147,6 @@ function start_ldap() {

     sudo service $LDAP_SERVICE_NAME restart

 }

-

 # stop_ldap() - Stop LDAP

 function stop_ldap() {

     sudo service $LDAP_SERVICE_NAME stop

@@ -86,7 +154,7 @@ function stop_ldap() {

 # clear_ldap_state() - Clear LDAP State

 function clear_ldap_state() {

-    ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org"

+    ldapdelete -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -r "$LDAP_BASE_DN"

 }

 # Restore xtrace