* Build the base DN from a given domain name
* Remove all hard-coded names to allow configuration of base DN
* Fix manager DN (cn=Manager,dc=...)
* Add ldap init_ldap()
* Add support for clean.sh
Change-Id: Ieb69be9740653645b8e000574ad3fe59a0f97540
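--- a/clean.sh
+++ b/clean.sh
@@ -15,6 +15,8 @@ TOP_DIR=$(cd $(dirname "$0") && pwd)
 # Import common functions
 source $TOP_DIR/functions
 
+FILES=$TOP_DIR/files
+
 # Load local configuration
 source $TOP_DIR/stackrc
 
@@ -84,6 +86,10 @@ cleanup_nova
 cleanup_neutron
 cleanup_swift
 
+if is_service_enabled ldap; then
+    cleanup_ldap
+fi
+
 # Do the hypervisor cleanup until this can be moved back into lib/nova
 if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then
     cleanup_nova_hypervisor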
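deleted file mode 100644
--- a/files/ldap/base-config.ldif
+++ /dev/null
@@ -1,19 +0,0 @@
-dn: cn=config
-objectClass: olcGlobal
-cn: config
-olcArgsFile: /var/run/slapd/slapd.args
-olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn
- :cn=config
-olcPidFile: /var/run/slapd/slapd.pid
-olcSizeLimit: 10000
-
-dn: cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: schema
-
-include: file:///etc/openldap/schema/core.ldif
-
-dn: olcDatabase={1}hdb,cn=config
-objectClass: olcHdbConfig
-olcDbDirectory: /var/lib/ldap
-olcSuffix: dc=openstack,dc=org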
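new file mode 100644
--- /dev/null
+++ b/files/ldap/keystone.ldif.in
@@ -0,0 +1,26 @@
+dn: ${BASE_DN}
+objectClass: dcObject
+objectClass: organizationalUnit
+dc: ${BASE_DC}
+ou: ${BASE_DC}
+
+dn: ou=UserGroups,${BASE_DN}
+objectClass: organizationalUnit
+ou: UserGroups
+
+dn: ou=Users,${BASE_DN}
+objectClass: organizationalUnit
+ou: Users
+
+dn: ou=Roles,${BASE_DN}
+objectClass: organizationalUnit
+ou: Roles
+
+dn: ou=Projects,${BASE_DN}
+objectClass: organizationalUnit
+ou: Projects
+
+dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,${BASE_DN}
+objectClass: organizationalRole
+ou: _member_
+cn: 9fe2ff9ee4384b1894a90878d3e92bab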
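--- a/files/ldap/manager.ldif.in
+++ b/files/ldap/manager.ldif.in
@@ -1,10 +1,15 @@
 dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
 changetype: modify
 replace: olcSuffix
-olcSuffix: dc=openstack,dc=org
+olcSuffix: ${BASE_DN}
 -
 replace: olcRootDN
-olcRootDN: dc=Manager,dc=openstack,dc=org
+olcRootDN: ${MANAGER_DN}
 -
 ${LDAP_ROOTPW_COMMAND}: olcRootPW
 olcRootPW: ${SLAPPASS}
+-
+replace: olcDbIndex
+olcDbIndex: objectClass eq
+olcDbIndex: default pres,eq
+olcDbIndex: cn,sn,givenName,co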
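deleted file mode 100644
--- a/files/ldap/openstack.ldif
+++ /dev/null
@@ -1,26 +0,0 @@
-dn: dc=openstack,dc=org
-dc: openstack
-objectClass: dcObject
-objectClass: organizationalUnit
-ou: openstack
-
-dn: ou=UserGroups,dc=openstack,dc=org
-objectClass: organizationalUnit
-ou: UserGroups
-
-dn: ou=Users,dc=openstack,dc=org
-objectClass: organizationalUnit
-ou: Users
-
-dn: ou=Roles,dc=openstack,dc=org
-objectClass: organizationalUnit
-ou: Roles
-
-dn: ou=Projects,dc=openstack,dc=org
-objectClass: organizationalUnit
-ou: Projects
-
-dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,dc=openstack,dc=org
-objectClass: organizationalRole
-ou: _member_
-cn: 9fe2ff9ee4384b1894a90878d3e92bab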
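new file mode 100644
--- /dev/null
+++ b/files/ldap/suse-base-config.ldif.in
@@ -0,0 +1,21 @@
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/slapd/slapd.args
+olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn
+ :cn=config
+olcPidFile: /var/run/slapd/slapd.pid
+olcSizeLimit: 10000
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/inetorgperson.ldif
+
+dn: olcDatabase={1}hdb,cn=config
+objectClass: olcHdbConfig
+olcDbDirectory: /var/lib/ldap
+olcSuffix: ${BASE_DN}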
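Review bot: The `olcAuthzRegexp` entry is what maps the local uid 0/gid 0 peer credential onto `cn=config`, and the `sudo ldapmodify -Y EXTERNAL -H ldapi:///` steps in the ldap library appear to depend on exactly that mapping, yet nothing in the file records it. The `olcDatabase={1}hdb` entry likewise carries no `olcRootDN`/`olcRootPW` because `manager.ldif.in` adds them via `${LDAP_ROOTPW_COMMAND}` (`add` on SUSE), which a later editor could easily duplicate or break. A leading comment would capture both dependencies: `# The peercred -> cn=config mapping authorizes the ldapmodify -Y EXTERNAL steps; root DN/password are added afterwards by manager.ldif.in`.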
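--- a/PATH-NOT-SHOWN-keystone-library
+++ b/PATH-NOT-SHOWN-keystone-library
@@ -143,17 +143,17 @@ function configure_keystone() {
 
     if is_service_enabled ldap; then
         #Set all needed ldap values
-        iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
-        iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org"
-        iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org"
+        iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
+        iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
+        iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
         iniset $KEYSTONE_CONF ldap use_dumb_member "True"
         iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
         iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
         iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
         iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
-        iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,dc=openstack,dc=org"
+        iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"
         iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
-        iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,dc=openstack,dc=org"
+        iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
         iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
         iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
     fi
@@ -320,6 +320,10 @@ create_keystone_accounts() {
 
 # init_keystone() - Initialize databases, etc.
 function init_keystone() {
+    if is_service_enabled ldap; then
+        init_ldap
+    fi
+
     # (Re)create keystone database
     recreate_database keystone utf8
 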
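Review bot: In the `configure_keystone` hunk the new `iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN` and `iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN` pass the DNs unquoted, while the `tenant_tree_dn` and `user_tree_dn` lines right below quote theirs; `LDAP_MANAGER_DN` is user-overridable (`${LDAP_MANAGER_DN:-...}` in the ldap library), and a DN containing a space such as `cn=Directory Manager,...` would be split into extra arguments. Quote both, `iniset $KEYSTONE_CONF ldap user "$LDAP_MANAGER_DN"` and `iniset $KEYSTONE_CONF ldap suffix "$LDAP_BASE_DN"`; the pre-existing `password $LDAP_PASSWORD` on the line above has the same exposure. The body of `configure_keystone` begins before this hunk and continues after it.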
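--- a/PATH-NOT-SHOWN-ldap-library
+++ b/PATH-NOT-SHOWN-ldap-library
@@ -9,68 +9,137 @@
 XTRACE=$(set +o | grep xtrace)
 set +o xtrace
 
+
+LDAP_DOMAIN=${LDAP_DOMAIN:-openstack.org}
+# Make an array of domain components
+DC=(${LDAP_DOMAIN/./ })
+
+# Leftmost domain component used in top-level entry
+LDAP_BASE_DC=${DC[0]}
+
+# Build the base DN
+dn=""
+for dc in ${DC[*]}; do
+    dn="$dn,dc=$dc"
+done
+LDAP_BASE_DN=${dn#,}
+
+LDAP_MANAGER_DN="${LDAP_MANAGER_DN:-cn=Manager,${LDAP_BASE_DN}}"
+LDAP_URL=${LDAP_URL:-ldap://localhost}
+
 LDAP_SERVICE_NAME=slapd
 
+if is_ubuntu; then
+    LDAP_OLCDB_NUMBER=1
+    LDAP_ROOTPW_COMMAND=replace
+elif is_fedora; then
+    LDAP_OLCDB_NUMBER=2
+    LDAP_ROOTPW_COMMAND=add
+elif is_suse; then
+    # SUSE has slappasswd in /usr/sbin/
+    PATH=$PATH:/usr/sbin/
+    LDAP_OLCDB_NUMBER=1
+    LDAP_ROOTPW_COMMAND=add
+    LDAP_SERVICE_NAME=ldap
+fi
+
+
 # Functions
 # ---------
 
+# Perform common variable substitutions on the data files
+# _ldap_varsubst file
+function _ldap_varsubst() {
+    local infile=$1
+    sed -e "
+        s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
+        s|\${SLAPPASS}|$SLAPPASS|
+        s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
+        s|\${BASE_DC}|$LDAP_BASE_DC|
+        s|\${BASE_DN}|$LDAP_BASE_DN|
+        s|\${MANAGER_DN}|$LDAP_MANAGER_DN|
+    " $infile
+}
+
+# clean_ldap() - Remove ldap server
+function cleanup_ldap() {
+    uninstall_package $(get_packages ldap)
+    if is_ubuntu; then
+        uninstall_package slapd ldap-utils libslp1
+        sudo rm -rf /etc/ldap/ldap.conf /var/lib/ldap
+    elif is_fedora; then
+        sudo rm -rf /etc/openldap /var/lib/ldap
+    elif is_suse; then
+        sudo rm -rf /var/lib/ldap
+    fi
+}
+
+# init_ldap
+# init_ldap() - Initialize databases, etc.
+function init_ldap() {
+    local keystone_ldif
+
+    TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
+
+    # Remove data but not schemas
+    clear_ldap_state
+
+    # Add our top level ldap nodes
+    if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then
+        printf "LDAP already configured for $LDAP_BASE_DC\n"
+    else
+        printf "Configuring LDAP for $LDAP_BASE_DC\n"
+        # If BASE_DN is changed, the user may override the default file
+        if [[ -r $FILES/ldap/${LDAP_BASE_DC}.ldif.in ]]; then
+            keystone_ldif=${LDAP_BASE_DC}.ldif
+        else
+            keystone_ldif=keystone.ldif
+        fi
+        _ldap_varsubst $FILES/ldap/${keystone_ldif}.in >$TMP_LDAP_DIR/${keystone_ldif}
+        if [[ -r $TMP_LDAP_DIR/${keystone_ldif} ]]; then
+            ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $TMP_LDAP_DIR/${keystone_ldif}
+        fi
+    fi
+
+    rm -rf TMP_LDAP_DIR
+}
+
 # install_ldap
 # install_ldap() - Collect source and prepare
 function install_ldap() {
     echo "Installing LDAP inside function"
-    echo "LDAP_PASSWORD is $LDAP_PASSWORD"
     echo "os_VENDOR is $os_VENDOR"
-    printf "installing"
+
+    TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
+
+    printf "installing OpenLDAP"
     if is_ubuntu; then
-        LDAP_OLCDB_NUMBER=1
-        LDAP_ROOTPW_COMMAND=replace
-        sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils
-        #automatically starts LDAP on ubuntu so no need to call start_ldap
+        # Ubuntu automatically starts LDAP so no need to call start_ldap()
+        :
     elif is_fedora; then
-        LDAP_OLCDB_NUMBER=2
-        LDAP_ROOTPW_COMMAND=add
         start_ldap
     elif is_suse; then
-        LDAP_OLCDB_NUMBER=1
-        LDAP_ROOTPW_COMMAND=add
-        LDAP_SERVICE_NAME=ldap
-        # SUSE has slappasswd in /usr/sbin/
-        PATH=$PATH:/usr/sbin/
-        sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $FILES/ldap/base-config.ldif
+        _ldap_varsubst $FILES/ldap/suse-base-config.ldif.in >$TMP_LDAP_DIR/suse-base-config.ldif
+        sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $TMP_LDAP_DIR/suse-base-config.ldif
         sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap
         start_ldap
     fi
 
-    printf "generate password file"
-    SLAPPASS=`slappasswd -s $LDAP_PASSWORD`
-
-    printf "secret is $SLAPPASS\n"
-    #create manager.ldif
-    TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`
-    sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
+    echo "LDAP_PASSWORD is $LDAP_PASSWORD"
+    SLAPPASS=$(slappasswd -s $LDAP_PASSWORD)
+    printf "LDAP secret is $SLAPPASS\n"
 
-    #update ldap olcdb
-    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE
+    # Create manager.ldif and add to olcdb
+    _ldap_varsubst $FILES/ldap/manager.ldif.in >$TMP_LDAP_DIR/manager.ldif
+    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_LDAP_DIR/manager.ldif
 
     # On fedora we need to manually add cosine and inetorgperson schemas
-    if is_fedora || is_suse; then
+    if is_fedora; then
         sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
         sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
     fi
 
-    # add our top level ldap nodes
-    if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success"; then
-        printf "LDAP already configured for OpenStack\n"
-        if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then
-            # clear LDAP state
-            clear_ldap_state
-            # reconfigure LDAP for OpenStack
-            ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
-        fi
-    else
-        printf "Configuring LDAP for OpenStack\n"
-        ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
-    fi
+    rm -rf TMP_LDAP_DIR
 }
 
 # start_ldap() - Start LDAP
@@ -78,7 +147,6 @@ function start_ldap() {
     sudo service $LDAP_SERVICE_NAME restart
 }
 
-
 # stop_ldap() - Stop LDAP
 function stop_ldap() {
     sudo service $LDAP_SERVICE_NAME stop
@@ -86,7 +154,7 @@ function stop_ldap() {
 
 # clear_ldap_state() - Clear LDAP State
 function clear_ldap_state() {
-    ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org"
+    ldapdelete -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -r "$LDAP_BASE_DN"
 }
 
 # Restore xtrace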
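Review bot: `rm -rf TMP_LDAP_DIR` at new lines 104 and 142 is missing the `$`, so the temp directory holding `manager.ldif` (with the substituted `olcRootPW` hash) and the SUSE base config is never removed and a literal `TMP_LDAP_DIR` in the current directory is targeted instead; write `rm -rf "$TMP_LDAP_DIR"` in both places and declare the variable `local` in each function. `DC=(${LDAP_DOMAIN/./ })` on line 15 replaces only the first dot, so a domain with more than two labels yields a malformed base DN (`example.co.uk` becomes `dc=example,dc=co.uk`); it needs `DC=(${LDAP_DOMAIN//./ })`. New lines 128 and 130 still print the cleartext `LDAP_PASSWORD` and the `SLAPPASS` hash to stdout, where they end up in the stack log; drop both lines. In `init_ldap`, `clear_ldap_state` runs unconditionally before the "already configured" `ldapsearch` on line 88, so in the normal case that branch is unreachable and the former `KEYSTONE_CLEAR_LDAP` opt-in is gone, meaning every init wipes the whole base DN — the `init_ldap()` comment should say so. `-w $LDAP_PASSWORD` and `-H $LDAP_URL` on lines 88, 100 and in `clear_ldap_state`'s new line stay unquoted while `"$LDAP_MANAGER_DN"` beside them is quoted; quoting them consistently also stops a password containing a space from being split.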