When the ldap service is enabled in local.conf, the devstack ldap
plugin installs the ldap-utils package and starts the slapd service
using its default config on Ubuntu.
Enables domain specific drivers on Keystone and creates LDAP
domain 'Users' with a demo user.
Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,23 @@ |
0 |
+# Licensed under the Apache License, Version 2.0 (the "License"); you may |
|
1 |
+# not use this file except in compliance with the License. You may obtain |
|
2 |
+# a copy of the License at |
|
3 |
+# |
|
4 |
+# http://www.apache.org/licenses/LICENSE-2.0 |
|
5 |
+# |
|
6 |
+# Unless required by applicable law or agreed to in writing, software |
|
7 |
+# distributed under the License is distributed on an "AS IS" BASIS, |
|
8 |
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
|
9 |
+# implied. See the License for the specific language governing |
|
10 |
+# permissions and limitations under the License. |
|
11 |
+ |
|
12 |
+# Demo LDAP user |
|
13 |
+dn: cn=demo,ou=Users,${BASE_DN} |
|
14 |
+cn: demo |
|
15 |
+displayName: demo |
|
16 |
+givenName: demo |
|
17 |
+mail: demo@openstack.org |
|
18 |
+objectClass: inetOrgPerson |
|
19 |
+objectClass: top |
|
20 |
+sn: demo |
|
21 |
+uid: demo |
|
22 |
+userPassword: demo |
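Review bot: `userPassword: demo` on the last line stores a well-known cleartext password for an account that create_ldap_domain later grants the admin role on the admin project, so any deployment with `ldap` enabled gains a second admin reachable as `demo`/`demo`. The template is piped through `_ldap_varsubst` together with `$slappass`, yet it uses no password placeholder; if that helper exposes a password token (it clearly substitutes `${BASE_DN}`), use it here, e.g. `userPassword: ${SLAPPASS}`, or at least derive the value from a devstack password variable, and prefer a `{SSHA}` hash over a cleartext value. A one-line header comment stating that this file is a substitution template expanded by `_ldap_varsubst` rather than a literal LDIF would also help, since `${BASE_DN}` is not valid LDIF as written.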
... | ... |
@@ -106,6 +106,10 @@ function configure_horizon { |
106 | 106 |
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\" |
107 | 107 |
fi |
108 | 108 |
|
109 |
+ if is_service_enabled ldap; then |
|
110 |
+ _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT "True" |
|
111 |
+ fi |
|
112 |
+ |
|
109 | 113 |
# Create an empty directory that apache uses as docroot |
110 | 114 |
sudo mkdir -p $HORIZON_DIR/.blackhole |
111 | 115 |
|
... | ... |
@@ -219,17 +219,10 @@ function configure_keystone { |
219 | 219 |
fi |
220 | 220 |
|
221 | 221 |
# Rewrite stock ``keystone.conf`` |
222 |
- |
|
223 | 222 |
if is_service_enabled ldap; then |
224 |
- #Set all needed ldap values |
|
225 |
- iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD |
|
226 |
- iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN |
|
227 |
- iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN |
|
228 |
- iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
|
229 |
- iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab" |
|
230 |
- iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" |
|
223 |
+ iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains" |
|
224 |
+ iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True" |
|
231 | 225 |
fi |
232 |
- |
|
233 | 226 |
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" |
234 | 227 |
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS |
235 | 228 |
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" |
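Review bot: `domain_config_dir` is pointed at `$KEYSTONE_CONF_DIR/domains`, but nothing in this hunk creates that directory; it is only created later by create_ldap_domain, so keystone's first start runs with a configured-but-missing domain config directory and the domain-specific driver only takes effect after the extra restart that function performs. Creating it here keeps configure_keystone self-contained and lets you set permissions suited to a directory that will hold an LDAP bind password, e.g. `sudo install -d -m 0750 -o $STACK_USER "$KEYSTONE_CONF_DIR/domains"` before the two `iniset` lines (match the owner to however `$KEYSTONE_CONF_DIR` is owned in this file). configure_keystone starts and ends outside this hunk.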
... | ... |
@@ -410,6 +403,10 @@ function create_keystone_accounts { |
410 | 410 |
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project |
411 | 411 |
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project |
412 | 412 |
get_or_add_group_project_role $admin_role $admin_group $admin_project |
413 |
+ |
|
414 |
+ if is_service_enabled ldap; then |
|
415 |
+ create_ldap_domain |
|
416 |
+ fi |
|
413 | 417 |
} |
414 | 418 |
|
415 | 419 |
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. |
... | ... |
@@ -615,6 +612,63 @@ function bootstrap_keystone { |
615 | 615 |
--bootstrap-public-url "$KEYSTONE_SERVICE_URI" |
616 | 616 |
} |
617 | 617 |
|
618 |
+# create_ldap_domain() - Create domain file and initialize domain with a user |
|
619 |
+function create_ldap_domain { |
|
620 |
+ # Creates domain Users |
|
621 |
+ openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users |
|
622 |
+ |
|
623 |
+ # Create domain file inside etc/keystone/domains |
|
624 |
+ KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf |
|
625 |
+ mkdir -p "$KEYSTONE_CONF_DIR/domains" |
|
626 |
+ touch "$KEYSTONE_LDAP_DOMAIN_FILE" |
|
627 |
+ |
|
628 |
+ # Set identity driver 'ldap' |
|
629 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap" |
|
630 |
+ |
|
631 |
+ # LDAP settings for Users domain |
|
632 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_delete "False" |
|
633 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_update "False" |
|
634 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_create "False" |
|
635 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_delete "False" |
|
636 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_update "False" |
|
637 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_create "False" |
|
638 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
|
639 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson" |
|
640 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn" |
|
641 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail" |
|
642 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid" |
|
643 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org" |
|
644 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost" |
|
645 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN |
|
646 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD |
|
647 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN" |
|
648 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames" |
|
649 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn" |
|
650 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn" |
|
651 |
+ |
|
652 |
+ # Restart apache and identity services to associate domain and conf file |
|
653 |
+ sudo service apache2 reload |
|
654 |
+ sudo systemctl restart devstack@keystone |
|
655 |
+ |
|
656 |
+ # Create LDAP user.ldif and add user to LDAP backend |
|
657 |
+ local tmp_ldap_dir |
|
658 |
+ tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX) |
|
659 |
+ |
|
660 |
+ _ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif |
|
661 |
+ sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif |
|
662 |
+ rm -rf $tmp_ldap_dir |
|
663 |
+ |
|
664 |
+ local admin_project |
|
665 |
+ admin_project=$(get_or_create_project "admin" default) |
|
666 |
+ local ldap_user |
|
667 |
+ ldap_user=$(openstack user show --domain=Users demo -f value -c id) |
|
668 |
+ local admin_role="admin" |
|
669 |
+ get_or_create_role $admin_role |
|
670 |
+ |
|
671 |
+ # Grant demo LDAP user access to project and role |
|
672 |
+ get_or_add_user_project_role $admin_role $ldap_user $admin_project |
|
673 |
+} |
|
674 |
+ |
|
618 | 675 |
# Restore xtrace |
619 | 676 |
$_XTRACE_KEYSTONE |
620 | 677 |
|
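Review bot: The domain config file written here carries the LDAP bind password (`iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD`) yet it is created with a bare `touch`, i.e. under the stack user's umask and most likely world-readable; create it with `install -m 0600 /dev/null "$KEYSTONE_LDAP_DOMAIN_FILE"` instead. The bind DN and URL are hard-coded (`user "cn=Manager,dc=openstack,dc=org"`, `url "ldap://localhost"`) while the same function binds with `$LDAP_MANAGER_DN` and `$LDAP_URL` for ldapadd and uses `$LDAP_BASE_DN` for the suffix, so overriding LDAP_BASE_DN or LDAP_URL breaks keystone's bind but not the provisioning; use `"$LDAP_MANAGER_DN"` and `"$LDAP_URL"` in the domain file too. `$slappass` passed to `_ldap_varsubst` is not set anywhere in this function, so it expands to empty, which is harmless only because the template does not reference it. Granting `admin` on the `admin` project to the LDAP demo user whose password is the literal `demo` creates an avoidable privileged account; the non-admin group in create_keystone_accounts gets `$member_role` on a demo project, and the same grant would suit this user. Note also that `openstack domain create ... Users` is not idempotent, unlike the get_or_create helpers used around it, so a re-run of create_keystone_accounts fails here.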
... | ... |
@@ -119,8 +119,7 @@ function install_ldap { |
119 | 119 |
|
120 | 120 |
printf "installing OpenLDAP" |
121 | 121 |
if is_ubuntu; then |
122 |
- # Ubuntu automatically starts LDAP so no need to call start_ldap() |
|
123 |
- : |
|
122 |
+ configure_ldap |
|
124 | 123 |
elif is_fedora; then |
125 | 124 |
start_ldap |
126 | 125 |
elif is_suse; then |
... | ... |
@@ -148,6 +147,27 @@ function install_ldap { |
148 | 148 |
rm -rf $tmp_ldap_dir |
149 | 149 |
} |
150 | 150 |
|
151 |
+# configure_ldap() - Configure LDAP - reconfigure slapd |
|
152 |
+function configure_ldap { |
|
153 |
+ sudo debconf-set-selections <<EOF |
|
154 |
+ slapd slapd/internal/generated_adminpw password $LDAP_PASSWORD |
|
155 |
+ slapd slapd/internal/adminpw password $LDAP_PASSWORD |
|
156 |
+ slapd slapd/password2 password $LDAP_PASSWORD |
|
157 |
+ slapd slapd/password1 password $LDAP_PASSWORD |
|
158 |
+ slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION |
|
159 |
+ slapd slapd/domain string Users |
|
160 |
+ slapd shared/organization string $LDAP_DOMAIN |
|
161 |
+ slapd slapd/backend string HDB |
|
162 |
+ slapd slapd/purge_database boolean true |
|
163 |
+ slapd slapd/move_old_database boolean true |
|
164 |
+ slapd slapd/allow_ldap_v2 boolean false |
|
165 |
+ slapd slapd/no_configuration boolean false |
|
166 |
+ slapd slapd/dump_database select when needed |
|
167 |
+EOF |
|
168 |
+ sudo apt-get install -y slapd ldap-utils |
|
169 |
+ sudo dpkg-reconfigure -f noninteractive $LDAP_SERVICE_NAME |
|
170 |
+} |
|
171 |
+ |
|
151 | 172 |
# start_ldap() - Start LDAP |
152 | 173 |
function start_ldap { |
153 | 174 |
sudo service $LDAP_SERVICE_NAME restart |
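Review bot: `slapd slapd/domain string Users` makes the debconf-generated suffix `dc=Users`, which does not match the `$LDAP_BASE_DN` that create_ldap_domain and the ldapadd calls use; unless the suffix is rewritten elsewhere in install_ldap (outside this hunk), derive it from the same source as the organization line, `slapd slapd/domain string $LDAP_DOMAIN`. `slapd/backend string HDB` selects a backend that newer OpenLDAP packages have deprecated in favor of MDB, so this selection may be ignored or fail on current Ubuntu releases; confirm against the target release or select `MDB`. The heredoc lines are indented, so confirm `debconf-set-selections` tolerates leading whitespace or left-justify them. `apt-get install -y slapd ldap-utils` bypasses devstack's `install_package` wrapper, which the rest of this file presumably relies on for proxy and retry handling. A short comment noting that `slapd/purge_database boolean true` wipes any existing slapd database would warn anyone reusing a host.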