When the ldap service is enabled in local.conf, the devstack ldap
plugin starts the slapd service using its default config on Ubuntu
and installs ldap-utils package.
Enables domain specific drivers on Keystone and creates LDAP
domain 'Users' with a demo user.
Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,23 @@ |
| 0 |
+# Licensed under the Apache License, Version 2.0 (the "License"); you may |
|
| 1 |
+# not use this file except in compliance with the License. You may obtain |
|
| 2 |
+# a copy of the License at |
|
| 3 |
+# |
|
| 4 |
+# http://www.apache.org/licenses/LICENSE-2.0 |
|
| 5 |
+# |
|
| 6 |
+# Unless required by applicable law or agreed to in writing, software |
|
| 7 |
+# distributed under the License is distributed on an "AS IS" BASIS, |
|
| 8 |
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
|
| 9 |
+# implied. See the License for the specific language governing |
|
| 10 |
+# permissions and limitations under the License. |
|
| 11 |
+ |
|
| 12 |
+# Demo LDAP user |
|
| 13 |
+dn: cn=demo,ou=Users,${BASE_DN}
|
|
| 14 |
+cn: demo |
|
| 15 |
+displayName: demo |
|
| 16 |
+givenName: demo |
|
| 17 |
+mail: demo@openstack.org |
|
| 18 |
+objectClass: inetOrgPerson |
|
| 19 |
+objectClass: top |
|
| 20 |
+sn: demo |
|
| 21 |
+uid: demo |
|
| 22 |
+userPassword: demo |
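Review bot: `userPassword: demo` stores the demo account's password in clear text in the directory; slapd accepts it, but the function that loads this template passes `$slappass` as the second argument of `_ldap_varsubst`, which suggests a `slappasswd` hash was meant to be substituted here through a placeholder rather than writing the literal. Because this is a well-known user/password pair, whatever Keystone later grants the account is reachable by anyone who can bind to the directory, so the grant made in `create_ldap_domain` deserves to stay minimal. The only placeholder the file uses is `${BASE_DN}`, so once a password placeholder is added the loader call and the template agree.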
| ... | ... |
@@ -106,6 +106,10 @@ function configure_horizon {
|
| 106 | 106 |
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
|
| 107 | 107 |
fi |
| 108 | 108 |
|
| 109 |
+ if is_service_enabled ldap; then |
|
| 110 |
+ _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT "True" |
|
| 111 |
+ fi |
|
| 112 |
+ |
|
| 109 | 113 |
# Create an empty directory that apache uses as docroot |
| 110 | 114 |
sudo mkdir -p $HORIZON_DIR/.blackhole |
| 111 | 115 |
|
| ... | ... |
@@ -219,17 +219,10 @@ function configure_keystone {
|
| 219 | 219 |
fi |
| 220 | 220 |
|
| 221 | 221 |
# Rewrite stock ``keystone.conf`` |
| 222 |
- |
|
| 223 | 222 |
if is_service_enabled ldap; then |
| 224 |
- #Set all needed ldap values |
|
| 225 |
- iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD |
|
| 226 |
- iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN |
|
| 227 |
- iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN |
|
| 228 |
- iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
|
| 229 |
- iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab" |
|
| 230 |
- iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" |
|
| 223 |
+ iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains" |
|
| 224 |
+ iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True" |
|
| 231 | 225 |
fi |
| 232 |
- |
|
| 233 | 226 |
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND" |
| 234 | 227 |
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS |
| 235 | 228 |
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND" |
| ... | ... |
@@ -410,6 +403,10 @@ function create_keystone_accounts {
|
| 410 | 410 |
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project |
| 411 | 411 |
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project |
| 412 | 412 |
get_or_add_group_project_role $admin_role $admin_group $admin_project |
| 413 |
+ |
|
| 414 |
+ if is_service_enabled ldap; then |
|
| 415 |
+ create_ldap_domain |
|
| 416 |
+ fi |
|
| 413 | 417 |
} |
| 414 | 418 |
|
| 415 | 419 |
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware. |
| ... | ... |
@@ -615,6 +612,63 @@ function bootstrap_keystone {
|
| 615 | 615 |
--bootstrap-public-url "$KEYSTONE_SERVICE_URI" |
| 616 | 616 |
} |
| 617 | 617 |
|
| 618 |
+# create_ldap_domain() - Create domain file and initialize domain with a user |
|
| 619 |
+function create_ldap_domain {
|
|
| 620 |
+ # Creates domain Users |
|
| 621 |
+ openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users |
|
| 622 |
+ |
|
| 623 |
+ # Create domain file inside etc/keystone/domains |
|
| 624 |
+ KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf |
|
| 625 |
+ mkdir -p "$KEYSTONE_CONF_DIR/domains" |
|
| 626 |
+ touch "$KEYSTONE_LDAP_DOMAIN_FILE" |
|
| 627 |
+ |
|
| 628 |
+ # Set identity driver 'ldap' |
|
| 629 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap" |
|
| 630 |
+ |
|
| 631 |
+ # LDAP settings for Users domain |
|
| 632 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_delete "False" |
|
| 633 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_update "False" |
|
| 634 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_create "False" |
|
| 635 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_delete "False" |
|
| 636 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_update "False" |
|
| 637 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_create "False" |
|
| 638 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
|
| 639 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson" |
|
| 640 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn" |
|
| 641 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail" |
|
| 642 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid" |
|
| 643 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org" |
|
| 644 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost" |
|
| 645 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN |
|
| 646 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD |
|
| 647 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN" |
|
| 648 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames" |
|
| 649 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn" |
|
| 650 |
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn" |
|
| 651 |
+ |
|
| 652 |
+ # Restart apache and identity services to associate domain and conf file |
|
| 653 |
+ sudo service apache2 reload |
|
| 654 |
+ sudo systemctl restart devstack@keystone |
|
| 655 |
+ |
|
| 656 |
+ # Create LDAP user.ldif and add user to LDAP backend |
|
| 657 |
+ local tmp_ldap_dir |
|
| 658 |
+ tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX) |
|
| 659 |
+ |
|
| 660 |
+ _ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif |
|
| 661 |
+ sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif |
|
| 662 |
+ rm -rf $tmp_ldap_dir |
|
| 663 |
+ |
|
| 664 |
+ local admin_project |
|
| 665 |
+ admin_project=$(get_or_create_project "admin" default) |
|
| 666 |
+ local ldap_user |
|
| 667 |
+ ldap_user=$(openstack user show --domain=Users demo -f value -c id) |
|
| 668 |
+ local admin_role="admin" |
|
| 669 |
+ get_or_create_role $admin_role |
|
| 670 |
+ |
|
| 671 |
+ # Grant demo LDAP user access to project and role |
|
| 672 |
+ get_or_add_user_project_role $admin_role $ldap_user $admin_project |
|
| 673 |
+} |
|
| 674 |
+ |
|
| 618 | 675 |
# Restore xtrace |
| 619 | 676 |
$_XTRACE_KEYSTONE |
| 620 | 677 |
|
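Review bot: `create_ldap_domain` hard-codes the bind DN `cn=Manager,dc=openstack,dc=org` and the URL `ldap://localhost` into the domain file (new lines 643–644) while the rest of the function is driven by `$LDAP_BASE_DN`, `$LDAP_MANAGER_DN` and `$LDAP_URL` (see the `ldapadd` call at new line 661); change them to `iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "$LDAP_MANAGER_DN"` and `iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "$LDAP_URL"` so an overridden base DN or URL does not leave Keystone binding to a DN that does not exist. `$slappass` at new line 660 is not assigned anywhere in this function, so it expands to an empty string unless it is a global set elsewhere; since `user.ldif.in` in this commit has no placeholder for it the result is harmless today but misleading — either drop the argument or compute it here with `slappasswd -s "$LDAP_PASSWORD"` and use it in the template. `KEYSTONE_LDAP_DOMAIN_FILE` is the only variable in the function assigned without `local`, unlike `tmp_ldap_dir`, `admin_project`, `ldap_user` and `admin_role`, and the file it names receives the bind password via `iniset ... ldap password`, so it should be created with restrictive permissions rather than a bare `touch` under the default umask. The LDAP `demo` user is granted `admin` on the `admin` project; if that is intentional a comment saying why a demo account needs admin rights would help, otherwise a member role on a demo project is the conventional grant.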
| ... | ... |
@@ -119,8 +119,7 @@ function install_ldap {
|
| 119 | 119 |
|
| 120 | 120 |
printf "installing OpenLDAP" |
| 121 | 121 |
if is_ubuntu; then |
| 122 |
- # Ubuntu automatically starts LDAP so no need to call start_ldap() |
|
| 123 |
- : |
|
| 122 |
+ configure_ldap |
|
| 124 | 123 |
elif is_fedora; then |
| 125 | 124 |
start_ldap |
| 126 | 125 |
elif is_suse; then |
| ... | ... |
@@ -148,6 +147,27 @@ function install_ldap {
|
| 148 | 148 |
rm -rf $tmp_ldap_dir |
| 149 | 149 |
} |
| 150 | 150 |
|
| 151 |
+# configure_ldap() - Configure LDAP - reconfigure slapd |
|
| 152 |
+function configure_ldap {
|
|
| 153 |
+ sudo debconf-set-selections <<EOF |
|
| 154 |
+ slapd slapd/internal/generated_adminpw password $LDAP_PASSWORD |
|
| 155 |
+ slapd slapd/internal/adminpw password $LDAP_PASSWORD |
|
| 156 |
+ slapd slapd/password2 password $LDAP_PASSWORD |
|
| 157 |
+ slapd slapd/password1 password $LDAP_PASSWORD |
|
| 158 |
+ slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION |
|
| 159 |
+ slapd slapd/domain string Users |
|
| 160 |
+ slapd shared/organization string $LDAP_DOMAIN |
|
| 161 |
+ slapd slapd/backend string HDB |
|
| 162 |
+ slapd slapd/purge_database boolean true |
|
| 163 |
+ slapd slapd/move_old_database boolean true |
|
| 164 |
+ slapd slapd/allow_ldap_v2 boolean false |
|
| 165 |
+ slapd slapd/no_configuration boolean false |
|
| 166 |
+ slapd slapd/dump_database select when needed |
|
| 167 |
+EOF |
|
| 168 |
+ sudo apt-get install -y slapd ldap-utils |
|
| 169 |
+ sudo dpkg-reconfigure -f noninteractive $LDAP_SERVICE_NAME |
|
| 170 |
+} |
|
| 171 |
+ |
|
| 151 | 172 |
# start_ldap() - Start LDAP |
| 152 | 173 |
function start_ldap {
|
| 153 | 174 |
sudo service $LDAP_SERVICE_NAME restart |
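Review bot: `slapd slapd/domain string Users` and `slapd shared/organization string $LDAP_DOMAIN` in `configure_ldap` look swapped: debconf derives the database suffix from `slapd/domain`, so this preseed produces a `dc=Users` suffix rather than one matching `$LDAP_BASE_DN`, whereas `shared/organization` is only a display name. If the ldif loading that the rest of `install_ldap` performs afterwards rewrites the suffix and root DN this is harmless, but then a comment saying so is needed; otherwise use `slapd slapd/domain string $LDAP_DOMAIN`. The heredoc body lines are indented with four spaces and `<<EOF` preserves that indentation; confirm that `debconf-set-selections` accepts leading whitespace, or start each line at column 0. `sudo apt-get install -y slapd ldap-utils` bypasses the project's `install_package` wrapper and hard-codes the package name that the following `dpkg-reconfigure` line takes from `$LDAP_SERVICE_NAME`, so the two can drift apart.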