Edited initial ldap entries and olcdb template file as recommended by Brant.
Change-Id: I1404cc5c754f878e32a2d10254840d092211e6e6
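--- /dev/null
+++ b/$FILES/ldap/manager.ldif.in
@@ -0,0 +1,10 @@
+dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=openstack,dc=org
+-
+replace: olcRootDN
+olcRootDN: dc=Manager,dc=openstack,dc=org
+-
+${LDAP_ROOTPW_COMMAND}: olcRootPW
+olcRootPW: ${SLAPPASS}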
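Review bot: The suffix `dc=openstack,dc=org` and the root DN `dc=Manager,dc=openstack,dc=org` are fixed literals here and are repeated verbatim in lib/ldap (the ldapsearch, ldapadd and ldapdelete calls) and in the keystone `[ldap]` settings, so a change to one of them silently breaks the others. Since the file is already a template, substituting them from a single shell variable, e.g. `olcSuffix: ${LDAP_BASE_DN}` and `olcRootDN: ${LDAP_MANAGER_DN}`, alongside `${LDAP_OLCDB_NUMBER}`, would keep every site in step. Using `dc=` as the RDN attribute of the manager DN is unconventional (`cn=Manager,…` is the usual form) but not incorrect as long as the same value is bound everywhere.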
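--- /dev/null
+++ b/$FILES/ldap/openstack.ldif
@@ -0,0 +1,21 @@
+dn: dc=openstack,dc=org
+dc: openstack
+objectClass: dcObject
+objectClass: organizationalUnit
+ou: openstack
+
+dn: ou=Groups,dc=openstack,dc=org
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Users,dc=openstack,dc=org
+objectClass: organizationalUnit
+ou: Users
+
+dn: ou=Roles,dc=openstack,dc=org
+objectClass: organizationalUnit
+ou: Roles
+
+dn: ou=Projects,dc=openstack,dc=org
+objectClass: organizationalUnit
+ou: Projects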
| ... | ... |
@@ -94,6 +94,17 @@ function configure_keystone() {
|
| 94 | 94 |
local dburl |
| 95 | 95 |
database_connection_url dburl keystone |
| 96 | 96 |
|
| 97 |
+ if is_service_enabled ldap; then |
|
| 98 |
+ #Set all needed ldap values |
|
| 99 |
+ iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD |
|
| 100 |
+ iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org" |
|
| 101 |
+ iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org" |
|
| 102 |
+ fi |
|
| 103 |
+ |
|
| 104 |
+ if [[ "$KEYSTONE_IDENTITY_BACKEND" == "ldap" ]]; then |
|
| 105 |
+ iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.ldap.Identity" |
|
| 106 |
+ fi |
|
| 107 |
+ |
|
| 97 | 108 |
if is_service_enabled tls-proxy; then |
| 98 | 109 |
# Set the service ports for a proxy to take the originals |
| 99 | 110 |
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT |
| ... | ... |
@@ -283,6 +294,10 @@ function install_keystoneclient() {
|
| 283 | 283 |
|
| 284 | 284 |
# install_keystone() - Collect source and prepare |
| 285 | 285 |
function install_keystone() {
|
| 286 |
+ # only install ldap if the service has been enabled |
|
| 287 |
+ if is_service_enabled ldap; then |
|
| 288 |
+ install_ldap |
|
| 289 |
+ fi |
|
| 286 | 290 |
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH |
| 287 | 291 |
} |
| 288 | 292 |
|
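Review bot: `iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD` (new line 99 of configure_keystone) passes the password unquoted, so a value containing whitespace or glob characters is word-split before iniset sees it and the wrong string ends up in the config; write `iniset $KEYSTONE_CONF ldap password "$LDAP_PASSWORD"`. The driver switch on line 105 is keyed on KEYSTONE_IDENTITY_BACKEND while the `[ldap]` values on lines 99–101 are keyed on `is_service_enabled ldap`, so setting the backend to ldap without enabling the service presumably yields a keystone pointed at an LDAP backend with no credentials or suffix configured — a check that fails loudly for that combination would help. A short comment on the `install_ldap` call in install_keystone (new lines 286–289) would also be worth adding, since that function does not only install packages but also modifies cn=config and loads the base entries. configure_keystone starts and ends outside the hunk.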
| 289 | 293 |
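--- /dev/null
+++ b/lib/ldap
@@ -0,0 +1,74 @@
+# lib/ldap
+# Functions to control the installation and configuration of **ldap**
+
+# ``stack.sh`` calls the entry points in this order:
+#
+
+# Save trace setting
+XTRACE=$(set +o | grep xtrace)
+set +o xtrace
+
+# install_ldap
+# install_ldap() - Collect source and prepare
+function install_ldap() {
+echo "Installing LDAP inside function"
+echo "LDAP_PASSWORD is $LDAP_PASSWORD"
+echo "os_VENDOR is $os_VENDOR"
+printf "installing"
+if is_ubuntu; then
+echo "os vendor is Ubuntu"
+LDAP_OLCDB_NUMBER=1
+LDAP_ROOTPW_COMMAND=replace
+sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils
+#automatically starts LDAP on ubuntu so no need to call start_ldap
+elif is_fedora; then
+echo "os vendor is Fedora"
+LDAP_OLCDB_NUMBER=2
+LDAP_ROOTPW_COMMAND=add
+start_ldap
+fi
+
+printf "generate password file"
+SLAPPASS=`slappasswd -s $LDAP_PASSWORD`
+
+printf "secret is $SLAPPASS\n"
+#create manager.ldif
+TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`
+sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
+
+#update ldap olcdb
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE
+
+# add our top level ldap nodes
+if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success" ; then
+printf "LDAP already configured for OpenStack\n"
+if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then
+# clear LDAP state
+clear_ldap_state
+# reconfigure LDAP for OpenStack
+ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
+fi
+else
+printf "Configuring LDAP for OpenStack\n"
+ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
+fi
+}
+
+# start_ldap() - Start LDAP
+function start_ldap() {
+sudo service slapd restart
+}
+
+
+# stop_ldap() - Stop LDAP
+function stop_ldap() {
+sudo service slapd stop
+}
+
+# clear_ldap_state() - Clear LDAP State
+function clear_ldap_state() {
+ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org"
+}
+
+# Restore xtrace
+$XTRACE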
| ... | ... |
@@ -306,6 +306,7 @@ source $TOP_DIR/lib/ceilometer |
| 306 | 306 |
source $TOP_DIR/lib/heat |
| 307 | 307 |
source $TOP_DIR/lib/quantum |
| 308 | 308 |
source $TOP_DIR/lib/baremetal |
| 309 |
+source $TOP_DIR/lib/ldap |
|
| 309 | 310 |
|
| 310 | 311 |
# Set the destination directories for OpenStack projects |
| 311 | 312 |
HORIZON_DIR=$DEST/horizon |
| ... | ... |
@@ -475,6 +476,20 @@ read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN |
| 475 | 475 |
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION." |
| 476 | 476 |
# Horizon currently truncates usernames and passwords at 20 characters |
| 477 | 477 |
read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)." |
| 478 |
+# Keystone can now optionally install OpenLDAP by adding ldap to the list |
|
| 479 |
+# of enabled services in the localrc file (e.g. ENABLED_SERVICES=key,ldap). |
|
| 480 |
+# If OpenLDAP has already been installed but you need to clear out |
|
| 481 |
+# the Keystone contents of LDAP set KEYSTONE_CLEAR_LDAP to yes |
|
| 482 |
+# (e.g. KEYSTONE_CLEAR_LDAP=yes ) in the localrc file. To enable the |
|
| 483 |
+# Keystone Identity Driver (keystone.identity.backends.ldap.Identity) |
|
| 484 |
+# set KEYSTONE_IDENTITY_BACKEND to ldap (e.g. KEYSTONE_IDENTITY_BACKEND=ldap) |
|
| 485 |
+# in the localrc file. |
|
| 486 |
+ |
|
| 487 |
+ |
|
| 488 |
+# only request ldap password if the service is enabled |
|
| 489 |
+if is_service_enabled ldap; then |
|
| 490 |
+ read_password LDAP_PASSWORD "ENTER A PASSWORD TO USE FOR LDAP" |
|
| 491 |
+fi |
|
| 478 | 492 |
|
| 479 | 493 |
# Set the tenant for service accounts in Keystone |
| 480 | 494 |
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
|