Fixes devstack ldap plugin
When the ldap service is enable on local.conf devstack ldap
plugin starts slapd service using its default config on Ubuntu
and installs ldap-utils package.
Enables domain specific drivers on Keystone and creates LDAP
domain 'Users' with a demo user.
Change-Id: I8d7aa260b01f675e4ed201ef93bfd66474f4b228
diff --git a/files/ldap/user.ldif.in b/files/ldap/user.ldif.in
new file mode 100644
index 0000000..16a9807
--- /dev/null
+++ b/files/ldap/user.ldif.in
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Demo LDAP user
+dn: cn=demo,ou=Users,${BASE_DN}
+cn: demo
+displayName: demo
+givenName: demo
+mail: demo@openstack.org
+objectClass: inetOrgPerson
+objectClass: top
+sn: demo
+uid: demo
+userPassword: demo
diff --git a/lib/horizon b/lib/horizon
index 9c7ec00..becc5a0 100644
--- a/lib/horizon
+++ b/lib/horizon
@@ -106,6 +106,10 @@
_horizon_config_set $local_settings "" OPENSTACK_SSL_CACERT \"${SSL_BUNDLE_FILE}\"
fi
+ if is_service_enabled ldap; then
+ _horizon_config_set $local_settings "" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT "True"
+ fi
+
# Create an empty directory that apache uses as docroot
sudo mkdir -p $HORIZON_DIR/.blackhole
diff --git a/lib/keystone b/lib/keystone
index eb46526..1061081 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -219,17 +219,10 @@
fi
# Rewrite stock ``keystone.conf``
-
if is_service_enabled ldap; then
- #Set all needed ldap values
- iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
- iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
- iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
- iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
- iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
- iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
+ iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
+ iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
fi
-
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
@@ -410,6 +403,10 @@
get_or_add_group_project_role $member_role $non_admin_group $alt_demo_project
get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
get_or_add_group_project_role $admin_role $admin_group $admin_project
+
+ if is_service_enabled ldap; then
+ create_ldap_domain
+ fi
}
# Create a user that is capable of verifying keystone tokens for use with auth_token middleware.
@@ -615,6 +612,63 @@
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
}
+# create_ldap_domain() - Create domain file and initialize domain with a user
+function create_ldap_domain {
+ # Creates domain Users
+ openstack --os-identity-api-version=3 domain create --description "LDAP domain" Users
+
+ # Create domain file inside etc/keystone/domains
+ KEYSTONE_LDAP_DOMAIN_FILE=$KEYSTONE_CONF_DIR/domains/keystone.Users.conf
+ mkdir -p "$KEYSTONE_CONF_DIR/domains"
+ touch "$KEYSTONE_LDAP_DOMAIN_FILE"
+
+ # Set identity driver 'ldap'
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE identity driver "ldap"
+
+ # LDAP settings for Users domain
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_delete "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_update "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_allow_create "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_delete "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_update "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_allow_create "False"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_objectclass "inetOrgPerson"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap password $LDAP_PASSWORD
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_tree_dn "ou=Groups,$LDAP_BASE_DN"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_objectclass "groupOfNames"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_name_attribute "cn"
+ iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap group_id_attribute "cn"
+
+ # Restart apache and identity services to associate domain and conf file
+ sudo service apache2 reload
+ sudo systemctl restart devstack@keystone
+
+ # Create LDAP user.ldif and add user to LDAP backend
+ local tmp_ldap_dir
+ tmp_ldap_dir=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
+
+ _ldap_varsubst $FILES/ldap/user.ldif.in $slappass >$tmp_ldap_dir/user.ldif
+ sudo ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $tmp_ldap_dir/user.ldif
+ rm -rf $tmp_ldap_dir
+
+ local admin_project
+ admin_project=$(get_or_create_project "admin" default)
+ local ldap_user
+ ldap_user=$(openstack user show --domain=Users demo -f value -c id)
+ local admin_role="admin"
+ get_or_create_role $admin_role
+
+ # Grant demo LDAP user access to project and role
+ get_or_add_user_project_role $admin_role $ldap_user $admin_project
+}
+
# Restore xtrace
$_XTRACE_KEYSTONE
diff --git a/lib/ldap b/lib/ldap
index 4cea812..5a53d0e 100644
--- a/lib/ldap
+++ b/lib/ldap
@@ -119,8 +119,7 @@
printf "installing OpenLDAP"
if is_ubuntu; then
- # Ubuntu automatically starts LDAP so no need to call start_ldap()
- :
+ configure_ldap
elif is_fedora; then
start_ldap
elif is_suse; then
@@ -148,6 +147,27 @@
rm -rf $tmp_ldap_dir
}
+# configure_ldap() - Configure LDAP - reconfigure slapd
+function configure_ldap {
+ sudo debconf-set-selections <<EOF
+ slapd slapd/internal/generated_adminpw password $LDAP_PASSWORD
+ slapd slapd/internal/adminpw password $LDAP_PASSWORD
+ slapd slapd/password2 password $LDAP_PASSWORD
+ slapd slapd/password1 password $LDAP_PASSWORD
+ slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+ slapd slapd/domain string Users
+ slapd shared/organization string $LDAP_DOMAIN
+ slapd slapd/backend string HDB
+ slapd slapd/purge_database boolean true
+ slapd slapd/move_old_database boolean true
+ slapd slapd/allow_ldap_v2 boolean false
+ slapd slapd/no_configuration boolean false
+ slapd slapd/dump_database select when needed
+EOF
+ sudo apt-get install -y slapd ldap-utils
+ sudo dpkg-reconfigure -f noninteractive $LDAP_SERVICE_NAME
+}
+
# start_ldap() - Start LDAP
function start_ldap {
sudo service $LDAP_SERVICE_NAME restart