Ldap configuration changes:

- added new parameter: user_attribute_ignore (string) to manage it
- added new parameter: group_mapping (bool) to disable group mapping block
- fixed tests and doc for multiple ldap parameters
- cosmetic fix: indentation

Prod-Related: PROD-32324
Change-Id: I6e73c9a55f205ce04e4a8dc91e661e0d833f6748
diff --git a/README.rst b/README.rst
index 0ec9620..ab7a965 100644
--- a/README.rst
+++ b/README.rst
@@ -199,6 +199,22 @@
         ...
 
 Keystone domain with LDAP backend, using SQL for
+role/project assignment and disabled group mapping block:
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        domain:
+          external:
+            description: "Testing domain"
+            backend: ldap
+            assignment:
+              backend: sql
+            ldap:
+              group_mapping: False
+
+Keystone domain with LDAP backend, using SQL for
 role/project assignment:
 
 .. code-block:: yaml
@@ -212,11 +228,24 @@
             assignment:
               backend: sql
             ldap:
+              group_mapping: False
               url: "ldaps://idm.domain.com"
               suffix: "dc=cloud,dc=domain,dc=com"
               # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
               uid: keystone
               password: password
+              query_scope: "sub"
+              bind_user: "CN=lab,CN=users,${keystone:server:domain:testing:ldap:suffix}"
+              filter:
+                user: "(memberOf=CN=Grp-atm-admins,CN=Users,${keystone:server:domain:testing:ldap:suffix})"
+              user_tree_dn: "CN=users,${keystone:server:domain:testing:ldap:suffix}"
+              user_id_attribute: "sAMAccountName"
+              user_name_attribute: "sAMAccountName"
+              user_pass_attribute: ""
+              user_enabled_default: 512
+              user_enabled_mask: 2
+              user_enabled_attribute: "userAccountControl"
+              user_attribute_ignore: "password,tenant_id,tenants"
 
 Use driver aliases for drivers instead of class path's:
 
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index 595ccd1..56c89ae 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -2,11 +2,11 @@
 [ldap]
 url = {{ ldap.url }}
 {%- if ldap.get('auth', True) == True %}
-{%- if ldap.bind_user is defined %}
+  {%- if ldap.bind_user is defined %}
 user = {{ ldap.bind_user }}
-{%- else %}
+  {%- else %}
 user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
-{%- endif %}
+  {%- endif %}
 password = {{ ldap.password }}
 {%- endif %}
 suffix = {{ ldap.suffix }}
@@ -34,6 +34,9 @@
 user_enabled_default = {{ ldap.get("user_enabled_default", False) }}
 user_enabled_invert = {{ ldap.get("user_enabled_invert", True) }}
 user_enabled_mask = {{ ldap.get("user_enabled_mask", 0) }}
+{%- if ldap.user_attribute_ignore is defined %}
+user_attribute_ignore = {{ ldap.user_attribute_ignore }}
+{%- endif %}
 {%- if ldap.get('filter', {}).get('user', False) %}
 user_filter = {{ ldap.filter.user }}
 {%- endif %}
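Review bot: The new `user_attribute_ignore = {{ ldap.user_attribute_ignore }}` line renders the pillar value verbatim, so a pillar author who writes the option as a YAML list (the natural form for a comma-separated option) ends up with Python's `['password', 'tenant_id']` repr in the INI file, and oslo.config's comma split then yields attribute names wrapped in brackets and quotes. Rendering `user_attribute_ignore = {{ ldap.user_attribute_ignore if ldap.user_attribute_ignore is string else ldap.user_attribute_ignore|join(',') }}` accepts both forms. A comment above the guard is also worth adding, since Keystone's built-in value for this option is `default_project_id` and an override replaces that default rather than extending it. The `[ldap]` section this hunk sits in starts and ends outside the hunk.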
@@ -47,47 +50,49 @@
 user_enabled_emulation_use_group_config = {{ ldap.user_enabled_emulation_use_group_config }}
 {%- endif %}
 
+{%- if ldap.get('group_mapping', True) %}
 # Group mapping
-{%- if ldap.group_tree_dn is defined  %}
+  {%- if ldap.group_tree_dn is defined %}
 group_tree_dn = {{ ldap.group_tree_dn }}
-{%- else %}
+  {%- else %}
 group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
-{%- endif %}
+  {%- endif %}
 group_objectclass = {{ ldap.get("group_objectclass", "groupOfNames") }}
 group_id_attribute = {{ ldap.get("group_id_attribute", "cn") }}
 group_name_attribute = {{ ldap.get("group_name_attribute", "cn") }}
 group_member_attribute = {{ ldap.get("group_member_attribute", "member") }}
 group_desc_attribute = {{ ldap.get("group_desc_attribute", "description") }}
-{%- if ldap.get('read_only', True) %}
+  {%- if ldap.get('read_only', True) %}
 group_allow_create = false
 group_allow_update = false
 group_allow_delete = false
-{%- endif %}
-{%- if ldap.get('filter', {}).get('group', False) %}
+  {%- endif %}
+  {%- if ldap.get('filter', {}).get('group', False) %}
 group_filter = {{ ldap.filter.group }}
-{%- endif %}
-{%- if ldap.group_members_are_ids is defined  %}
+  {%- endif %}
+  {%- if ldap.group_members_are_ids is defined  %}
 group_members_are_ids = {{ ldap.group_members_are_ids }}
+  {%- endif %}
 {%- endif %}
 
 {%- if ldap.tls is defined %}
 
-{%- if ldap.tls.get("enabled", False) %}
+  {%- if ldap.tls.get("enabled", False) %}
 use_tls = true
-{%- endif %}
+  {%- endif %}
 
-{%- if ldap.tls.cacertdir is defined %}
+  {%- if ldap.tls.cacertdir is defined %}
 tls_cacertdir = {{ ldap.tls.cacertdir }}
-{%- endif %}
+  {%- endif %}
 
-{%- if ldap.tls.cacert is defined %}
+  {%- if ldap.tls.cacert is defined %}
 tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
-{%- elif ldap.tls.cacertfile is defined %}
+  {%- elif ldap.tls.cacertfile is defined %}
 tls_cacertfile = {{ ldap.tls.cacertfile }}
-{%- endif %}
+  {%- endif %}
 
-{%- if ldap.tls.req_cert is defined %}
+  {%- if ldap.tls.req_cert is defined %}
 tls_req_cert = {{ ldap.tls.req_cert }}
-{%- endif %}
+  {%- endif %}
 
 {%- endif %}
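Review bot: Wrapping the whole group stanza in `{%- if ldap.get('group_mapping', True) %}` also suppresses the `group_allow_create/update/delete = false` lines, so a domain with `group_mapping: False` and the default `read_only: True` falls back to Keystone's built-in group options, which as far as I recall permit group writes; the read-only guarantee the template otherwise enforces is silently lost. Keystone does not stop using LDAP groups when these keys are absent, it simply applies its defaults, so the README's "disabled group mapping block" wording overstates what is disabled and the option deserves a comment saying it only omits the explicit settings. I would move the `read_only` guard out of the `group_mapping` block so it is emitted regardless, as sketched below. Separately, the re-indented `{%- if ldap.group_members_are_ids is defined  %}` keeps the double space that the `group_tree_dn` line above fixed. The `[ldap]` section starts before this hunk.
```jinja
{#- … unchanged: group_tree_dn, group_* attribute and group_filter lines, with the inner read_only guard removed … #}
  {%- if ldap.group_members_are_ids is defined %}
group_members_are_ids = {{ ldap.group_members_are_ids }}
  {%- endif %}
{%- endif %}
{#- Emitted independently of group_mapping: Keystone's own defaults permit group writes #}
{%- if ldap.get('read_only', True) %}
group_allow_create = false
group_allow_update = false
group_allow_delete = false
{%- endif %}
```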
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 697e40e..ba1ef77 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -185,10 +185,24 @@
           backend: sql
           driver: keystone.assignment.backends.sql.Assignment
         ldap:
+          group_mapping: False
           url: "ldaps://idm.domain.com"
           suffix: "dc=cloud,dc=domain,dc=com"
           uid: keystone
           password: password
+          query_scope: "sub"
+          bind_user: "CN=lab,CN=users,${keystone:server:domain:testing:ldap:suffix}"
+          filter:
+            user: "(memberOf=CN=Grp-atm-admins,CN=Users,${keystone:server:domain:testing:ldap:suffix})"
+          user_tree_dn: "CN=users,${keystone:server:domain:testing:ldap:suffix}"
+          user_id_attribute: "sAMAccountName"
+          user_name_attribute: "sAMAccountName"
+          user_pass_attribute: ""
+          user_enabled_default: 512
+          user_enabled_mask: 2
+          user_enabled_attribute: "userAccountControl"
+          user_attribute_ignore: "password,tenant_id,tenants"
+
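Review bot: `bind_user`, `filter.user` and `user_tree_dn` embed `${keystone:server:domain:testing:ldap:suffix}`, a reclass-style reference that Salt's own pillar rendering does not expand, so when this fixture is fed to salt directly the bind DN and user filter land in the domain config as the literal `${...}` text; the `suffix` line just above already spells the value out, so `bind_user: "CN=lab,CN=users,dc=cloud,dc=domain,dc=com"` (and the same substitution in the filter and tree DN) keeps the fixture self-contained. Whether the enclosing domain is actually named `testing` cannot be confirmed here, since the domain header lies above the hunk. Also prefer lowercase `group_mapping: false` to match the rest of this pillar (`enabled: false` below).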
 # Client state
   client:
     enabled: false