Support for multiple domains and ldap backend
diff --git a/README.rst b/README.rst
index 2cf4bce..ae0bd39 100644
--- a/README.rst
+++ b/README.rst
@@ -160,6 +160,23 @@
engine: fernet
...
+Keystone domain with LDAP backend, using SQL for role/project assignment
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ domain:
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm01.workshop.cloudlab.cz"
+ suffix: "dc=workshop,dc=cloudlab,dc=cz"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
+ uid: keystone
+ password: cloudlab
+
Read more
=========
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
new file mode 100644
index 0000000..9bf4271
--- /dev/null
+++ b/keystone/files/keystone.domain.conf
@@ -0,0 +1,59 @@
+{% from "keystone/map.jinja" import server with context %}
+{%- for name, dm in server.domain.iteritems() %}
+{%- if name == domain_name %}
+{%- set domain = dm %}
+{%- endif %}
+{%- endfor %}
+
+{%- if domain.get("backend", "sql") == "ldap" %}
+[ldap]
+url = {{ domain.ldap.url }}
+user = uid={{ domain.ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ domain.ldap.suffix }}
+password = {{ domain.ldap.password }}
+suffix = {{ domain.ldap.suffix }}
+
+# User mapping
+user_tree_dn = cn=users,cn=accounts,{{ domain.ldap.suffix }}
+user_objectclass = person
+user_id_attribute = uid
+user_name_attribute = uid
+user_mail_attribute = mail
+user_allow_create = false
+user_allow_update = false
+user_allow_delete = false
+user_enabled_attribute = nsAccountLock
+user_enabled_default = False
+user_enabled_invert = true
+
+# Group mapping
+group_tree_dn = cn=groups,cn=accounts,{{ domain.ldap.suffix }}
+group_objectclass = groupOfNames
+group_id_attribute = cn
+group_name_attribute = cn
+group_member_attribute = member
+group_desc_attribute = description
+group_allow_create = false
+group_allow_update = false
+group_allow_delete = false
+
+{%- if ldap.get("tls", {}).get("enabled", true) %}
+use_tls = true
+{%- if ldap.tls.cacertfile %}
+tls_cacertfile = /etc/ipa/ca.crt
+{%- endif %}
+{%- endif %}
+{%- endif %}
+
+[identity]
+{%- if domain.get("backend", "sql") == "ldap" %}
+driver = keystone.identity.backends.ldap.Identity
+{%- else %}
+driver = keystone.identity.backends.sql.Identity
+{%- endif %}
+
+[assignment]
+{%- if domain.get("assignment", {}).get("backend", "sql") == "ldap" %}
+driver = keystone.assignment.backends.ldap.Assignment
+{%- else %}
+driver = keystone.assignment.backends.sql.Assignment
+{%- endif %}
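Review bot: The `{%- set domain = dm %}` inside the `for` loop on the first lines of this file does not survive the loop in Jinja2 (loop bodies have their own scope), so `domain` is undefined by the time `domain.get("backend", "sql")` runs, and `domain_name` itself is never supplied: the `file.managed` that renders this template in keystone/server.sls passes no `defaults`/`context`. The `[ldap]` TLS block also reads an undefined `ldap` (`ldap.get("tls", {})`, `ldap.tls.cacertfile`) where the rest of the file uses `domain.ldap`, and then hard-codes `tls_cacertfile = /etc/ipa/ca.crt` instead of the configured value. Separately, `use_tls = true` is emitted whenever `tls.enabled` is unset, yet the README example in this commit uses an `ldaps://` URL; in Keystone `use_tls` selects StartTLS and is not meant to be combined with an LDAPS URL, so the default here would appear to break the documented setup — worth confirming and either defaulting `enabled` to false or documenting it. Since the rendered file contains the bind `password`, the `file.managed` in server.sls should also set a restrictive `mode`/`user`/`group` rather than the default.
```jinja
{% from "keystone/map.jinja" import server with context %}
{#- domain_name must be supplied via the file.managed defaults/context #}
{%- set domain = server.domain.get(domain_name, {}) %}
{# … unchanged: [ldap] url/user/password/suffix, user and group mapping … #}
{%- set tls = domain.ldap.get("tls", {}) %}
{%- if tls.get("enabled", true) %}
use_tls = true
{%- if tls.get("cacertfile") %}
tls_cacertfile = {{ tls.cacertfile }}
{%- endif %}
{%- endif %}
```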
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 1d84368..29ec0ef 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -706,7 +706,13 @@
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients. (string value)
-#default_domain_id = default
+{%- if server.get('domain' {}) %}
+{%- for name, domain in server.domain.iteritems() %}
+{%- if domain.get('default', False) %}
+default_domain_id = {{ name }}
+{%- endif %}
+{%- endfor %}
+{%- endif %}
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration options, stored in either the resource
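Review bot: The added `{%- if server.get('domain' {}) %}` is missing the comma between the two arguments, which is a Jinja TemplateSyntaxError, so the whole keystone.conf fails to render as soon as this template is used; the same typo is repeated in this file's next two hunks (`domain_specific_drivers_enabled` and `domain_config_dir`) and in all three hunks of keystone/files/liberty/keystone.conf.Debian. Change each to `{%- if server.get('domain', {}) %}`. Note also that if more than one domain sets `default: true`, this loop emits one `default_domain_id` line per such domain, so a single-default constraint should be documented for the pillar or enforced in the template.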
@@ -714,7 +720,9 @@
# setting of domain_configurations_from_database). Only values specific to the
# domain need to be specified in this manner. This feature is disabled by
# default; set to true to enable. (boolean value)
-#domain_specific_drivers_enabled = false
+{%- if server.get('domain' {}) %}
+domain_specific_drivers_enabled = true
+{%- endif %}
# Extract the domain specific configuration options from the resource backend
# where they have been stored with the domain data. This feature is disabled by
@@ -725,7 +733,9 @@
# Path for Keystone to locate the domain specific identity configuration files
# if domain_specific_drivers_enabled is set to true. (string value)
-#domain_config_dir = /etc/keystone/domains
+{%- if server.get('domain' {}) %}
+domain_config_dir = /etc/keystone/domains
+{%- endif %}
# Identity backend driver. (string value)
#driver = keystone.identity.backends.sql.Identity
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 542c309..02925bc 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -832,7 +832,13 @@
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients. (string value)
-#default_domain_id = default
+{%- if server.get('domain' {}) %}
+{%- for name, domain in server.domain.iteritems() %}
+{%- if domain.get('default', False) %}
+default_domain_id = {{ name }}
+{%- endif %}
+{%- endfor %}
+{%- endif %}
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration options, stored in either the resource
@@ -840,7 +846,9 @@
# setting of domain_configurations_from_database). Only values specific to the
# domain need to be specified in this manner. This feature is disabled by
# default; set to true to enable. (boolean value)
-#domain_specific_drivers_enabled = false
+{%- if server.get('domain' {}) %}
+domain_specific_drivers_enabled = true
+{%- endif %}
# Extract the domain specific configuration options from the resource backend
# where they have been stored with the domain data. This feature is disabled by
@@ -851,7 +859,9 @@
# Path for Keystone to locate the domain specific identity configuration files
# if domain_specific_drivers_enabled is set to true. (string value)
-#domain_config_dir = /etc/keystone/domains
+{%- if server.get('domain' {}) %}
+domain_config_dir = /etc/keystone/domains
+{%- endif %}
# Entrypoint for the identity backend driver in the keystone.identity
# namespace. Supplied drivers are ldap and sql. (string value)
diff --git a/keystone/server.sls b/keystone/server.sls
index 5fd8a31..396f319 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -54,6 +54,26 @@
- watch_in:
- service: keystone_service
+{%- if server.get("domain", {}) %}
+
+/etc/keystone/domains:
+ file.directory:
+ - mode: 0755
+ - require:
+ - pkg: keystone_packages
+
+{%- for domain_name, domain in server.domain.iteritems() %}
+/etc/keystone/domains/keystone.{{ domain_name }}.conf:
+ file.managed:
+ - source: salt://keystone/files/keystone.domain.conf
+ - require:
+ - file: /etc/keystone/domains
+ - watch_in:
+ - service: keystone_service
+{%- endfor %}
+
+{%- endif %}
+
keystone_service:
service.running:
- name: {{ server.service_name }}