Parameterize LDAP/Keystone integration

Currently, the Keystone/LDAP integration has many parameters
hardcoded (e.g. attributes, binding DN).

This commit allows an operator to specify these settings,
while preserving backwards compatibility.

Change-Id: Ifb0921b38d9b2662b2258278fa9e5f128fafe422
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index 0c27708..2b61fdd 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -1,22 +1,31 @@
 
 [ldap]
 url = {{ ldap.url }}
+{%- if ldap.bind_user is defined %}
+user = {{ ldap.bind_user }}
+{%- else %}
 user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
+{%- endif %}
 password = {{ ldap.password }}
 suffix = {{ ldap.suffix }}
 
 # User mapping
+{%- if ldap.user_tree_dn is defined  %}
+user_tree_dn = {{ ldap.user_tree_dn }}
+{%- else %}
 user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
-user_objectclass = person
-user_id_attribute = uid
-user_name_attribute = uid
-user_mail_attribute = mail
+{%- endif %}
+user_objectclass = {{ ldap.get("user_objectclass", "person") }}
+user_id_attribute = {{ ldap.get("user_id_attribute", "uid") }}
+user_name_attribute = {{ ldap.get("user_name_attribute", "uid") }}
+user_mail_attribute = {{ ldap.get("user_mail_attribute", "mail") }}
+user_pass_attribute = {{ ldap.get("user_pass_attribute", "password") }}
 {%- if ldap.get('read_only', True) %}
 user_allow_create = false
 user_allow_update = false
 user_allow_delete = false
 {%- endif %}
-user_enabled_attribute = nsAccountLock
+user_enabled_attribute = {{ ldap.get("user_enabled_attribute", "nsAccountLock") }}
 user_enabled_default = False
 user_enabled_invert = true
 {%- if ldap.get('filter', {}).get('user', False) %}
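Review bot: `user_enabled_attribute` becomes configurable here, but the two lines after it, `user_enabled_default = False` and `user_enabled_invert = true`, stay hardcoded to the lock-style semantics of `nsAccountLock`. An operator who points the attribute at a directory where a true value means "enabled" would have Keystone read the flag inverted, so disabled accounts could be treated as enabled. Expose both alongside the attribute, e.g. `user_enabled_invert = {{ ldap.get("user_enabled_invert", "true") }}` and `user_enabled_default = {{ ldap.get("user_enabled_default", "False") }}`. Separately, the added `user_pass_attribute` line was not rendered before and defaults to `password`, whereas Keystone's own default is, as far as I recall, `userPassword`, so existing deployments get a changed value; defaulting to `userPassword`, or emitting the line only when the key is set, would keep the claimed backwards compatibility. The `filter` conditional opened on the last line of the hunk continues outside it.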
@@ -24,12 +33,16 @@
 {%- endif %}
 
 # Group mapping
+{%- if ldap.group_tree_dn is defined  %}
+group_tree_dn = {{ ldap.group_tree_dn }}
+{%- else %}
 group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
-group_objectclass = groupOfNames
-group_id_attribute = cn
-group_name_attribute = cn
-group_member_attribute = member
-group_desc_attribute = description
+{%- endif %}
+group_objectclass = {{ ldap.get("group_objectclass", "groupOfNames") }}
+group_id_attribute = {{ ldap.get("group_id_attribute", "cn") }}
+group_name_attribute = {{ ldap.get("group_name_attribute", "cn") }}
+group_member_attribute = {{ ldap.get("group_member_attribute", "member") }}
+group_desc_attribute = {{ ldap.get("group_desc_attribute", "description") }}
 {%- if ldap.get('read_only', True) %}
 group_allow_create = false
 group_allow_update = false
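Review bot: The `is defined` test around `group_tree_dn` is true for a pillar key that exists but is empty, which would render `group_tree_dn = None` (or a blank value) instead of falling back to the suffix-derived DN. The rest of the file uses `ldap.get(...)` with a default; doing the same here collapses the four template lines into one: `group_tree_dn = {{ ldap.get("group_tree_dn") or "cn=groups,cn=accounts," ~ ldap.suffix }}`. The same construct is used for `bind_user` and `user_tree_dn` in the first hunk. The `read_only` block at the end of the hunk closes outside it.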