Merge "Add list_limit option to /etc/keystone/domains/domain.conf file. You can set it using keystone:server:domain:domain_name:identity:list_limit in reclass"
diff --git a/.travis.yml b/.travis.yml
index acbbe42..a9b99a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,8 +17,12 @@
   - bundle install
 
 env:
-  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5'
-  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7'
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=single_fernet
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=single_fernet
+  - PLATFORM=trevorj/salty-whales:trusty MYSQL_VERSION='5.5' SUITE=under-apache
+  - PLATFORM=trevorj/salty-whales:xenial MYSQL_VERSION='5.7' SUITE=under-apache
 
 before_script:
   - set -o pipefail
diff --git a/README.rst b/README.rst
index 1e0e822..14403eb 100644
--- a/README.rst
+++ b/README.rst
@@ -202,16 +202,17 @@
     keystone:
       server:
         domain:
-          description: "Testing domain"
-          backend: ldap
-          assignment:
-            backend: sql
-          ldap:
-            url: "ldaps://idm.domain.com"
-            suffix: "dc=cloud,dc=domain,dc=com"
-            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
-            uid: keystone
-            password: password
+          external:
+            description: "Testing domain"
+            backend: ldap
+            assignment:
+              backend: sql
+            ldap:
+              url: "ldaps://idm.domain.com"
+              suffix: "dc=cloud,dc=domain,dc=com"
+              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+              uid: keystone
+              password: password
 
 Using LDAP backend for default domain
 
diff --git a/keystone/files/juno/keystone.conf.Debian b/keystone/files/juno/keystone.conf.Debian
index 4d2b9a8..fa7a75e 100644
--- a/keystone/files/juno/keystone.conf.Debian
+++ b/keystone/files/juno/keystone.conf.Debian
@@ -79,7 +79,7 @@
 # Enforced by optional sizelimit middleware
 # (keystone.middleware:RequestBodySizeLimiter). (integer
 # value)
-#max_request_body_size=114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # Limit the sizes of user & project ID/names. (integer value)
 #max_param_size=64
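Review bot: The new `max_request_body_size= {{ server.max_request_body_size }}` line puts a space on only one side of `=`, which reads as a typo next to the `hash_algorithm = {{ server.hash_algorithm }}` line added in the same file; write it as `max_request_body_size = {{ server.max_request_body_size }}`. The same spelling is repeated in the kilo, liberty, mitaka, newton and ocata keystone.conf.Debian hunks, whose surrounding sample lines all use the `key = value` form. The rendered value is whatever the pillar holds, unquoted, and the comment above says the option is an integer, so a non-numeric pillar value only surfaces when keystone starts — a line such as `# integer, bytes; set via pillar keystone:server:max_request_body_size` next to it would help operators.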
@@ -1625,6 +1625,7 @@
 # configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm=md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [trust]
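Review bot: Rendering `hash_algorithm = {{ server.hash_algorithm }}` unconditionally, together with the `'hash_algorithm': 'sha256'` default added in map.jinja, moves every deployment that does not set the pillar away from the sample's `md5` default. The comment directly above states that the revoke list / keystonemiddleware on consuming services must be configured with matching `hash_algorithms` or token revocation is not processed correctly, so this is a coordinated change rather than a purely additive option. Either keep `md5` as the map.jinja default and let operators opt into the stronger hash, or document the required middleware setting in the README and put `# Must match hash_algorithms in keystonemiddleware on every service that validates PKI tokens` above the line. The same unconditional line is added in the kilo, liberty, mitaka, newton and ocata files.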
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 0e59b15..09e0cec 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -1151,7 +1151,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 
 [oslo_policy]
@@ -1458,6 +1458,7 @@
 # middleware must be configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [trust]
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 1a3ba25..2a91c8c 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -1344,7 +1344,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 #
 # From oslo.middleware
@@ -1680,6 +1680,7 @@
 # middleware must be configured with the hash_algorithms, otherwise token
 # revocation will not be processed correctly. (string value)
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 
 [tokenless_auth]
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d834c20..a526cee 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1774,7 +1774,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # The HTTP Header that will be used to determine what the original request
 # protocol scheme was, even if it was hidden by an SSL termination proxy.
@@ -2168,6 +2168,7 @@
 # Reason: PKI token support has been deprecated in the M release and will be
 # removed in the O release. Fernet or UUID tokens are recommended.
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 # Add roles to token that are not explicitly added, but that are linked
 # implicitly to other roles. (boolean value)
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index 7c5960e..db95287 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -2225,7 +2225,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # DEPRECATED: The HTTP Header that will be used to determine what the original
 # request protocol scheme was, even if it was hidden by a SSL termination
@@ -2844,6 +2844,7 @@
 # Reason: PKI token support has been deprecated in the M release and will be
 # removed in the O release. Fernet or UUID tokens are recommended.
 #hash_algorithm = md5
+hash_algorithm = {{ server.hash_algorithm }}
 
 # This controls whether roles should be included with tokens that are not
 # directly assigned to the token's scope, but are instead linked implicitly to
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 9e9ff1c..375935c 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -2395,7 +2395,7 @@
 # The maximum body size for each  request, in bytes. (integer value)
 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
 # Deprecated group/name - [DEFAULT]/max_request_body_size
-#max_request_body_size = 114688
+max_request_body_size= {{ server.max_request_body_size }}
 
 # DEPRECATED: The HTTP Header that will be used to determine what the original
 # request protocol scheme was, even if it was hidden by a SSL termination
@@ -3032,6 +3032,7 @@
 # Defaults to two days. (integer value)
 #allow_expired_window = 172800
 
+hash_algorithm = {{ server.hash_algorithm }}
 
 [tokenless_auth]
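Review bot: Unlike the other release files, this hunk adds `hash_algorithm = {{ server.hash_algorithm }}` where the ocata sample has no `#hash_algorithm = md5` entry to replace; the line is appended after `allow_expired_window` just before `[tokenless_auth]`. The mitaka and newton samples say PKI token support, which this option serves, is to be removed in the O release, so the option may not be recognised by ocata at all — presumably harmless, since unknown options are ignored, but it would be dead configuration that misleads operators. Confirm against the ocata keystone configuration reference and drop the line from this file if the option is gone, or add `# kept for parity with older releases; may be unused on ocata` above it.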
 
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 01613bf..1a40274 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -6,6 +6,8 @@
         'version': 'icehouse',
         'api_version': '2',
         'cors': {},
+        'hash_algorithm': 'sha256',
+        'max_request_body_size': '114688',
         'tokens': {
           'engine': 'database',
           'expiration': '86400'
@@ -20,6 +22,8 @@
         'api_version': '2',
         'version': 'icehouse',
         'cors': {},
+        'hash_algorithm': 'sha256',
+        'max_request_body_size': '114688',
         'tokens': {
           'engine': 'database',
           'expiration': '86400'
diff --git a/keystone/server.sls b/keystone/server.sls
index 0bee8a6..b29e39e 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -5,6 +5,14 @@
   pkg.installed:
   - names: {{ server.pkgs }}
 
+{%- if server.get('backend') == 'ldap' or server.get('domain',{}).itervalues() | selectattr('ldap') | list %}
+keystone_ldap_packages:
+  pkg.installed:
+  - names:
+    - python-ldap
+    - python-ldappool
+{% endif %}
+
 {%- if server.service_name in ['apache2', 'httpd'] %}
 {%- set keystone_service = 'apache_service' %}
 
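Review bot: `server.get('domain',{}).itervalues()` in the new `keystone_ldap_packages` guard is a Python 2-only dict method; under a Python 3 Salt renderer it raises before the state compiles. `.values()` behaves the same on both, so write `{%- if server.get('backend') == 'ldap' or server.get('domain', {}).values() | selectattr('ldap') | list %}`; the existing `.iteritems()` loop further down the file has the same exposure but is not part of this change. The package names `python-ldap` and `python-ldappool` are hard-coded in the state while every other package list comes from `server.pkgs` in map.jinja, so a non-Debian minion gets Debian names; a per-OS list in map.jinja (a key of your choosing, e.g. `ldap_pkgs`) keeps the split in one place. Minor: `{% endif %}` lacks the `-` whitespace control the surrounding tags use, which leaves an extra blank line in the rendered output.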
@@ -82,12 +90,32 @@
 /etc/keystone/keystone-paste.ini:
   file.managed:
   - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
+  - user: keystone
+  - group: keystone
   - template: jinja
   - require:
     - pkg: keystone_packages
   - watch_in:
     - service: {{ keystone_service }}
 
+/etc/keystone/policy.json:
+  file.managed:
+  - user: keystone
+  - group: keystone
+  - require:
+    - pkg: keystone_packages
+  - watch_in:
+    - service: {{ keystone_service }}
+
+/etc/keystone/logging.conf:
+  file.managed:
+  - user: keystone
+  - group: keystone
+  - require:
+    - pkg: keystone_packages
+  - watch_in:
+    - service: {{ keystone_service }}
+
 {%- for name, rule in server.get('policy', {}).iteritems() %}
 
 {%- if rule != None %}
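Review bot: The new `/etc/keystone/policy.json` and `/etc/keystone/logging.conf` states use `file.managed` with neither `source` nor `contents`, so on a minion where the package did not ship the file Salt creates an empty one owned by keystone — an empty policy.json would presumably then be what the policy engine loads on the next request. If the intent is only to fix ownership of files the package installed, add `- create: False` and `- replace: False` to both states so they never materialise or truncate content; the ownership lines added to the keystone-paste.ini state are already safe because that state has a `source`. None of the three states pins `mode`, so whatever mode the package or a previous run left stays in place; an explicit `- mode:` entry would make the intended permissions deliberate rather than inherited. The `server.get('policy', {})` loop this hunk ends in continues outside the hunk.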