freshen the LDAP support

* Build the base DN from a given domain name
* Remove all hard-coded names to allow configuration of base DN
* Fix manager DN (cn=Manager,dc=...)
* Add ldap init_ldap()
* Add support for clean.sh

Change-Id: Ieb69be9740653645b8e000574ad3fe59a0f97540
This commit is contained in:
Dean Troyer 2013-10-01 14:45:04 -05:00
parent 298f7d4843
commit b9e25135c5
7 changed files with 141 additions and 56 deletions

View File

@ -15,6 +15,8 @@ TOP_DIR=$(cd $(dirname "$0") && pwd)
# Import common functions # Import common functions
source $TOP_DIR/functions source $TOP_DIR/functions
FILES=$TOP_DIR/files
# Load local configuration # Load local configuration
source $TOP_DIR/stackrc source $TOP_DIR/stackrc
@ -84,6 +86,10 @@ cleanup_nova
cleanup_neutron cleanup_neutron
cleanup_swift cleanup_swift
if is_service_enabled ldap; then
cleanup_ldap
fi
# Do the hypervisor cleanup until this can be moved back into lib/nova # Do the hypervisor cleanup until this can be moved back into lib/nova
if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then
cleanup_nova_hypervisor cleanup_nova_hypervisor

View File

@ -1,3 +1,3 @@
ldap-utils ldap-utils
slapd # NOPRIME slapd
python-ldap python-ldap

View File

@ -1,26 +1,26 @@
dn: dc=openstack,dc=org dn: ${BASE_DN}
dc: openstack
objectClass: dcObject objectClass: dcObject
objectClass: organizationalUnit objectClass: organizationalUnit
ou: openstack dc: ${BASE_DC}
ou: ${BASE_DC}
dn: ou=UserGroups,dc=openstack,dc=org dn: ou=UserGroups,${BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: UserGroups ou: UserGroups
dn: ou=Users,dc=openstack,dc=org dn: ou=Users,${BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Users ou: Users
dn: ou=Roles,dc=openstack,dc=org dn: ou=Roles,${BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Roles ou: Roles
dn: ou=Projects,dc=openstack,dc=org dn: ou=Projects,${BASE_DN}
objectClass: organizationalUnit objectClass: organizationalUnit
ou: Projects ou: Projects
dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,dc=openstack,dc=org dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,${BASE_DN}
objectClass: organizationalRole objectClass: organizationalRole
ou: _member_ ou: _member_
cn: 9fe2ff9ee4384b1894a90878d3e92bab cn: 9fe2ff9ee4384b1894a90878d3e92bab

View File

@ -1,10 +1,15 @@
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
changetype: modify changetype: modify
replace: olcSuffix replace: olcSuffix
olcSuffix: dc=openstack,dc=org olcSuffix: ${BASE_DN}
- -
replace: olcRootDN replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org olcRootDN: ${MANAGER_DN}
- -
${LDAP_ROOTPW_COMMAND}: olcRootPW ${LDAP_ROOTPW_COMMAND}: olcRootPW
olcRootPW: ${SLAPPASS} olcRootPW: ${SLAPPASS}
-
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: default pres,eq
olcDbIndex: cn,sn,givenName,co

View File

@ -12,8 +12,10 @@ objectClass: olcSchemaConfig
cn: schema cn: schema
include: file:///etc/openldap/schema/core.ldif include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
dn: olcDatabase={1}hdb,cn=config dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig objectClass: olcHdbConfig
olcDbDirectory: /var/lib/ldap olcDbDirectory: /var/lib/ldap
olcSuffix: dc=openstack,dc=org olcSuffix: ${BASE_DN}

View File

@ -143,17 +143,17 @@ function configure_keystone() {
if is_service_enabled ldap; then if is_service_enabled ldap; then
#Set all needed ldap values #Set all needed ldap values
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org" iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org" iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
iniset $KEYSTONE_CONF ldap use_dumb_member "True" iniset $KEYSTONE_CONF ldap use_dumb_member "True"
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id" iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled" iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory" iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description" iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,dc=openstack,dc=org" iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory" iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,dc=openstack,dc=org" iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab" iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
fi fi
@ -320,6 +320,10 @@ create_keystone_accounts() {
# init_keystone() - Initialize databases, etc. # init_keystone() - Initialize databases, etc.
function init_keystone() { function init_keystone() {
if is_service_enabled ldap; then
init_ldap
fi
# (Re)create keystone database # (Re)create keystone database
recreate_database keystone utf8 recreate_database keystone utf8

146
lib/ldap
View File

@ -9,68 +9,137 @@
XTRACE=$(set +o | grep xtrace) XTRACE=$(set +o | grep xtrace)
set +o xtrace set +o xtrace
LDAP_DOMAIN=${LDAP_DOMAIN:-openstack.org}
# Make an array of domain components
DC=(${LDAP_DOMAIN/./ })
# Leftmost domain component used in top-level entry
LDAP_BASE_DC=${DC[0]}
# Build the base DN
dn=""
for dc in ${DC[*]}; do
dn="$dn,dc=$dc"
done
LDAP_BASE_DN=${dn#,}
LDAP_MANAGER_DN="${LDAP_MANAGER_DN:-cn=Manager,${LDAP_BASE_DN}}"
LDAP_URL=${LDAP_URL:-ldap://localhost}
LDAP_SERVICE_NAME=slapd LDAP_SERVICE_NAME=slapd
if is_ubuntu; then
LDAP_OLCDB_NUMBER=1
LDAP_ROOTPW_COMMAND=replace
elif is_fedora; then
LDAP_OLCDB_NUMBER=2
LDAP_ROOTPW_COMMAND=add
elif is_suse; then
# SUSE has slappasswd in /usr/sbin/
PATH=$PATH:/usr/sbin/
LDAP_OLCDB_NUMBER=1
LDAP_ROOTPW_COMMAND=add
LDAP_SERVICE_NAME=ldap
fi
# Functions # Functions
# --------- # ---------
# Perform common variable substitutions on the data files
# _ldap_varsubst file
function _ldap_varsubst() {
local infile=$1
sed -e "
s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
s|\${SLAPPASS}|$SLAPPASS|
s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
s|\${BASE_DC}|$LDAP_BASE_DC|
s|\${BASE_DN}|$LDAP_BASE_DN|
s|\${MANAGER_DN}|$LDAP_MANAGER_DN|
" $infile
}
# clean_ldap() - Remove ldap server
function cleanup_ldap() {
uninstall_package $(get_packages ldap)
if is_ubuntu; then
uninstall_package slapd ldap-utils libslp1
sudo rm -rf /etc/ldap/ldap.conf /var/lib/ldap
elif is_fedora; then
sudo rm -rf /etc/openldap /var/lib/ldap
elif is_suse; then
sudo rm -rf /var/lib/ldap
fi
}
# init_ldap
# init_ldap() - Initialize databases, etc.
function init_ldap() {
local keystone_ldif
TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
# Remove data but not schemas
clear_ldap_state
# Add our top level ldap nodes
if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then
printf "LDAP already configured for $LDAP_BASE_DC\n"
else
printf "Configuring LDAP for $LDAP_BASE_DC\n"
# If BASE_DN is changed, the user may override the default file
if [[ -r $FILES/ldap/${LDAP_BASE_DC}.ldif.in ]]; then
keystone_ldif=${LDAP_BASE_DC}.ldif
else
keystone_ldif=keystone.ldif
fi
_ldap_varsubst $FILES/ldap/${keystone_ldif}.in >$TMP_LDAP_DIR/${keystone_ldif}
if [[ -r $TMP_LDAP_DIR/${keystone_ldif} ]]; then
ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $TMP_LDAP_DIR/${keystone_ldif}
fi
fi
rm -rf TMP_LDAP_DIR
}
# install_ldap # install_ldap
# install_ldap() - Collect source and prepare # install_ldap() - Collect source and prepare
function install_ldap() { function install_ldap() {
echo "Installing LDAP inside function" echo "Installing LDAP inside function"
echo "LDAP_PASSWORD is $LDAP_PASSWORD"
echo "os_VENDOR is $os_VENDOR" echo "os_VENDOR is $os_VENDOR"
printf "installing"
TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
printf "installing OpenLDAP"
if is_ubuntu; then if is_ubuntu; then
LDAP_OLCDB_NUMBER=1 # Ubuntu automatically starts LDAP so no need to call start_ldap()
LDAP_ROOTPW_COMMAND=replace :
sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils
#automatically starts LDAP on ubuntu so no need to call start_ldap
elif is_fedora; then elif is_fedora; then
LDAP_OLCDB_NUMBER=2
LDAP_ROOTPW_COMMAND=add
start_ldap start_ldap
elif is_suse; then elif is_suse; then
LDAP_OLCDB_NUMBER=1 _ldap_varsubst $FILES/ldap/suse-base-config.ldif.in >$TMP_LDAP_DIR/suse-base-config.ldif
LDAP_ROOTPW_COMMAND=add sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $TMP_LDAP_DIR/suse-base-config.ldif
LDAP_SERVICE_NAME=ldap
# SUSE has slappasswd in /usr/sbin/
PATH=$PATH:/usr/sbin/
sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $FILES/ldap/base-config.ldif
sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap
start_ldap start_ldap
fi fi
printf "generate password file" echo "LDAP_PASSWORD is $LDAP_PASSWORD"
SLAPPASS=`slappasswd -s $LDAP_PASSWORD` SLAPPASS=$(slappasswd -s $LDAP_PASSWORD)
printf "LDAP secret is $SLAPPASS\n"
printf "secret is $SLAPPASS\n" # Create manager.ldif and add to olcdb
#create manager.ldif _ldap_varsubst $FILES/ldap/manager.ldif.in >$TMP_LDAP_DIR/manager.ldif
TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif` sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_LDAP_DIR/manager.ldif
sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
#update ldap olcdb
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE
# On fedora we need to manually add cosine and inetorgperson schemas # On fedora we need to manually add cosine and inetorgperson schemas
if is_fedora || is_suse; then if is_fedora; then
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
fi fi
# add our top level ldap nodes rm -rf TMP_LDAP_DIR
if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success"; then
printf "LDAP already configured for OpenStack\n"
if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then
# clear LDAP state
clear_ldap_state
# reconfigure LDAP for OpenStack
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
fi
else
printf "Configuring LDAP for OpenStack\n"
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
fi
} }
# start_ldap() - Start LDAP # start_ldap() - Start LDAP
@ -78,7 +147,6 @@ function start_ldap() {
sudo service $LDAP_SERVICE_NAME restart sudo service $LDAP_SERVICE_NAME restart
} }
# stop_ldap() - Stop LDAP # stop_ldap() - Stop LDAP
function stop_ldap() { function stop_ldap() {
sudo service $LDAP_SERVICE_NAME stop sudo service $LDAP_SERVICE_NAME stop
@ -86,7 +154,7 @@ function stop_ldap() {
# clear_ldap_state() - Clear LDAP State # clear_ldap_state() - Clear LDAP State
function clear_ldap_state() { function clear_ldap_state() {
ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org" ldapdelete -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -r "$LDAP_BASE_DN"
} }
# Restore xtrace # Restore xtrace