freshen the LDAP support
* Build the base DN from a given domain name * Remove all hard-coded names to allow configuration of base DN * Fix manager DN (cn=Manager,dc=...) * Add ldap init_ldap() * Add support for clean.sh Change-Id: Ieb69be9740653645b8e000574ad3fe59a0f97540
This commit is contained in:
parent
298f7d4843
commit
b9e25135c5
6
clean.sh
6
clean.sh
@ -15,6 +15,8 @@ TOP_DIR=$(cd $(dirname "$0") && pwd)
|
|||||||
# Import common functions
|
# Import common functions
|
||||||
source $TOP_DIR/functions
|
source $TOP_DIR/functions
|
||||||
|
|
||||||
|
FILES=$TOP_DIR/files
|
||||||
|
|
||||||
# Load local configuration
|
# Load local configuration
|
||||||
source $TOP_DIR/stackrc
|
source $TOP_DIR/stackrc
|
||||||
|
|
||||||
@ -84,6 +86,10 @@ cleanup_nova
|
|||||||
cleanup_neutron
|
cleanup_neutron
|
||||||
cleanup_swift
|
cleanup_swift
|
||||||
|
|
||||||
|
if is_service_enabled ldap; then
|
||||||
|
cleanup_ldap
|
||||||
|
fi
|
||||||
|
|
||||||
# Do the hypervisor cleanup until this can be moved back into lib/nova
|
# Do the hypervisor cleanup until this can be moved back into lib/nova
|
||||||
if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then
|
if [[ -r $NOVA_PLUGINS/hypervisor-$VIRT_DRIVER ]]; then
|
||||||
cleanup_nova_hypervisor
|
cleanup_nova_hypervisor
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
ldap-utils
|
ldap-utils
|
||||||
slapd # NOPRIME
|
slapd
|
||||||
python-ldap
|
python-ldap
|
||||||
|
@ -1,26 +1,26 @@
|
|||||||
dn: dc=openstack,dc=org
|
dn: ${BASE_DN}
|
||||||
dc: openstack
|
|
||||||
objectClass: dcObject
|
objectClass: dcObject
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: openstack
|
dc: ${BASE_DC}
|
||||||
|
ou: ${BASE_DC}
|
||||||
|
|
||||||
dn: ou=UserGroups,dc=openstack,dc=org
|
dn: ou=UserGroups,${BASE_DN}
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: UserGroups
|
ou: UserGroups
|
||||||
|
|
||||||
dn: ou=Users,dc=openstack,dc=org
|
dn: ou=Users,${BASE_DN}
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: Users
|
ou: Users
|
||||||
|
|
||||||
dn: ou=Roles,dc=openstack,dc=org
|
dn: ou=Roles,${BASE_DN}
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: Roles
|
ou: Roles
|
||||||
|
|
||||||
dn: ou=Projects,dc=openstack,dc=org
|
dn: ou=Projects,${BASE_DN}
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: Projects
|
ou: Projects
|
||||||
|
|
||||||
dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,dc=openstack,dc=org
|
dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,${BASE_DN}
|
||||||
objectClass: organizationalRole
|
objectClass: organizationalRole
|
||||||
ou: _member_
|
ou: _member_
|
||||||
cn: 9fe2ff9ee4384b1894a90878d3e92bab
|
cn: 9fe2ff9ee4384b1894a90878d3e92bab
|
@ -1,10 +1,15 @@
|
|||||||
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
|
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
|
||||||
changetype: modify
|
changetype: modify
|
||||||
replace: olcSuffix
|
replace: olcSuffix
|
||||||
olcSuffix: dc=openstack,dc=org
|
olcSuffix: ${BASE_DN}
|
||||||
-
|
-
|
||||||
replace: olcRootDN
|
replace: olcRootDN
|
||||||
olcRootDN: dc=Manager,dc=openstack,dc=org
|
olcRootDN: ${MANAGER_DN}
|
||||||
-
|
-
|
||||||
${LDAP_ROOTPW_COMMAND}: olcRootPW
|
${LDAP_ROOTPW_COMMAND}: olcRootPW
|
||||||
olcRootPW: ${SLAPPASS}
|
olcRootPW: ${SLAPPASS}
|
||||||
|
-
|
||||||
|
replace: olcDbIndex
|
||||||
|
olcDbIndex: objectClass eq
|
||||||
|
olcDbIndex: default pres,eq
|
||||||
|
olcDbIndex: cn,sn,givenName,co
|
||||||
|
@ -12,8 +12,10 @@ objectClass: olcSchemaConfig
|
|||||||
cn: schema
|
cn: schema
|
||||||
|
|
||||||
include: file:///etc/openldap/schema/core.ldif
|
include: file:///etc/openldap/schema/core.ldif
|
||||||
|
include: file:///etc/openldap/schema/cosine.ldif
|
||||||
|
include: file:///etc/openldap/schema/inetorgperson.ldif
|
||||||
|
|
||||||
dn: olcDatabase={1}hdb,cn=config
|
dn: olcDatabase={1}hdb,cn=config
|
||||||
objectClass: olcHdbConfig
|
objectClass: olcHdbConfig
|
||||||
olcDbDirectory: /var/lib/ldap
|
olcDbDirectory: /var/lib/ldap
|
||||||
olcSuffix: dc=openstack,dc=org
|
olcSuffix: ${BASE_DN}
|
14
lib/keystone
14
lib/keystone
@ -143,17 +143,17 @@ function configure_keystone() {
|
|||||||
|
|
||||||
if is_service_enabled ldap; then
|
if is_service_enabled ldap; then
|
||||||
#Set all needed ldap values
|
#Set all needed ldap values
|
||||||
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
|
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
|
||||||
iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org"
|
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
|
||||||
iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org"
|
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
|
||||||
iniset $KEYSTONE_CONF ldap use_dumb_member "True"
|
iniset $KEYSTONE_CONF ldap use_dumb_member "True"
|
||||||
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
|
iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
|
||||||
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
|
iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
|
||||||
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
|
iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
|
||||||
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
|
iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
|
||||||
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,dc=openstack,dc=org"
|
iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"
|
||||||
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
|
iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
|
||||||
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,dc=openstack,dc=org"
|
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
|
||||||
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
|
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
|
||||||
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
|
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
|
||||||
fi
|
fi
|
||||||
@ -320,6 +320,10 @@ create_keystone_accounts() {
|
|||||||
|
|
||||||
# init_keystone() - Initialize databases, etc.
|
# init_keystone() - Initialize databases, etc.
|
||||||
function init_keystone() {
|
function init_keystone() {
|
||||||
|
if is_service_enabled ldap; then
|
||||||
|
init_ldap
|
||||||
|
fi
|
||||||
|
|
||||||
# (Re)create keystone database
|
# (Re)create keystone database
|
||||||
recreate_database keystone utf8
|
recreate_database keystone utf8
|
||||||
|
|
||||||
|
146
lib/ldap
146
lib/ldap
@ -9,68 +9,137 @@
|
|||||||
XTRACE=$(set +o | grep xtrace)
|
XTRACE=$(set +o | grep xtrace)
|
||||||
set +o xtrace
|
set +o xtrace
|
||||||
|
|
||||||
|
|
||||||
|
LDAP_DOMAIN=${LDAP_DOMAIN:-openstack.org}
|
||||||
|
# Make an array of domain components
|
||||||
|
DC=(${LDAP_DOMAIN/./ })
|
||||||
|
|
||||||
|
# Leftmost domain component used in top-level entry
|
||||||
|
LDAP_BASE_DC=${DC[0]}
|
||||||
|
|
||||||
|
# Build the base DN
|
||||||
|
dn=""
|
||||||
|
for dc in ${DC[*]}; do
|
||||||
|
dn="$dn,dc=$dc"
|
||||||
|
done
|
||||||
|
LDAP_BASE_DN=${dn#,}
|
||||||
|
|
||||||
|
LDAP_MANAGER_DN="${LDAP_MANAGER_DN:-cn=Manager,${LDAP_BASE_DN}}"
|
||||||
|
LDAP_URL=${LDAP_URL:-ldap://localhost}
|
||||||
|
|
||||||
LDAP_SERVICE_NAME=slapd
|
LDAP_SERVICE_NAME=slapd
|
||||||
|
|
||||||
|
if is_ubuntu; then
|
||||||
|
LDAP_OLCDB_NUMBER=1
|
||||||
|
LDAP_ROOTPW_COMMAND=replace
|
||||||
|
elif is_fedora; then
|
||||||
|
LDAP_OLCDB_NUMBER=2
|
||||||
|
LDAP_ROOTPW_COMMAND=add
|
||||||
|
elif is_suse; then
|
||||||
|
# SUSE has slappasswd in /usr/sbin/
|
||||||
|
PATH=$PATH:/usr/sbin/
|
||||||
|
LDAP_OLCDB_NUMBER=1
|
||||||
|
LDAP_ROOTPW_COMMAND=add
|
||||||
|
LDAP_SERVICE_NAME=ldap
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Functions
|
# Functions
|
||||||
# ---------
|
# ---------
|
||||||
|
|
||||||
|
# Perform common variable substitutions on the data files
|
||||||
|
# _ldap_varsubst file
|
||||||
|
function _ldap_varsubst() {
|
||||||
|
local infile=$1
|
||||||
|
sed -e "
|
||||||
|
s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
|
||||||
|
s|\${SLAPPASS}|$SLAPPASS|
|
||||||
|
s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
|
||||||
|
s|\${BASE_DC}|$LDAP_BASE_DC|
|
||||||
|
s|\${BASE_DN}|$LDAP_BASE_DN|
|
||||||
|
s|\${MANAGER_DN}|$LDAP_MANAGER_DN|
|
||||||
|
" $infile
|
||||||
|
}
|
||||||
|
|
||||||
|
# clean_ldap() - Remove ldap server
|
||||||
|
function cleanup_ldap() {
|
||||||
|
uninstall_package $(get_packages ldap)
|
||||||
|
if is_ubuntu; then
|
||||||
|
uninstall_package slapd ldap-utils libslp1
|
||||||
|
sudo rm -rf /etc/ldap/ldap.conf /var/lib/ldap
|
||||||
|
elif is_fedora; then
|
||||||
|
sudo rm -rf /etc/openldap /var/lib/ldap
|
||||||
|
elif is_suse; then
|
||||||
|
sudo rm -rf /var/lib/ldap
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# init_ldap
|
||||||
|
# init_ldap() - Initialize databases, etc.
|
||||||
|
function init_ldap() {
|
||||||
|
local keystone_ldif
|
||||||
|
|
||||||
|
TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
|
||||||
|
|
||||||
|
# Remove data but not schemas
|
||||||
|
clear_ldap_state
|
||||||
|
|
||||||
|
# Add our top level ldap nodes
|
||||||
|
if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then
|
||||||
|
printf "LDAP already configured for $LDAP_BASE_DC\n"
|
||||||
|
else
|
||||||
|
printf "Configuring LDAP for $LDAP_BASE_DC\n"
|
||||||
|
# If BASE_DN is changed, the user may override the default file
|
||||||
|
if [[ -r $FILES/ldap/${LDAP_BASE_DC}.ldif.in ]]; then
|
||||||
|
keystone_ldif=${LDAP_BASE_DC}.ldif
|
||||||
|
else
|
||||||
|
keystone_ldif=keystone.ldif
|
||||||
|
fi
|
||||||
|
_ldap_varsubst $FILES/ldap/${keystone_ldif}.in >$TMP_LDAP_DIR/${keystone_ldif}
|
||||||
|
if [[ -r $TMP_LDAP_DIR/${keystone_ldif} ]]; then
|
||||||
|
ldapadd -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -c -f $TMP_LDAP_DIR/${keystone_ldif}
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -rf TMP_LDAP_DIR
|
||||||
|
}
|
||||||
|
|
||||||
# install_ldap
|
# install_ldap
|
||||||
# install_ldap() - Collect source and prepare
|
# install_ldap() - Collect source and prepare
|
||||||
function install_ldap() {
|
function install_ldap() {
|
||||||
echo "Installing LDAP inside function"
|
echo "Installing LDAP inside function"
|
||||||
echo "LDAP_PASSWORD is $LDAP_PASSWORD"
|
|
||||||
echo "os_VENDOR is $os_VENDOR"
|
echo "os_VENDOR is $os_VENDOR"
|
||||||
printf "installing"
|
|
||||||
|
TMP_LDAP_DIR=$(mktemp -d -t ldap.$$.XXXXXXXXXX)
|
||||||
|
|
||||||
|
printf "installing OpenLDAP"
|
||||||
if is_ubuntu; then
|
if is_ubuntu; then
|
||||||
LDAP_OLCDB_NUMBER=1
|
# Ubuntu automatically starts LDAP so no need to call start_ldap()
|
||||||
LDAP_ROOTPW_COMMAND=replace
|
:
|
||||||
sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils
|
|
||||||
#automatically starts LDAP on ubuntu so no need to call start_ldap
|
|
||||||
elif is_fedora; then
|
elif is_fedora; then
|
||||||
LDAP_OLCDB_NUMBER=2
|
|
||||||
LDAP_ROOTPW_COMMAND=add
|
|
||||||
start_ldap
|
start_ldap
|
||||||
elif is_suse; then
|
elif is_suse; then
|
||||||
LDAP_OLCDB_NUMBER=1
|
_ldap_varsubst $FILES/ldap/suse-base-config.ldif.in >$TMP_LDAP_DIR/suse-base-config.ldif
|
||||||
LDAP_ROOTPW_COMMAND=add
|
sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $TMP_LDAP_DIR/suse-base-config.ldif
|
||||||
LDAP_SERVICE_NAME=ldap
|
|
||||||
# SUSE has slappasswd in /usr/sbin/
|
|
||||||
PATH=$PATH:/usr/sbin/
|
|
||||||
sudo slapadd -F /etc/openldap/slapd.d/ -bcn=config -l $FILES/ldap/base-config.ldif
|
|
||||||
sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap
|
sudo sed -i '/^OPENLDAP_START_LDAPI=/s/"no"/"yes"/g' /etc/sysconfig/openldap
|
||||||
start_ldap
|
start_ldap
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "generate password file"
|
echo "LDAP_PASSWORD is $LDAP_PASSWORD"
|
||||||
SLAPPASS=`slappasswd -s $LDAP_PASSWORD`
|
SLAPPASS=$(slappasswd -s $LDAP_PASSWORD)
|
||||||
|
printf "LDAP secret is $SLAPPASS\n"
|
||||||
|
|
||||||
printf "secret is $SLAPPASS\n"
|
# Create manager.ldif and add to olcdb
|
||||||
#create manager.ldif
|
_ldap_varsubst $FILES/ldap/manager.ldif.in >$TMP_LDAP_DIR/manager.ldif
|
||||||
TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`
|
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_LDAP_DIR/manager.ldif
|
||||||
sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
|
|
||||||
|
|
||||||
#update ldap olcdb
|
|
||||||
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE
|
|
||||||
|
|
||||||
# On fedora we need to manually add cosine and inetorgperson schemas
|
# On fedora we need to manually add cosine and inetorgperson schemas
|
||||||
if is_fedora || is_suse; then
|
if is_fedora; then
|
||||||
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
|
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
|
||||||
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
|
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# add our top level ldap nodes
|
rm -rf TMP_LDAP_DIR
|
||||||
if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success"; then
|
|
||||||
printf "LDAP already configured for OpenStack\n"
|
|
||||||
if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then
|
|
||||||
# clear LDAP state
|
|
||||||
clear_ldap_state
|
|
||||||
# reconfigure LDAP for OpenStack
|
|
||||||
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
printf "Configuring LDAP for OpenStack\n"
|
|
||||||
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# start_ldap() - Start LDAP
|
# start_ldap() - Start LDAP
|
||||||
@ -78,7 +147,6 @@ function start_ldap() {
|
|||||||
sudo service $LDAP_SERVICE_NAME restart
|
sudo service $LDAP_SERVICE_NAME restart
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# stop_ldap() - Stop LDAP
|
# stop_ldap() - Stop LDAP
|
||||||
function stop_ldap() {
|
function stop_ldap() {
|
||||||
sudo service $LDAP_SERVICE_NAME stop
|
sudo service $LDAP_SERVICE_NAME stop
|
||||||
@ -86,7 +154,7 @@ function stop_ldap() {
|
|||||||
|
|
||||||
# clear_ldap_state() - Clear LDAP State
|
# clear_ldap_state() - Clear LDAP State
|
||||||
function clear_ldap_state() {
|
function clear_ldap_state() {
|
||||||
ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org"
|
ldapdelete -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -r "$LDAP_BASE_DN"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Restore xtrace
|
# Restore xtrace
|
||||||
|
Loading…
Reference in New Issue
Block a user