Add optional silent install and config of ldap to devstack

Edited initial ldap entries and olcdb template file as recommended by Brant.

Change-Id: I1404cc5c754f878e32a2d10254840d092211e6e6
This commit is contained in:
Brad Topol 2013-01-22 10:17:50 -06:00
parent f3da41a5ee
commit f127e2f316
7 changed files with 141 additions and 0 deletions

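--- a/files/apts/ldap
+++ b/files/apts/ldap
@@ -0,0 +1,3 @@
+ldap-utils
+slapd # NOPRIME
+python-ldap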


@ -0,0 +1,10 @@
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
${LDAP_ROOTPW_COMMAND}: olcRootPW
olcRootPW: ${SLAPPASS}

files/ldap/openstack.ldif Normal file

@ -0,0 +1,21 @@
dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack
dn: ou=Groups,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Groups
dn: ou=Users,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Users
dn: ou=Roles,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Roles
dn: ou=Projects,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Projects

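--- a/files/rpms/ldap
+++ b/files/rpms/ldap
@@ -0,0 +1,3 @@
+openldap-servers
+openldap-clients
+python-ldap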


@ -94,6 +94,17 @@ function configure_keystone() {
local dburl
database_connection_url dburl keystone
if is_service_enabled ldap; then
#Set all needed ldap values
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user "dc=Manager,dc=openstack,dc=org"
iniset $KEYSTONE_CONF ldap suffix "dc=openstack,dc=org"
fi
if [[ "$KEYSTONE_IDENTITY_BACKEND" == "ldap" ]]; then
iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.ldap.Identity"
fi
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
@ -283,6 +294,10 @@ function install_keystoneclient() {
# install_keystone() - Collect source and prepare
function install_keystone() {
# only install ldap if the service has been enabled
if is_service_enabled ldap; then
install_ldap
fi
git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH
}
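Review bot: In the first hunk, `KEYSTONE_IDENTITY_BACKEND == ldap` switches the identity driver on by itself, while the `[ldap]` user, password and suffix are only written when the `ldap` service is enabled, so a localrc that sets the backend without `ldap` in ENABLED_SERVICES yields a keystone.conf that points at the LDAP driver with no bind credentials unless an external directory is configured somewhere not shown here; the second `if` should at least warn, e.g. `is_service_enabled ldap || echo "WARNING: KEYSTONE_IDENTITY_BACKEND=ldap but the ldap service is not enabled"`. `$LDAP_PASSWORD` on the `iniset $KEYSTONE_CONF ldap password` line is unquoted, so a password containing whitespace or glob characters is word-split before it reaches iniset; write `"$LDAP_PASSWORD"`. Note also that Keystone is handed the directory's rootdn (`dc=Manager,dc=openstack,dc=org`) as its bind identity, which is acceptable for a dev environment but deserves a one-line comment so the pattern is not copied into a real deployment. configure_keystone continues outside the hunk.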

lib/ldap Normal file

@ -0,0 +1,74 @@
# lib/ldap
# Functions to control the installation and configuration of **ldap**
# ``stack.sh`` calls the entry points in this order:
#
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set +o xtrace
# install_ldap
# install_ldap() - Collect source and prepare
function install_ldap() {
echo "Installing LDAP inside function"
echo "LDAP_PASSWORD is $LDAP_PASSWORD"
echo "os_VENDOR is $os_VENDOR"
printf "installing"
if is_ubuntu; then
echo "os vendor is Ubuntu"
LDAP_OLCDB_NUMBER=1
LDAP_ROOTPW_COMMAND=replace
sudo DEBIAN_FRONTEND=noninteractive apt-get install slapd ldap-utils
#automatically starts LDAP on ubuntu so no need to call start_ldap
elif is_fedora; then
echo "os vendor is Fedora"
LDAP_OLCDB_NUMBER=2
LDAP_ROOTPW_COMMAND=add
start_ldap
fi
printf "generate password file"
SLAPPASS=`slappasswd -s $LDAP_PASSWORD`
printf "secret is $SLAPPASS\n"
#create manager.ldif
TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`
sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
#update ldap olcdb
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE
# add our top level ldap nodes
if ldapsearch -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -b dc=openstack,dc=org | grep -q "Success" ; then
printf "LDAP already configured for OpenStack\n"
if [[ "$KEYSTONE_CLEAR_LDAP" == "yes" ]]; then
# clear LDAP state
clear_ldap_state
# reconfigure LDAP for OpenStack
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
fi
else
printf "Configuring LDAP for OpenStack\n"
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
fi
}
# start_ldap() - Start LDAP
function start_ldap() {
sudo service slapd restart
}
# stop_ldap() - Stop LDAP
function stop_ldap() {
sudo service slapd stop
}
# clear_ldap_state() - Clear LDAP State
function clear_ldap_state() {
ldapdelete -x -w $LDAP_PASSWORD -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -x -r "dc=openstack,dc=org"
}
# Restore xtrace
$XTRACE
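Review bot: The LDAP admin password and its hash are printed to stdout by `echo "LDAP_PASSWORD is $LDAP_PASSWORD"` and `printf "secret is $SLAPPASS\n"` in install_ldap, so they land in the devstack console and any captured log even though the file turns xtrace off precisely to keep such values out of the trace; both lines should be removed. The same secret is also passed on the command line to `slappasswd -s`, `ldapsearch -w`, `ldapadd -w` and `ldapdelete -w`, where it is typically readable by any local user through the process list, and the generated manager LDIF containing the root password hash is left behind in /tmp; OpenLDAP's tools accept a password file (`slappasswd -T`, `ldap* -y`), so writing the password to a mktemp file, passing that, and removing both temp files at the end of the function closes both exposures, as sketched below (clear_ldap_state would need the same `-y` change). Independently, `$LDAP_PASSWORD` is unquoted on every one of those lines, so a password containing whitespace or glob characters is split into several arguments. Separately, `apt-get install slapd ldap-utils` carries no `-y`, and DEBIAN_FRONTEND=noninteractive only silences debconf, so the install can still stop at apt's confirmation prompt despite the commit's "silent install" goal.
```shell
function install_ldap() {
    # … unchanged: per-distro package install and OLCDB/ROOTPW selection (debug echoes of the password removed) …
    # Keep the admin password out of argv (ps) and out of the console/log:
    # hand it to the OpenLDAP tools through a private temp file instead.
    LDAP_PW_FILE=$(mktemp -t ldap_pw.$$.XXXXXXXXXX)
    TMP_MGR_DIFF_FILE=$(mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif)
    printf '%s' "$LDAP_PASSWORD" > "$LDAP_PW_FILE"
    SLAPPASS=$(slappasswd -T "$LDAP_PW_FILE")
    # … unchanged: sed substitution into $TMP_MGR_DIFF_FILE and ldapmodify …
    if ldapsearch -x -y "$LDAP_PW_FILE" -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -b dc=openstack,dc=org | grep -q "Success" ; then
    # … unchanged: clear/reconfigure branches, each `-w $LDAP_PASSWORD` replaced by `-y "$LDAP_PW_FILE"` …
    # Remove the password file and the LDIF holding the root password hash.
    rm -f "$LDAP_PW_FILE" "$TMP_MGR_DIFF_FILE"
}
```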


@ -306,6 +306,7 @@ source $TOP_DIR/lib/ceilometer
source $TOP_DIR/lib/heat
source $TOP_DIR/lib/quantum
source $TOP_DIR/lib/baremetal
source $TOP_DIR/lib/ldap
# Set the destination directories for OpenStack projects
HORIZON_DIR=$DEST/horizon
@ -475,6 +476,20 @@ read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN
read_password SERVICE_PASSWORD "ENTER A SERVICE_PASSWORD TO USE FOR THE SERVICE AUTHENTICATION."
# Horizon currently truncates usernames and passwords at 20 characters
read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)."
# Keystone can now optionally install OpenLDAP by adding ldap to the list
# of enabled services in the localrc file (e.g. ENABLED_SERVICES=key,ldap).
# If OpenLDAP has already been installed but you need to clear out
# the Keystone contents of LDAP set KEYSTONE_CLEAR_LDAP to yes
# (e.g. KEYSTONE_CLEAR_LDAP=yes ) in the localrc file. To enable the
# Keystone Identity Driver (keystone.identity.backends.ldap.Identity)
# set KEYSTONE_IDENTITY_BACKEND to ldap (e.g. KEYSTONE_IDENTITY_BACKEND=ldap)
# in the localrc file.
# only request ldap password if the service is enabled
if is_service_enabled ldap; then
read_password LDAP_PASSWORD "ENTER A PASSWORD TO USE FOR LDAP"
fi
# Set the tenant for service accounts in Keystone
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
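Review bot: The comment introducing KEYSTONE_CLEAR_LDAP understates what the flag does: per lib/ldap in this commit, when it is set the `dc=openstack,dc=org` subtree is removed with `ldapdelete -r` and only the empty skeleton from openstack.ldif is re-added, and because install_keystone calls install_ldap on every stack.sh run this repeats each time the flag remains in localrc. Suggest adding `# WARNING: this recursively deletes everything under dc=openstack,dc=org on every stack.sh run; remove it from localrc once the directory has been reset.` after the `KEYSTONE_CLEAR_LDAP=yes` sentence. The `read_password LDAP_PASSWORD` prompt could also say that this value becomes the directory's rootdn password and is written in clear text into keystone.conf by configure_keystone, so the reader knows it is the most sensitive credential of the set.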