Merge "Implement multi-domain LDAP configuration for Keystone"

doc/source/install-guide/configure-keystone.rst

@@ -17,38 +17,47 @@ options.
 
 .. _Securing services with SSL certificates: configure-sslcertificates.html
 
-Special considerations when using LDAP or AD backends
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Implementing LDAP (or AD) Back-Ends
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Configuring LDAP or Active Directory (AD) backends for keystone can make
-deployment easier, but there are special considerations for these types of
-deployments.
+In many environments there may already be a LDAP (or Active Directory) service
+available which already has Users, Groups and User-Group assignment data.
+Keystone can be configured to make use of the LDAP service using
+Domain-specific Back-End configuration.
 
-Creating users
-""""""""""""""
+While it is possible to set the Keystone Identity Back-End to use LDAP for
+the Default domain, this is not recommended. It is a better practice to use
+the Default domain for service accounts and to configure additional Domains
+for LDAP services which provide general User/Group data.
 
-During an OpenStack-Ansible deployment, the individual roles that deploy
-various OpenStack services will attempt to create users in keystone. For
-deployments where keystone uses LDAP as an authentication backend, these users
-must be created **prior** to the running the OpenStack-Ansible playbooks. The
-tasks for adding keystone users within individual role playbooks will be
-skipped.
+Example implementation in user_variables.yml:
 
-Stacked authentication
-""""""""""""""""""""""
+keystone_ldap:
+  Users:
+    url: "ldap://10.10.10.10"
+    user: "root"
+    password: "secrete"
+    ...
+  Admins:
+    url: "ldap://20.20.20.20"
+    user: "root"
+    password: "secrete"
+    ...
 
-Some deployers may prefer to use "stacked" authentication where some users
-exist in a SQL backend while other users exist in an LDAP or Active Directory
-(AD) backend. This can be useful for deploys who want to reduce the number of
-service accounts that must exist in LDAP or AD.
+This will place two configuration files into /etc/keystone/domains/, both of
+which will be configured to use the LDAP driver.
 
-For more details on stacked authentication, see `Matt Fischer's blog post`_ or
-review IBM's documentation titled `Configure OpenStack Keystone support for
-domain-specific corporate directories`_.
+ - keystone.Users.conf
+ - keystone.Admins.conf
 
-.. _Matt Fischer's blog post: http://www.mattfischer.com/blog/?p=576
-.. _Configure OpenStack Keystone support for domain-specific corporate directories: http://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html
+Each first level key entry is a domain name. Each entry below that are
+key-value pairs for the 'ldap' section in the configuration file.
 
---------------
+More details regarding valid configuration for the LDAP Identity Back-End can
+be found in the `Keystone Developer Documentation`_ and the
+`OpenStack Admin Guide`_.
+
+.. _Keystone Developer Documentation: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
+.. _OpenStack Admin Guide: http://docs.openstack.org/admin-guide-cloud/keystone_integrate_identity_backend_ldap.html
 
 .. include:: navigation.txt

playbooks/inventory/group_vars/hosts.yml

@@ -87,7 +87,7 @@ dhcp_domain: openstacklocal
 #openstack_service_internaluri_proto: http
 
 ## LDAP enabled toggle
-service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
+service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}"
 
 
 ## Aodh

playbooks/roles/os_keystone/defaults/main.yml

@@ -165,22 +165,26 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
 
-## LDAP section
-# Define keystone ldap information here.
+## LDAP Section
+# Define Keystone LDAP domain configuration here.
+# This may be used to add configuration for a LDAP identity back-end.
 # See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
-# for more information on available options. The sections here are defined as key: value pairs. Each
-# top level key bellow ``keystone_ldap`` is a section.
+#
+# Each top-level entry is a domain name. Each entry below that are key: value pairs for
+# the ldap section in the domain-specific configuraiton file.
+#
 # (EXAMPLE LAYOUT)
 # keystone_ldap:
-#   ldap:
+#   Users:
 #     url: "ldap://127.0.0.1"
 #     user: "root"
 #     password: "secrete"
 #     ...
 
-keystone_ldap_identity_driver: ldap
+keystone_ldap: {}
 keystone_ldap_domain_config_dir: /etc/keystone/domains
 
+
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
 # Otherwise keys will be generated on the first run and not regenerated each run.
 keystone_recreate_keys: False

playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml

@@ -0,0 +1,41 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Create Keystone LDAP domains
+  keystone:
+    command: ensure_domain
+    domain_name: "{{ item.key }}"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  with_dict: keystone_ldap
+  run_once: true
+  tags:
+    - keystone-ldap-domain-create
+
+- name: Create Keystone LDAP domain configs
+  template:
+    src: keystone.domain.conf.j2
+    dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0644"
+  with_dict: keystone_ldap
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-ldap-domain-config
+

playbooks/roles/os_keystone/tasks/keystone_post_install.yml

@@ -27,10 +27,6 @@
       dest: "/etc/keystone/keystone.conf"
       config_overrides: "{{ keystone_keystone_conf_overrides }}"
       config_type: "ini"
-    - src: "keystone.Default.conf.j2"
-      dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
-      config_overrides: "{{ keystone_keystone_default_conf_overrides }}"
-      config_type: "ini"
     - src: "keystone-paste.ini.j2"
       dest: "/etc/keystone/keystone-paste.ini"
       config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"

playbooks/roles/os_keystone/tasks/main.yml

@@ -47,6 +47,11 @@
   when: >
     inventory_hostname == groups['keystone_all'][0]
 
+- include: keystone_ldap_setup.yml
+  tags:
+    - keystone-config
+    - keystone-ldap
+
 - include: keystone_federation_sp_idp_setup.yml
   when: >
     keystone_sp is defined and

playbooks/roles/os_keystone/templates/keystone.Default.conf.j2

@@ -1,12 +0,0 @@
-# LDAP configuration options
-{% if keystone_ldap is defined %}
-[identity]
-driver = {{ keystone_ldap_identity_driver }}
-
-{% for section in keystone_ldap|dictsort %}
-[{{ section.0 }}]
-{% for key, value in section.1.items() %}
-{{ key }} = {{ value }}
-{% endfor %}
-{% endfor %}
-{% endif %}

playbooks/roles/os_keystone/templates/keystone.conf.j2

@@ -64,8 +64,10 @@ max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
 
 
 [identity]
-driver = {{ keystone_identity_driver }}
-{% if keystone_ldap is defined and keystone_ldap.ldap %}
+{% if keystone_ldap.Default is not defined %}
+driver = sql
+{% endif %}
+{% if keystone_ldap | length > 0 %}
 domain_config_dir = {{ keystone_ldap_domain_config_dir }}
 domain_specific_drivers_enabled = True
 {% endif %}

playbooks/roles/os_keystone/templates/keystone.domain.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[identity]
+driver = ldap
+
+[ldap]
+{% for key, value in item.value | dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}

releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml

@@ -0,0 +1,14 @@
+---
+features:
+ - Keystone can now be configured for multiple LDAP or Active Directory
+   identity back-ends. Configuration of this feature is documented in the
+   `Keystone Configuration <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-keystone.html>`_
+   section of the `Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/>`_.
+upgrade:
+ - The first tier of the ``keystone_ldap`` dictionary variable now relates to
+   the Keystone Domain name. An existing ``keystone_ldap`` configuration entry
+   can be converted by renaming the ``ldap`` key to the domain name 'Default'.
+   **Note** that the domain name entry is case-sensitive.
+ - The ``keystone_ldap_identity_driver`` variable has been removed. The driver
+   for an LDAP back-end in Keystone now simply uses the value 'ldap'. There
+   are no other back-end options for Keystone at this time.