From f79738cf1fc89c5018795a5b67f78433ba243cd5 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Tue, 28 Apr 2015 12:53:45 -0500
Subject: [PATCH] Updated ldap config to support multi domain

Enables default domain support using ldap. This change moves the ldap config to the default domain and enables domain specific drivers.

Change-Id: I85f6610a25617fdea1fc216b53df0ab30260fed9
Cloes-Bug: 1447768
---
 playbooks/roles/os_keystone/defaults/main.yml | 3 +++
 .../os_keystone/tasks/keystone_post_install.yml | 1 +
 .../os_keystone/tasks/keystone_pre_install.yml | 1 +
 .../os_keystone/templates/keystone.Default.conf.j2 | 12 ++++++++++++
 .../roles/os_keystone/templates/keystone.conf.j2 | 14 ++++----------
 5 files changed, 21 insertions(+), 10 deletions(-)
 create mode 100644 playbooks/roles/os_keystone/templates/keystone.Default.conf.j2

diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index 2af0baafef..882383b581 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -134,6 +134,9 @@ keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 # password: "secrete"
 # ...
+keystone_ldap_identity_driver: keystone.identity.backends.ldap.Identity
+keystone_ldap_domain_config_dir: /etc/keystone/domains
+
 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
 # with the access controls in the default policy.json. E.g.
diff --git a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
index f25e0efdc5..09d07fa768 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
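Review bot: The two added variables sit between the commented keystone_ldap example and the `## Policy vars` heading with no comment of their own, although every other stanza in this defaults file is introduced by one. A short comment above them would tell a deployer what they control, for example `# When keystone_ldap is defined, the Default domain gets its own config file rendered into keystone_ldap_domain_config_dir, using keystone_ldap_identity_driver as its identity backend.` The directory value is referenced by both the pre-install and post-install tasks as a path, so it should stay an absolute path, which is worth stating in that comment.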
@@ -21,6 +21,7 @@
 group: "{{ keystone_system_group_name }}"
 with_items:
 - { src: "keystone.conf.j2", dest: "/etc/keystone/keystone.conf" }
+ - { src: "keystone.Default.conf.j2", dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf" }
 notify:
 - Restart Apache
 tags:
diff --git a/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml b/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml
index 9c27804acd..d03248e1b1 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_pre_install.yml
@@ -41,6 +41,7 @@
 group: "{{ item.group|default(keystone_system_group_name) }}"
 with_items:
 - { path: "/etc/keystone" }
+ - { path: "{{ keystone_ldap_domain_config_dir }}" }
 - { path: "/etc/keystone/ssl" }
 - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
 - { path: "{{ keystone_system_user_home }}" }
diff --git a/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
new file mode 100644
index 0000000000..96c62ee252
--- /dev/null
+++ b/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
@@ -0,0 +1,12 @@
+# LDAP configuration options
+{% if keystone_ldap is defined %}
+[identity]
+driver = {{ keystone_ldap_identity_driver }}
+
+{% for section in keystone_ldap|dictsort %}
+[{{ section.0 }}]
+{% for key, value in section.1.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+{% endfor %}
+{% endif %}
diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2
index 065e28e2c0..520e89095d 100644
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
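Review bot: The rendered keystone.Default.conf carries everything in keystone_ldap, including the bind password shown in the defaults example, so the new template item on the added line needs the same restrictive owner, group and mode as keystone.conf; the task's `mode:` line is above the hunk and not visible here, so confirm it applies to every item rather than falling back to the module default. The same concern applies to the directory item added in the keystone_pre_install.yml hunk, which sets no per-item `mode` the way the `/etc/sudoers.d` item does; `- { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }` would keep the domain config files out of reach of other local users. The template is rendered even when keystone_ldap is undefined, producing a file with only the header comment; that is harmless, but a comment on the item saying so would save a reader from wondering why the file is always present.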
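Review bot: The `[identity]` section at the top of the new template is written unconditionally, and the loop below it emits one section per key of keystone_ldap, so a keystone_ldap that carries its own identity section (a shape the removed loop in keystone.conf.j2 accepted without complaint) yields two [identity] sections in the same file, and which driver wins is then up to the INI parser. Either skip that key in the loop, `{% for section in keystone_ldap|dictsort if section.0 != 'identity' %}`, or state in the header comment that keystone_ldap must hold only the ldap sections and that the identity driver comes from keystone_ldap_identity_driver. The header comment `# LDAP configuration options` could also name the domain the file serves, since keystone selects domain-specific files by the domain name embedded in the filename.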
@@ -56,6 +56,10 @@ pool_timeout = {{ keystone_database_pool_timeout }}
 [identity]
 driver = {{ keystone_identity_driver }}
+{% if keystone_ldap is defined %}
+domain_config_dir = {{ keystone_ldap_domain_config_dir }}
+domain_specific_drivers_enabled = True
+{% endif %}
 [assignment]
@@ -68,16 +72,6 @@ caching = true
 driver = {{ keystone_resource_driver }}
-{% if keystone_ldap is defined %}
-{% for section in keystone_ldap|dictsort %}
-[{{ section.0 }}]
-{% for key, value in section.1.items() %}
-{{ key }} = {{ value }}
-{% endfor %}
-{% endfor %}
-{% endif %}
-
-
 [token]
 enforce_token_bind = permissive
 expiration = {{ keystone_token_expiration }}
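Review bot: `domain_specific_drivers_enabled = True` is the only capitalised boolean in this template; the `caching = true` heading of the next hunk shows the file's convention, so `domain_specific_drivers_enabled = true` keeps it consistent. The main `[identity]` driver stays `{{ keystone_identity_driver }}` while the new domain file switches the Default domain to LDAP, so any accounts kept in the SQL identity backend under the Default domain would presumably be resolved through LDAP once keystone_ldap is set; if that is the intent, a comment beside the `{% if keystone_ldap is defined %}` saying so would spare the next reader a trip to the keystone docs. The removed loop in the second hunk also means keystone_ldap keys no longer reach keystone.conf at all, which the commit message states only indirectly.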