Map LDAP groups in keystone

This change adds in the mapping for LDAP groups to be mapped to groups within keystone. Also adds a group list check to make sure that groups are correctly mapped. Change-Id: Ib3b00d3f801ba975202a921643510fcb642e0a90
2019-12-05 13:38:46 -06:00 · 2019-12-05 13:38:46 -06:00 · 5a50a9c136
commit 5a50a9c136
parent 040e6aa23a
2 changed files with 8 additions and 0 deletions
--- a/keystone/values_overrides/ldap.yaml
+++ b/keystone/values_overrides/ldap.yaml
@ -41,6 +41,12 @@ conf:
        user_mail_attribute: mail
        user_pass_attribute: userPassword
        group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+        group_filter: ""
+        group_objectclass: posixGroup
+        group_id_attribute: cn
+        group_name_attribute: cn
+        group_desc_attribute: description
+        group_member_attribute: memberUID
        use_pool: true
        pool_size: 27
        pool_retry_max: 3
--- a/tools/deployment/component/keystone/keystone.sh
+++ b/tools/deployment/component/keystone/keystone.sh
@ -44,6 +44,8 @@ FEATURE_GATE="ldap"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GAT
  openstack user list
  openstack user list --domain ldapdomain

+  openstack group list --domain ldapdomain
+
  openstack role add --user bob --project admin --user-domain ldapdomain --project-domain default admin

  domain="ldapdomain"