From 5a50a9c136a74ff53baa54032bcd479c194bf721 Mon Sep 17 00:00:00 2001 From: Gage Hugo Date: Thu, 5 Dec 2019 13:38:46 -0600 Subject: [PATCH] Map LDAP groups in keystone This change adds in the mapping for LDAP groups to be mapped to groups within keystone. Also adds a group list check to make sure that groups are correctly mapped. Change-Id: Ib3b00d3f801ba975202a921643510fcb642e0a90
---
keystone/values_overrides/ldap.yaml | 6 ++++++ tools/deployment/component/keystone/keystone.sh | 2 ++ 2 files changed, 8 insertions(+)
diff --git a/keystone/values_overrides/ldap.yaml b/keystone/values_overrides/ldap.yaml
index 8109017a37..510066ad3e 100644
--- a/keystone/values_overrides/ldap.yaml
+++ b/keystone/values_overrides/ldap.yaml
@@ -41,6 +41,12 @@ conf:
 user_mail_attribute: mail
 user_pass_attribute: userPassword
 group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+ group_filter: ""
+ group_objectclass: posixGroup
+ group_id_attribute: cn
+ group_name_attribute: cn
+ group_desc_attribute: description
+ group_member_attribute: memberUID
 use_pool: true
 pool_size: 27
 pool_retry_max: 3
diff --git a/tools/deployment/component/keystone/keystone.sh b/tools/deployment/component/keystone/keystone.sh
index d376e9df9b..7c20f16d81 100755
--- a/tools/deployment/component/keystone/keystone.sh
+++ b/tools/deployment/component/keystone/keystone.sh
@@ -44,6 +44,8 @@ FEATURE_GATE="ldap"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GAT openstack user list openstack user list --domain ldapdomain + openstack group list --domain ldapdomain + openstack role add --user bob --project admin --user-domain ldapdomain --project-domain default admin domain="ldapdomain"
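Review bot: `group_member_attribute: memberUID` on `group_objectclass: posixGroup` stores bare uid strings rather than member DNs, and keystone's LDAP driver treats member values as DNs unless `group_members_are_ids: true` is set in the same `ldap` section. The visible hunk does not set it (the section continues outside the hunk, so it may be set elsewhere). Without it the groups will probably list correctly while membership lookups come back empty, so a role granted to a group would silently not reach its users. Consider adding `group_members_are_ids: true` after `group_member_attribute`, and confirming that the uid values match whatever `user_id_attribute` is configured. A short comment that `group_filter: ""` exposes every `posixGroup` under `ou=Groups` to keystone would also help anyone copying this override outside a test deployment.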
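Review bot: The added `openstack group list --domain ldapdomain` exits successfully even when it prints an empty table, so it does not verify that any LDAP group was mapped, which is what the commit message says this check is for. Assert on an expected name instead, for example `openstack group list --domain ldapdomain -f value -c Name | grep -qx "<expected-group>"`, where the placeholder is a group from the LDAP fixture (no group name appears on this page). Membership is the part most likely to break with a `posixGroup` mapping, so `openstack group contains user --group-domain ldapdomain --user-domain ldapdomain "<expected-group>" bob` would be a stronger check. The enclosing `if` block starts and ends outside the hunk, so whether a failing command aborts the script cannot be confirmed from here.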