Bug 1172310
Summary: | support Keystone LDAP | ||
---|---|---|---|
Product: | [Community] RDO | Reporter: | Rich Megginson <rmeggins> |
Component: | openstack-packstack | Assignee: | Ivan Chavero <ichavero> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Shai Revivo <srevivo> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | trunk | CC: | adahms, aortega, chris.brown, derekh, dnavale, gchamoul, ichavero, jschluet, mmagr, nbarcet, nkinder, rmeggins, srevivo |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: |
With this update, support for LDAP identity back ends for Keystone has been added. Several new parameters are now available:
CONFIG_KEYSTONE_IDENTITY_BACKEND
CONFIG_KEYSTONE_LDAP_URL
CONFIG_KEYSTONE_LDAP_USER_DN
CONFIG_KEYSTONE_LDAP_USER_PASSWORD
CONFIG_KEYSTONE_LDAP_SUFFIX
CONFIG_KEYSTONE_LDAP_QUERY_SCOPE
CONFIG_KEYSTONE_LDAP_PAGE_SIZE
CONFIG_KEYSTONE_LDAP_USER_SUBTREE
CONFIG_KEYSTONE_LDAP_USER_FILTER
CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS
CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_NAME_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_MAIL_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK
CONFIG_KEYSTONE_LDAP_USER_ENABLED_DEFAULT
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT
CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE
CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE
CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE
CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN
CONFIG_KEYSTONE_LDAP_USER_ADDITIONAL_ATTRIBUTE_MAPPING
CONFIG_KEYSTONE_LDAP_GROUP_SUBTREE
CONFIG_KEYSTONE_LDAP_GROUP_FILTER
CONFIG_KEYSTONE_LDAP_GROUP_OBJECTCLASS
CONFIG_KEYSTONE_LDAP_GROUP_ID_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_NAME_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE
CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE
CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING
CONFIG_KEYSTONE_LDAP_USE_TLS
CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR
CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE
CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-06-18 06:08:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1082729, 1187706, 1205768, 1205781, 1205966 | ||
Bug Blocks: |
Description
Rich Megginson
2014-12-09 20:00:53 UTC
The bugs are fixed upstream in master. For the puppet-keystone bug 1391373, the backport review to juno needs approval, and we need to get another openstack-puppet-modules build with this fix in it for RHOS6. For the packstack bug 1383793, do we need to backport that fix to juno?

This is fixed upstream - see https://bugzilla.redhat.com/show_bug.cgi?id=1082729

Can this bug be moved to POST?

Fix merged in packstack/master:
- https://review.openstack.org/#/c/129989/
And this patch has been backported into Packstack/Juno:
- https://review.openstack.org/#/c/159121/

from the code review in the reference bz, can you give a config snippet example of the following:

Each component that uses apache must call "include packstack::apache_common". This ensures that a subsequent component manifest will not wipe out apache configuration created by a previous component manifest or the initial apache configuration created by prescript.pp.

please indicate parameters/examples for testing past this entry in the answer file:

[general]
CONFIG_KEYSTONE_SERVICE_NAME=httpd

Thanks.

(In reply to Mike Abrams from comment #8)
> from the code review in the reference bz, can you give a config snippet
> example of the following:
>
> Each component that uses apache
> must call "include packstack::apache_common". This ensures that
> a subsequent component manifest will not wipe out apache
> configuration created by a previous component manifest or the initial
> apache configuration created by prescript.pp.
>
> please indicate parameters/examples for testing past this entry in the
> answer file:
>
> [general]
> CONFIG_KEYSTONE_SERVICE_NAME=httpd
>
> Thanks.

The comment was really meant as a note to future packstack coders who write packstack puppet modules. There really isn't anything you need to do when running packstack, no extra command line options or answer file directives.

If you wanted to see the examples in the actual puppet code:
https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/keystone.pp#L22
https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/horizon.pp#L1
https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/nagios_server.pp#L1

PASSED.
---
added [general] CONFIG_KEYSTONE_SERVICE_NAME=httpd to packstack answer file.
tested service with ps filtering for keystone (runs in httpd, not in keystone service)
tested functionality using keystone sanity.

This was not properly verified. I think Rich's comment in comment #9 was misinterpreted as a description of how to verify this issue, when it was really just a response to the question in comment #9.

To test this, you need to set the CONFIG_KEYSTONE_LDAP_* options in a packstack answer file to allow packstack to configure Keystone to use an LDAP server. The new settings are documented in comments if you have packstack generate an answerfile. The concepts map directly to keystone LDAP configuration settings, so they should make sense to one familiar with configuring keystone for LDAP in previous releases.

Putting this back ON_QA so verification can be completed.

Still unstable upstream.

In read write setup, I don't get the problem. Can you confirm this?

right now: puppet-neutron and puppet-cinder don't support keystone v3, this has to be added to the modules for this bug to be fixed.

(In reply to Ivan Chavero from comment #19)
> In read write setup, I don't get the problem. Can you confirm this?

Read-write setup is working for you? That's good. We also need read-only LDAP to work.

(In reply to Ivan Chavero from comment #21)
> right now: puppet-neutron and puppet-cinder don't support keystone v3, this
> has to be added to the modules for this bug to be fixed.

I don't think it is necessary for all modules to support keystone v3 in order to support Keystone LDAP.

Clearing stale NEEDINFO flags.

Packstack has supported v3 for a while now, so this can be closed. |
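The verification comments above say the feature is exercised by setting the CONFIG_KEYSTONE_LDAP_* options in a packstack answer file, and the thread distinguishes read-write from read-only LDAP. The script below is an added example, not code from this bug or from packstack: it parses the [general] section of an answer file and flags the settings a reviewer would want to catch before deployment (a bind that is neither ldaps:// nor StartTLS, TLS without certificate verification or a CA, an empty bind password, and the ALLOW_CREATE/UPDATE/DELETE flags that make the Keystone service account a writer in the directory). It assumes packstack's y/n convention for boolean answers and Keystone's demand/allow/never values for CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT; the two answer files, hostnames, DNs and paths are constructed placeholders.

```python
"""Audit CONFIG_KEYSTONE_LDAP_* settings in a packstack answer file.

Added example, not packstack's own code. Assumptions: packstack boolean
answers are 'y'/'n', CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT takes Keystone's
demand/allow/never values, and an unset TLS_REQ_CERT behaves as 'demand'.
"""
import configparser
from urllib.parse import urlsplit

# Answer-file flags that let Keystone modify directory entries (read-write LDAP).
WRITE_FLAGS = (
    "CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE",
    "CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE",
    "CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE",
    "CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE",
    "CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE",
    "CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE",
)

# Constructed answer files (placeholder hosts, DNs and paths) for demonstration.
WEAK_ANSWER_FILE = """\
[general]
CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap
CONFIG_KEYSTONE_LDAP_URL=ldap://ldap.example.test
CONFIG_KEYSTONE_LDAP_USER_DN=cn=keystone,dc=example,dc=test
CONFIG_KEYSTONE_LDAP_USER_PASSWORD=
CONFIG_KEYSTONE_LDAP_SUFFIX=dc=example,dc=test
CONFIG_KEYSTONE_LDAP_USE_TLS=n
CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE=y
CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE=y
CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE=y
"""

HARDENED_ANSWER_FILE = """\
[general]
CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap
CONFIG_KEYSTONE_LDAP_URL=ldap://ldap.example.test
CONFIG_KEYSTONE_LDAP_USER_DN=cn=keystone,dc=example,dc=test
CONFIG_KEYSTONE_LDAP_USER_PASSWORD=placeholder-bind-password
CONFIG_KEYSTONE_LDAP_SUFFIX=dc=example,dc=test
CONFIG_KEYSTONE_LDAP_USE_TLS=y
CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE=/etc/pki/tls/certs/ldap-ca.crt
CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT=demand
CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE=n
CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE=n
CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE=n
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE=n
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE=n
CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE=n
"""


def parse_answer_file(text):
    """Return the [general] section of a packstack answer file as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep CONFIG_* keys as written instead of lower-casing
    parser.read_string(text)
    return dict(parser["general"])


def audit_ldap_settings(cfg):
    """Return a list of findings for the LDAP identity settings in cfg."""
    findings = []
    if cfg.get("CONFIG_KEYSTONE_IDENTITY_BACKEND", "sql").lower() != "ldap":
        return findings  # SQL backend: none of the LDAP settings are in effect

    scheme = urlsplit(cfg.get("CONFIG_KEYSTONE_LDAP_URL", "")).scheme.lower()
    starttls = cfg.get("CONFIG_KEYSTONE_LDAP_USE_TLS", "n").lower() == "y"
    encrypted = scheme == "ldaps" or (scheme == "ldap" and starttls)
    if not encrypted:
        findings.append(
            f"bind credentials and queries travel in clear text: URL scheme "
            f"'{scheme or 'none'}' and CONFIG_KEYSTONE_LDAP_USE_TLS is not 'y'")
    else:
        req_cert = cfg.get("CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT", "demand").lower()
        if req_cert != "demand":
            findings.append(
                f"CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT={req_cert} does not verify the server certificate")
        if not (cfg.get("CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE")
                or cfg.get("CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR")):
            findings.append("no CA configured (CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE/CACERTDIR)")

    if cfg.get("CONFIG_KEYSTONE_LDAP_USER_DN") and not cfg.get("CONFIG_KEYSTONE_LDAP_USER_PASSWORD"):
        findings.append("bind DN is set but CONFIG_KEYSTONE_LDAP_USER_PASSWORD is empty")

    writable = [flag for flag in WRITE_FLAGS if cfg.get(flag, "n").lower() == "y"]
    if writable:
        findings.append("read-write LDAP: Keystone may modify the directory via " + ", ".join(writable))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ANSWER_FILE), ("hardened", HARDENED_ANSWER_FILE)):
        result = audit_ldap_settings(parse_answer_file(text))
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it as a pre-deployment check over the generated answer file; a read-only deployment of the kind the thread asks for should report no findings, while the constructed weak file reports clear-text transport, an empty bind password and read-write flags.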