Commit 126a443a authored by sousaedu

Adding LDAP support for Keystone charm


Change-Id: Ic07622ef2332943479d1e9212f9d968ba6554ead
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
parent 68faf8d3
......@@ -61,7 +61,7 @@ ENV SERVICE_PROJECT service
# ldap
# ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
# ENV LDAP_URL ldap://localhost
# ENV LDAP_BIND_USER no defauslt
# ENV LDAP_BIND_USER no default
# ENV LDAP_BIND_PASSWORD no default
# ENV LDAP_USER_TREE_DN no default
# ENV LDAP_USER_OBJECTCLASS inetOrgPerson
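Review bot: the only change in this hunk is the comment typo (`no defauslt` to `no default`), which is fine. Since config.yaml in this same commit now carries the full description of every `LDAP_*` variable, consider having this comment block refer to config.yaml instead of keeping two parallel lists that will drift apart.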
......
#!/bin/bash
# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
......@@ -11,8 +12,9 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#!/bin/bash
set -eux
function build() {
cd $1 && tox -e build && cd ..
}
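Review bot: `cd $1` in `build()` should be `cd "$1"` so a directory name containing spaces or glob characters is not word-split, and the second `#!/bin/bash` after the licence header is not a shebang (only line 1 is interpreted by the kernel), so it can be dropped. Note also that with `set -e` a failing `tox -e build` in one charm stops the script before the remaining charms are built; if that is intended, fine, otherwise collect the status and exit non-zero at the end.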
......
......@@ -52,10 +52,6 @@ options:
type: string
description: Ingress URL
default: ""
ldap_enabled:
type: boolean
description: Boolean to enable/disable LDAP authentication
default: false
region_id:
type: string
description: Region ID to be created when starting the service
......@@ -97,21 +93,135 @@ options:
description: |
Project domain name (Hardcoded in the container start.sh script)
default: default
# ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
# ENV LDAP_URL ldap://localhost
# ENV LDAP_BIND_USER no defauslt
# ENV LDAP_BIND_PASSWORD no default
# ENV LDAP_USER_TREE_DN no default
# ENV LDAP_USER_OBJECTCLASS inetOrgPerson
# ENV LDAP_USER_ID_ATTRIBUTE cn
# ENV LDAP_USER_NAME_ATTRIBUTE sn
# ENV LDAP_USER_PASS_ATTRIBUTE userPassword
# ENV LDAP_USER_FILTER no default
# ENV LDAP_USER_ENABLED_ATTRIBUTE enabled
# ENV LDAP_USER_ENABLED_MASK 0
# ENV LDAP_USER_ENABLED_DEFAULT true
# ENV LDAP_USER_ENABLED_INVERT false
# ENV LDAP_USE_STARTTLS false
# ENV LDAP_TLS_CACERT_BASE64 no default
# ENV LDAP_TLS_REQ_CERT demand
ldap_enabled:
type: boolean
description: Boolean to enable/disable LDAP authentication
default: false
ldap_authentication_domain_name:
type: string
description: Name of the domain which use LDAP authentication
default: ""
ldap_url:
type: string
description: URL of the LDAP server
default: "ldap://localhost"
ldap_bind_user:
type: string
description: User to bind and search for users
default: ""
ldap_bind_password:
type: string
description: Password to bind and search for users
default: ""
ldap_user_tree_dn:
type: string
description: |
Root of the tree in LDAP server in which Keystone will search for users
default: ""
ldap_user_objectclass:
type: string
description: |
LDAP object class that Keystone will filter on within user_tree_dn to
find user objects. Any objects of other classes will be ignored.
default: inetOrgPerson
ldap_user_id_attribute:
type: string
description: |
This set of options define the mapping to LDAP attributes for the three
key user attributes supported by Keystone. The LDAP attribute chosen for
user_id must be something that is immutable for a user and no more than
64 characters in length. Notice that Distinguished Name (DN) may be
longer than 64 characters and thus is not suitable. An uid, or mail may
be appropriate.
default: cn
ldap_user_name_attribute:
type: string
description: |
This set of options define the mapping to LDAP attributes for the three
key user attributes supported by Keystone. The LDAP attribute chosen for
user_id must be something that is immutable for a user and no more than
64 characters in length. Notice that Distinguished Name (DN) may be
longer than 64 characters and thus is not suitable. An uid, or mail may
be appropriate.
default: sn
ldap_user_pass_attribute:
type: string
description: |
This set of options define the mapping to LDAP attributes for the three
key user attributes supported by Keystone. The LDAP attribute chosen for
user_id must be something that is immutable for a user and no more than
64 characters in length. Notice that Distinguished Name (DN) may be
longer than 64 characters and thus is not suitable. An uid, or mail may
be appropriate.
default: userPassword
ldap_user_filter:
type: string
description: |
This filter option allow additional filter (over and above
user_objectclass) to be included into the search of user. One common use
of this is to provide more efficient searching, where the recommended
search for user objects is (&(objectCategory=person)(objectClass=user)).
By specifying user_objectclass as user and user_filter as
objectCategory=person in the Keystone configuration file, this can be
achieved.
default: ""
ldap_user_enabled_attribute:
type: string
description: |
In Keystone, a user entity can be either enabled or disabled. Setting
the above option will give a mapping to an equivalent attribute in LDAP,
allowing your LDAP management tools to disable a user.
default: enabled
ldap_user_enabled_mask:
type: int
description: |
Some LDAP schemas, rather than having a dedicated attribute for user
enablement, use a bit within a general control attribute (such as
userAccountControl) to indicate this. Setting user_enabled_mask will
cause Keystone to look at only the status of this bit in the attribute
specified by user_enabled_attribute, with the bit set indicating the
user is enabled.
default: 0
ldap_user_enabled_default:
type: boolean
description: |
Most LDAP servers use a boolean or bit in a control field to indicate
enablement. However, some schemas might use an integer value in an
attribute. In this situation, set user_enabled_default to the integer
value that represents a user being enabled.
default: true
ldap_user_enabled_invert:
type: boolean
description: |
Some LDAP schemas have an “account locked” attribute, which is the
equivalent to account being “disabled.” In order to map this to the
Keystone enabled attribute, you can utilize the user_enabled_invert
setting in conjunction with user_enabled_attribute to map the lock
status to disabled in Keystone.
default: false
ldap_use_starttls:
type: boolean
description: |
Enable Transport Layer Security (TLS) for providing a secure connection
from Keystone to LDAP (StartTLS, not LDAPS).
default: false
ldap_tls_cacert_base64:
type: string
description: |
CA certificate in Base64 format (if you have the PEM file, text inside
"-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
default: ""
ldap_tls_req_cert:
type: string
description: |
Defines how the certificates are checked for validity in the client
(i.e., Keystone end) of the secure connection (this doesn’t affect what
level of checking the server is doing on the certificates it receives
from Keystone). Possible values are "demand", "never", and "allow". The
default of demand means the client always checks the certificate and
will drop the connection if it is not provided or invalid. never is the
opposite—it never checks it, nor requires it to be provided. allow means
that if it is not provided then the connection is allowed to continue,
but if it is provided it will be checked—and if invalid, the connection
will be dropped.
default: demand
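Review bot: `ldap_user_enabled_default` is declared `type: boolean`, but its own description says to set it to the integer value that represents an enabled user (the `userAccountControl`-style schemas it mentions), which a boolean cannot express; make it `type: string` or reword the description so the two agree. In the same hunk, the descriptions of `ldap_user_name_attribute` and `ldap_user_pass_attribute` are verbatim copies of the `ldap_user_id_attribute` text and should say what each attribute is actually used for. `ldap_bind_password` is a plain string option, so it is readable in `juju config keystone` output and anywhere the pod environment is inspected; that is worth stating in its description, as is the consequence of the `ldap_use_starttls: false` default with the default `ldap://` URL: bind credentials and user passwords cross the wire in clear text unless the operator turns StartTLS on or uses an `ldaps://` URL. Finally, `ldap_tls_req_cert` accepts any string although only `demand`, `never` and `allow` are valid, so the charm should validate it (a typo here silently falls through to whatever the container does with an unknown value).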
......@@ -14,7 +14,7 @@
name: keystone
summary: A Keystone K8s charm
description: |
Transmission
A CAAS charm to deploy Keystone
series:
- kubernetes
min-juju-version: 2.8.0
......
......@@ -123,7 +123,7 @@ class KeystoneCharm(CharmBase):
def _make_pod_envconfig(self):
config = self.model.config
return {
envconfig = {
"DB_HOST": self.state.db_host,
"DB_PORT": self.state.db_port,
"ROOT_DB_USER": self.state.db_user,
......@@ -139,6 +139,43 @@ class KeystoneCharm(CharmBase):
"SERVICE_PROJECT": config["service_project"],
}
if config.get("ldap_enabled"):
envconfig["LDAP_AUTHENTICATION_DOMAIN_NAME"] = config[
"ldap_authentication_domain_name"
]
envconfig["LDAP_URL"] = config["ldap_url"]
envconfig["LDAP_USER_OBJECTCLASS"] = config["ldap_user_objectclass"]
envconfig["LDAP_USER_ID_ATTRIBUTE"] = config["ldap_user_id_attribute"]
envconfig["LDAP_USER_NAME_ATTRIBUTE"] = config["ldap_user_name_attribute"]
envconfig["LDAP_USER_PASS_ATTRIBUTE"] = config["ldap_user_pass_attribute"]
envconfig["LDAP_USER_ENABLED_MASK"] = config["ldap_user_enabled_mask"]
envconfig["LDAP_USER_ENABLED_DEFAULT"] = config["ldap_user_enabled_default"]
envconfig["LDAP_USER_ENABLED_INVERT"] = config["ldap_user_enabled_invert"]
if config["ldap_bind_user"]:
envconfig["LDAP_BIND_USER"] = config["ldap_bind_user"]
if config["ldap_bind_password"]:
envconfig["LDAP_BIND_PASSWORD"] = config["ldap_bind_password"]
if config["ldap_user_tree_dn"]:
envconfig["LDAP_USER_TREE_DN"] = config["ldap_user_tree_dn"]
if config["ldap_user_filter"]:
envconfig["LDAP_USER_FILTER"] = config["ldap_user_filter"]
if config["ldap_user_enabled_attribute"]:
envconfig["LDAP_USER_ENABLED_ATTRIBUTE"] = config[
"ldap_user_enabled_attribute"
]
if config["ldap_use_starttls"]:
envconfig["LDAP_USE_STARTTLS"] = config["ldap_use_starttls"]
envconfig["LDAP_TLS_CACERT_BASE64"] = config["ldap_tls_cacert_base64"]
envconfig["LDAP_TLS_REQ_CERT"] = config["ldap_tls_req_cert"]
return envconfig
def _make_pod_ingress_resources(self):
site_url = self.model.config["site_url"]
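Review bot: the boolean and int options (`ldap_user_enabled_mask`, `ldap_user_enabled_default`, `ldap_user_enabled_invert`, `ldap_use_starttls`) are copied into `envconfig` as Python values, so the container would see `True`/`False` rather than the lower-case `true`/`false` that the Dockerfile comments document (`LDAP_USER_ENABLED_DEFAULT true`); render them explicitly, e.g. `str(value).lower()`, unless start.sh is known to accept both spellings. Nothing checks that `ldap_authentication_domain_name` or `ldap_user_tree_dn` is non-empty when `ldap_enabled` is true, so a misconfigured unit starts with an empty domain name; setting `BlockedStatus` with a clear message would surface that to the operator. `LDAP_TLS_CACERT_BASE64` and `LDAP_TLS_REQ_CERT` are forwarded only inside the `ldap_use_starttls` branch, so an `ldaps://` URL in `ldap_url` gets neither, even though the `ldap_tls_req_cert` description says it governs the secure connection in general; either move those two lines out of the branch or document that they apply to StartTLS only. Lastly, the bind password lands in the pod environment as a plain value, visible in `kubectl describe pod`; a Kubernetes secret would keep it out of that output.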
......
#!/bin/bash
# Copyright 2020 Canonical Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
......@@ -11,8 +12,9 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#!/bin/bash
set -eux
function lint() {
cd $1
tox -e lint
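Review bot: as in build.sh, `cd $1` in `lint()` should be quoted as `cd "$1"`. With `set -e` the script stops at the first charm whose `tox -e lint` fails, so a lint failure in an early charm hides the results for every later one; if a full report is wanted, record the failure and exit non-zero after the loop instead.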
......@@ -25,3 +27,6 @@ lint 'nbi-k8s'
lint 'pol-k8s'
lint 'ro-k8s'
lint 'ui-k8s'
lint 'keystone'
lint 'ng-ui'
lint 'pla'
\ No newline at end of file
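Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); add one so the next append does not produce a noisy diff. The three new entries (`keystone`, `ng-ui`, `pla`) otherwise follow the existing list's style.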