type: string
description: Ingress URL
default: ""
- ldap_enabled:
- type: boolean
- description: Boolean to enable/disable LDAP authentication
- default: false
region_id:
type: string
description: Region ID to be created when starting the service
description: |
Project domain name (Hardcoded in the container start.sh script)
default: default
-
- # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default
- # ENV LDAP_URL ldap://localhost
- # ENV LDAP_BIND_USER no defauslt
- # ENV LDAP_BIND_PASSWORD no default
- # ENV LDAP_USER_TREE_DN no default
- # ENV LDAP_USER_OBJECTCLASS inetOrgPerson
- # ENV LDAP_USER_ID_ATTRIBUTE cn
- # ENV LDAP_USER_NAME_ATTRIBUTE sn
- # ENV LDAP_USER_PASS_ATTRIBUTE userPassword
- # ENV LDAP_USER_FILTER no default
- # ENV LDAP_USER_ENABLED_ATTRIBUTE enabled
- # ENV LDAP_USER_ENABLED_MASK 0
- # ENV LDAP_USER_ENABLED_DEFAULT true
- # ENV LDAP_USER_ENABLED_INVERT false
- # ENV LDAP_USE_STARTTLS false
- # ENV LDAP_TLS_CACERT_BASE64 no default
- # ENV LDAP_TLS_REQ_CERT demand
+ ldap_enabled:
+ type: boolean
+ description: Boolean to enable/disable LDAP authentication
+ default: false
+ ldap_authentication_domain_name:
+ type: string
+ description: Name of the domain which use LDAP authentication
+ default: ""
+ ldap_url:
+ type: string
+ description: URL of the LDAP server
+ default: "ldap://localhost"
+ ldap_bind_user:
+ type: string
+ description: User to bind and search for users
+ default: ""
+ ldap_bind_password:
+ type: string
+ description: Password to bind and search for users
+ default: ""
+ ldap_user_tree_dn:
+ type: string
+ description: |
+ Root of the tree in LDAP server in which Keystone will search for users
+ default: ""
+ ldap_user_objectclass:
+ type: string
+ description: |
+ LDAP object class that Keystone will filter on within user_tree_dn to
+ find user objects. Any objects of other classes will be ignored.
+ default: inetOrgPerson
+ ldap_user_id_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: cn
+ ldap_user_name_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: sn
+ ldap_user_pass_attribute:
+ type: string
+ description: |
+ This set of options define the mapping to LDAP attributes for the three
+ key user attributes supported by Keystone. The LDAP attribute chosen for
+ user_id must be something that is immutable for a user and no more than
+ 64 characters in length. Notice that Distinguished Name (DN) may be
+ longer than 64 characters and thus is not suitable. An uid, or mail may
+ be appropriate.
+ default: userPassword
+ ldap_user_filter:
+ type: string
+ description: |
+ This filter option allow additional filter (over and above
+ user_objectclass) to be included into the search of user. One common use
+ of this is to provide more efficient searching, where the recommended
+ search for user objects is (&(objectCategory=person)(objectClass=user)).
+ By specifying user_objectclass as user and user_filter as
+ objectCategory=person in the Keystone configuration file, this can be
+ achieved.
+ default: ""
+ ldap_user_enabled_attribute:
+ type: string
+ description: |
+ In Keystone, a user entity can be either enabled or disabled. Setting
+ the above option will give a mapping to an equivalent attribute in LDAP,
+ allowing your LDAP management tools to disable a user.
+ default: enabled
+ ldap_user_enabled_mask:
+ type: int
+ description: |
+ Some LDAP schemas, rather than having a dedicated attribute for user
+ enablement, use a bit within a general control attribute (such as
+ userAccountControl) to indicate this. Setting user_enabled_mask will
+ cause Keystone to look at only the status of this bit in the attribute
+ specified by user_enabled_attribute, with the bit set indicating the
+ user is enabled.
+ default: 0
+ ldap_user_enabled_default:
+ type: boolean
+ description: |
+ Most LDAP servers use a boolean or bit in a control field to indicate
+ enablement. However, some schemas might use an integer value in an
+ attribute. In this situation, set user_enabled_default to the integer
+ value that represents a user being enabled.
+ default: true
+ ldap_user_enabled_invert:
+ type: boolean
+ description: |
+ Some LDAP schemas have an “account locked” attribute, which is the
+ equivalent to account being “disabled.” In order to map this to the
+ Keystone enabled attribute, you can utilize the user_enabled_invert
+ setting in conjunction with user_enabled_attribute to map the lock
+ status to disabled in Keystone.
+ default: false
+ ldap_use_starttls:
+ type: boolean
+ description: |
+ Enable Transport Layer Security (TLS) for providing a secure connection
+ from Keystone to LDAP (StartTLS, not LDAPS).
+ default: false
+ ldap_tls_cacert_base64:
+ type: string
+ description: |
+ CA certificate in Base64 format (if you have the PEM file, text inside
+ "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
+ default: ""
+ ldap_tls_req_cert:
+ type: string
+ description: |
+ Defines how the certificates are checked for validity in the client
+ (i.e., Keystone end) of the secure connection (this doesn’t affect what
+ level of checking the server is doing on the certificates it receives
+ from Keystone). Possible values are "demand", "never", and "allow". The
+ default of demand means the client always checks the certificate and
+ will drop the connection if it is not provided or invalid. never is the
+ opposite—it never checks it, nor requires it to be provided. allow means
+ that if it is not provided then the connection is allowed to continue,
+ but if it is provided it will be checked—and if invalid, the connection
+ will be dropped.
+ default: demand
def _make_pod_envconfig(self):
config = self.model.config
- return {
+ envconfig = {
"DB_HOST": self.state.db_host,
"DB_PORT": self.state.db_port,
"ROOT_DB_USER": self.state.db_user,
"SERVICE_PROJECT": config["service_project"],
}
+ if config.get("ldap_enabled"):
+ envconfig["LDAP_AUTHENTICATION_DOMAIN_NAME"] = config[
+ "ldap_authentication_domain_name"
+ ]
+ envconfig["LDAP_URL"] = config["ldap_url"]
+ envconfig["LDAP_USER_OBJECTCLASS"] = config["ldap_user_objectclass"]
+ envconfig["LDAP_USER_ID_ATTRIBUTE"] = config["ldap_user_id_attribute"]
+ envconfig["LDAP_USER_NAME_ATTRIBUTE"] = config["ldap_user_name_attribute"]
+ envconfig["LDAP_USER_PASS_ATTRIBUTE"] = config["ldap_user_pass_attribute"]
+ envconfig["LDAP_USER_ENABLED_MASK"] = config["ldap_user_enabled_mask"]
+ envconfig["LDAP_USER_ENABLED_DEFAULT"] = config["ldap_user_enabled_default"]
+ envconfig["LDAP_USER_ENABLED_INVERT"] = config["ldap_user_enabled_invert"]
+
+ if config["ldap_bind_user"]:
+ envconfig["LDAP_BIND_USER"] = config["ldap_bind_user"]
+
+ if config["ldap_bind_password"]:
+ envconfig["LDAP_BIND_PASSWORD"] = config["ldap_bind_password"]
+
+ if config["ldap_user_tree_dn"]:
+ envconfig["LDAP_USER_TREE_DN"] = config["ldap_user_tree_dn"]
+
+ if config["ldap_user_filter"]:
+ envconfig["LDAP_USER_FILTER"] = config["ldap_user_filter"]
+
+ if config["ldap_user_enabled_attribute"]:
+ envconfig["LDAP_USER_ENABLED_ATTRIBUTE"] = config[
+ "ldap_user_enabled_attribute"
+ ]
+
+ if config["ldap_use_starttls"]:
+ envconfig["LDAP_USE_STARTTLS"] = config["ldap_use_starttls"]
+ envconfig["LDAP_TLS_CACERT_BASE64"] = config["ldap_tls_cacert_base64"]
+ envconfig["LDAP_TLS_REQ_CERT"] = config["ldap_tls_req_cert"]
+
+ return envconfig
+
def _make_pod_ingress_resources(self):
site_url = self.model.config["site_url"]
projects / osm / devops.git / commitdiff