+# == class: keystone::ldap
#
# Implements ldap configuration for keystone.
#
+# === parameters:
+#
+# [*url*]
+# URL for connecting to the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*user*]
+# User BindDN to query the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*password*]
+# Password for the BindDN to query the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*suffix*]
+# LDAP server suffix (string value)
+# Defaults to 'undef'
+#
+# [*query_scope*]
+# The LDAP scope for queries, this can be either "one"
+# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
+# Defaults to 'undef'
+#
+# [*page_size*]
+# Maximum results per page; a value of zero ("0") disables paging. (integer value)
+# Defaults to 'undef'
+#
+# [*user_tree_dn*]
+# Search base for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_filter*]
+# LDAP search filter for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_objectclass*]
+# LDAP objectclass for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_id_attribute*]
+# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
+# Defaults to 'undef'
+#
+# [*user_name_attribute*]
+# LDAP attribute mapped to user name. (string value)
+# Defaults to 'undef'
+#
+# [*user_mail_attribute*]
+# LDAP attribute mapped to user email. (string value)
+#
+# [*user_enabled_attribute*]
+# LDAP attribute mapped to user enabled flag. (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_mask*]
+# Bitmask integer to indicate the bit that the enabled value is stored in if
+# the LDAP server represents "enabled" as a bit on an integer rather than a
+# boolean. A value of "0" indicates the mask is not used. If this is not set
+# to "0" the typical value is "2". This is typically used when
+# "user_enabled_attribute = userAccountControl". (integer value)
+# Defaults to 'undef'
+#
+# [*user_enabled_default*]
+# Default value to enable users. This should match an appropriate int value
+# if the LDAP server uses non-boolean (bitmask) values to indicate if a user
+# is enabled or disabled. If this is not set to "True" the typical value is
+# "512". This is typically used when "user_enabled_attribute =
+# userAccountControl". (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_invert*]
+# Invert the meaning of the boolean enabled values. Some LDAP servers use a
+# boolean lock attribute where "true" means an account is disabled. Setting
+# "user_enabled_invert = true" will allow these lock attributes to be used.
+# This setting will have no effect if "user_enabled_mask" or
+# "user_enabled_emulation" settings are in use. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_attribute_ignore*]
+# List of attributes stripped off the user on update. (list value)
+# Defaults to 'undef'
+#
+# [*user_default_project_id_attribute*]
+# LDAP attribute mapped to default_project_id for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_allow_create*]
+# Allow user creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_allow_update*]
+# Allow user updates in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_allow_delete*]
+# Allow user deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_pass_attribute*]
+# LDAP attribute mapped to password. (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_emulation*]
+# If true, Keystone uses an alternative method to determine if
+# a user is enabled or not by checking if they are a member of
+# the "user_enabled_emulation_dn" group. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_enabled_emulation_dn*]
+# DN of the group entry to hold enabled users when using enabled emulation.
+# (string value)
+# Defaults to 'undef'
+#
+# [*user_additional_attribute_mapping*]
+# List of additional LDAP attributes used for mapping
+# additional attribute mappings for users. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*project_tree_dn*]
+# Search base for projects (string value)
+# Defaults to 'undef'
+#
+# [*project_filter*]
+# LDAP search filter for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_objectclass*]
+# LDAP objectclass for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_id_attribute*]
+# LDAP attribute mapped to project id. (string value)
+# Defaults to 'undef'
+#
+# [*project_member_attribute*]
+# LDAP attribute mapped to project membership for user. (string value)
+# Defaults to 'undef'
+#
+# [*project_name_attribute*]
+# LDAP attribute mapped to project name. (string value)
+# Defaults to 'undef'
+#
+# [*project_desc_attribute*]
+# LDAP attribute mapped to project description. (string value)
+# Defaults to 'undef'
+#
+# [*project_enabled_attribute*]
+# LDAP attribute mapped to project enabled. (string value)
+# Defaults to 'undef'
+#
+# [*project_domain_id_attribute*]
+# LDAP attribute mapped to project domain_id. (string value)
+# Defaults to 'undef'
+#
+# [*project_attribute_ignore*]
+# List of attributes stripped off the project on update. (list value)
+# Defaults to 'undef'
+#
+# [*project_allow_create*]
+# Allow project creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_update*]
+# Allow project update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_delete*]
+# Allow project deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation*]
+# If true, Keystone uses an alternative method to determine if
+# a project is enabled or not by checking if they are a member
+# of the "project_enabled_emulation_dn" group. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation_dn*]
+# DN of the group entry to hold enabled projects when using
+# enabled emulation. (string value)
+# Defaults to 'undef'
+#
+# [*project_additional_attribute_mapping*]
+# Additional attribute mappings for projects. Attribute
+# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
+# is the attribute in the LDAP entry and user_attr is the
+# Identity API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*role_tree_dn*]
+# Search base for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_filter*]
+# LDAP search filter for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_objectclass*]
+# LDAP objectclass for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_id_attribute*]
+# LDAP attribute mapped to role id. (string value)
+# Defaults to 'undef'
+#
+# [*role_name_attribute*]
+# LDAP attribute mapped to role name. (string value)
+# Defaults to 'undef'
+#
+# [*role_member_attribute*]
+# LDAP attribute mapped to role membership. (string value)
+# Defaults to 'undef'
+#
+# [*role_attribute_ignore*]
+# List of attributes stripped off the role on update. (list value)
+# Defaults to 'undef'
+#
+# [*role_allow_create*]
+# Allow role creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_update*]
+# Allow role update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_delete*]
+# Allow role deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_additional_attribute_mapping*]
+# Additional attribute mappings for roles. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*group_tree_dn*]
+# Search base for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_filter*]
+# LDAP search filter for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_objectclass*]
+# LDAP objectclass for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_id_attribute*]
+# LDAP attribute mapped to group id. (string value)
+# Defaults to 'undef'
+#
+# [*group_name_attribute*]
+# LDAP attribute mapped to group name. (string value)
+# Defaults to 'undef'
+#
+# [*group_member_attribute*]
+# LDAP attribute mapped to show group membership. (string value)
+# Defaults to 'undef'
+#
+# [*group_desc_attribute*]
+# LDAP attribute mapped to group description. (string value)
+# Defaults to 'undef'
+#
+# [*group_attribute_ignore*]
+# List of attributes stripped off the group on update. (list value)
+# Defaults to 'undef'
+#
+# [*group_allow_create*]
+# Allow group creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_update*]
+# Allow group update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_delete*]
+# Allow group deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_additional_attribute_mapping*]
+# Additional attribute mappings for groups. Attribute mapping
+# format is <ldap_attr>:<user_attr>, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*use_tls*]
+# Enable TLS for communicating with LDAP servers. (boolean value)
+# Defaults to 'undef'
+#
+# [*tls_cacertfile*]
+# CA certificate file path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_cacertdir*]
+# CA certificate directory path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_req_cert*]
+# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Defaults to 'undef'
+#
+# [*identity_driver*]
+# Identity backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*credential_driver*]
+# Credential backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*assignment_driver*]
+# Assignment backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*use_pool*]
+# Enable LDAP connection pooling. (boolean value)
+# Defaults to false
+#
+# [*pool_size*]
+# Connection pool size. (integer value)
+# Defaults to '10'
+#
+# [*pool_retry_max*]
+# Maximum count of reconnect trials. (integer value)
+# Defaults to '3'
+#
+# [*pool_retry_delay*]
+# Time span in seconds to wait between two reconnect trials. (floating point value)
+# Defaults to '0.1'
+#
+# [*pool_connection_timeout*]
+# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
+# Defaults to '-1'
+#
+# [*pool_connection_lifetime*]
+# Connection lifetime in seconds. (integer value)
+# Defaults to '600'
+#
+# [*use_auth_pool*]
+# Enable LDAP connection pooling for end user authentication.
+# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
+# Defaults to false
+#
+# [*auth_pool_size*]
+# End user auth connection pool size. (integer value)
+# Defaults to '100'
+#
+# [*auth_pool_connection_lifetime*]
+# End user auth connection lifetime in seconds. (integer value)
+# Defaults to '60'
+#
+# === DEPRECATED group/name
+#
+# [*tenant_tree_dn*]
+# [*tenant_filter*]
+# [*tenant_objectclass*]
+# [*tenant_id_attribute*]
+# [*tenant_member_attribute*]
+# [*tenant_name_attribute*]
+# [*tenant_desc_attribute*]
+# [*tenant_enabled_attribute*]
+# [*tenant_domain_id_attribute*]
+# [*tenant_attribute_ignore*]
+# [*tenant_allow_create*]
+# [*tenant_allow_update*]
+# [*tenant_enabled_emulation*]
+# [*tenant_enabled_emulation_dn*]
+# [*tenant_additional_attribute_mapping*]
+# [*tenant_allow_delete*]
+#
# == Dependencies
# == Examples
# == Authors
$tls_req_cert = undef,
$identity_driver = undef,
$assignment_driver = undef,
+ $credential_driver = undef,
$use_pool = false,
$pool_size = 10,
$pool_retry_max = 3,
}
}
+ if ($credential_driver != undef) {
+ if ! ($credential_driver =~ /^keystone.credential.backends.*Credential$/) {
+ fail('credential driver should be of the form \'keystone.credential.backends.*Credential\'')
+ }
+ }
+
if ($tls_cacertdir != undef) {
file { $tls_cacertdir:
ensure => directory
'ldap/auth_pool_size': value => $auth_pool_size;
'ldap/auth_pool_connection_lifetime': value => $auth_pool_connection_lifetime;
'identity/driver': value => $identity_driver;
+ 'credential/driver': value => $credential_driver;
'assignment/driver': value => $assignment_driver;
}
}