]> git.donarmstrong.com Git - dsa-puppet.git/blob - 3rdparty/modules/keystone/examples/ldap_full.pp
projects / dsa-puppet.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
try with modules from master
[dsa-puppet.git] / 3rdparty / modules / keystone / examples / ldap_full.pp
1 # A full example from a real deployment that allows Keystone to modify
2 # everything except users, uses enabled_emulation, and ldaps
3
4 # Ensure this matches what is in LDAP or keystone will try to recreate
5 # the admin user
6 class { '::keystone::roles::admin':
7   email    => 'test@example.com',
8   password => 'ChangeMe',
9 }
10
11 # You can test this connection with ldapsearch first to ensure it works.
12 # LDAP configurations are *highly* dependent on your setup and this file
13 # will need to be tweaked. This sample talks to ldap.example.com, here is
14 # an example of ldapsearch that will search users on this box:
15 # ldapsearch -v -x -H 'ldap://example.com:389' -D \
16 # "uid=bind,cn=users,cn=accounts,dc=example,dc=com" -w SecretPass \
17 # -b cn=users,cn=accounts,dc=example,dc=com
18 class { '::keystone:ldap':
19   url                          => 'ldap://ldap.example.com:389',
20   user                         => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
21   password                     => 'SecretPass',
22   suffix                       => 'dc=example,dc=com',
23   query_scope                  => 'sub',
24   user_tree_dn                 => 'cn=users,cn=accounts,dc=example,dc=com',
25   user_id_attribute            => 'uid',
26   user_name_attribute          => 'uid',
27   user_mail_attribute          => 'mail',
28   user_allow_create            => 'False',
29   user_allow_update            => 'False',
30   user_allow_delete            => 'False',
31   user_enabled_emulation       => 'True',
32   user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
33   group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
34   group_objectclass            => 'organizationalRole',
35   group_id_attribute           => 'cn',
36   group_name_attribute         => 'cn',
37   group_member_attribute       => 'RoleOccupant',
38   group_desc_attribute         => 'description',
39   group_allow_create           => 'True',
40   group_allow_update           => 'True',
41   group_allow_delete           => 'True',
42   project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
43   project_objectclass          => 'organizationalUnit',
44   project_id_attribute         => 'ou',
45   project_member_attribute     => 'member',
46   project_name_attribute       => 'ou',
47   project_desc_attribute       => 'description',
48   project_allow_create         => 'True',
49   project_allow_update         => 'True',
50   project_allow_delete         => 'True',
51   project_enabled_emulation    => 'True',
52   project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
53   role_tree_dn                 => 'ou=roles,ou=openstack,dc=example,dc=com',
54   role_objectclass             => 'organizationalRole',
55   role_id_attribute            => 'cn',
56   role_name_attribute          => 'cn',
57   role_member_attribute        => 'roleOccupant',
58   role_allow_create            => 'True',
59   role_allow_update            => 'True',
60   role_allow_delete            => 'True',
61   identity_driver              => 'keystone.identity.backends.ldap.Identity',
62   assignment_driver            => 'keystone.assignment.backends.ldap.Assignment',
63   use_tls                      => 'True',
64   tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
65   tls_req_cert                 => 'demand',
66   use_pool                     => 'True',
67   use_auth_pool                => 'True',
68   pool_size                    => 5,
69   auth_pool_size               => 5,
70   pool_retry_max               => 3,
71   pool_connection_timeout      => 120,
72 }
Unnamed repository; edit this file 'description' to name the repository.