#
# Implements ldap configuration for keystone.
#
# Manages the [ldap] section of keystone.conf (connection and bind settings,
# user/project/role/group tree mapping, TLS, connection pooling) and the
# identity/assignment driver selection, via the keystone_config type.
#
# == Dependencies
#
#   The keystone_config type shipped with this module. The class installs the
#   python-ldap and python-ldappool packages that keystone's LDAP backend uses.
#
# == Security notes
#
#   $password is the LDAP bind credential for $user. It is written with
#   secret => true so it is not echoed in agent reports, but it still ends up
#   on disk in keystone.conf. Use an ldaps:// url or enable use_tls (StartTLS),
#   point tls_cacertfile / tls_cacertdir at the CA, and keep tls_req_cert at a
#   value that verifies the server certificate (see the keystone [ldap]
#   documentation for the accepted values); otherwise the bind password and
#   every authenticating user's password cross the network in clear text and
#   the directory server is never authenticated.
#
# == Examples
#
#   class { 'keystone::ldap':
#     url            => 'ldaps://ldap.example.com',
#     user           => 'cn=keystone,ou=services,dc=example,dc=com',
#     password       => $keystone_ldap_bind_password,
#     suffix         => 'dc=example,dc=com',
#     tls_cacertfile => '/etc/ssl/certs/example-ca.pem',
#   }
#
# == Authors
#
#   Dan Bode dan@puppetlabs.com
#   Matt Fischer matt.fischer@twcable.com
#
# == Copyright
#
# Copyright 2012 Puppetlabs Inc, unless otherwise noted.
#
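class keystone::ldap(
  # --- connection / bind -------------------------------------------------
  # $url: ldap:// or ldaps:// URL of the directory. $user/$password are the
  # bind DN and its password. $password is written to keystone.conf with
  # secret => true (kept out of agent reports) but still lives on disk there.
  $url                                 = undef,
  $user                                = undef,
  $password                            = undef,
  $suffix                              = undef,
  $query_scope                         = undef,
  $page_size                           = undef,
  # --- user tree ---------------------------------------------------------
  $user_tree_dn                        = undef,
  $user_filter                         = undef,
  $user_objectclass                    = undef,
  $user_id_attribute                   = undef,
  $user_name_attribute                 = undef,
  $user_mail_attribute                 = undef,
  $user_enabled_attribute              = undef,
  $user_enabled_mask                   = undef,
  $user_enabled_default                = undef,
  $user_enabled_invert                 = undef,
  $user_attribute_ignore               = undef,
  $user_default_project_id_attribute   = undef,
  $user_allow_create                   = undef,
  $user_allow_update                   = undef,
  $user_allow_delete                   = undef,
  $user_pass_attribute                 = undef,
  $user_enabled_emulation              = undef,
  $user_enabled_emulation_dn           = undef,
  $user_additional_attribute_mapping   = undef,
  # --- project tree (tenant_* names are the pre-Juno spelling) -----------
  $tenant_tree_dn                      = undef,   #DEPRECATED
  $project_tree_dn                     = undef,
  $tenant_filter                       = undef,   #DEPRECATED
  $project_filter                      = undef,
  $tenant_objectclass                  = undef,   #DEPRECATED
  $project_objectclass                 = undef,
  $tenant_id_attribute                 = undef,   #DEPRECATED
  $project_id_attribute                = undef,
  $tenant_member_attribute             = undef,   #DEPRECATED
  $project_member_attribute            = undef,
  $tenant_desc_attribute               = undef,   #DEPRECATED
  $project_desc_attribute              = undef,
  $tenant_name_attribute               = undef,   #DEPRECATED
  $project_name_attribute              = undef,
  $tenant_enabled_attribute            = undef,   #DEPRECATED
  $project_enabled_attribute           = undef,
  $tenant_domain_id_attribute          = undef,   #DEPRECATED
  $project_domain_id_attribute         = undef,
  $tenant_attribute_ignore             = undef,   #DEPRECATED
  $project_attribute_ignore            = undef,
  $tenant_allow_create                 = undef,   #DEPRECATED
  $project_allow_create                = undef,
  $tenant_allow_update                 = undef,   #DEPRECATED
  $project_allow_update                = undef,
  $tenant_allow_delete                 = undef,   #DEPRECATED
  $project_allow_delete                = undef,
  $tenant_enabled_emulation            = undef,   #DEPRECATED
  $project_enabled_emulation           = undef,
  $tenant_enabled_emulation_dn         = undef,   #DEPRECATED
  $project_enabled_emulation_dn        = undef,
  $tenant_additional_attribute_mapping = undef,   #DEPRECATED
  $project_additional_attribute_mapping = undef,
  # --- role tree ---------------------------------------------------------
  $role_tree_dn                        = undef,
  $role_filter                         = undef,
  $role_objectclass                    = undef,
  $role_id_attribute                   = undef,
  $role_name_attribute                 = undef,
  $role_member_attribute               = undef,
  $role_attribute_ignore               = undef,
  $role_allow_create                   = undef,
  $role_allow_update                   = undef,
  $role_allow_delete                   = undef,
  $role_additional_attribute_mapping   = undef,
  # --- group tree --------------------------------------------------------
  $group_tree_dn                       = undef,
  $group_filter                        = undef,
  $group_objectclass                   = undef,
  $group_id_attribute                  = undef,
  $group_name_attribute                = undef,
  $group_member_attribute              = undef,
  $group_desc_attribute                = undef,
  $group_attribute_ignore              = undef,
  $group_allow_create                  = undef,
  $group_allow_update                  = undef,
  $group_allow_delete                  = undef,
  $group_additional_attribute_mapping  = undef,
  # --- transport security ------------------------------------------------
  # $use_tls enables StartTLS on a plain ldap:// url. $tls_cacertdir /
  # $tls_cacertfile name the CA used to verify the server; $tls_req_cert
  # controls how strictly that verification is applied (keep it at a value
  # that verifies the certificate in production -- see the keystone docs for
  # the accepted values).
  $use_tls                             = undef,
  $tls_cacertdir                       = undef,
  $tls_cacertfile                      = undef,
  $tls_req_cert                        = undef,
  # --- drivers -----------------------------------------------------------
  $identity_driver                     = undef,
  $assignment_driver                   = undef,
  # --- connection pooling ------------------------------------------------
  $use_pool                            = false,
  $pool_size                           = 10,
  $pool_retry_max                      = 3,
  $pool_retry_delay                    = 0.1,
  $pool_connection_timeout             = -1,
  $pool_connection_lifetime            = 600,
  $use_auth_pool                       = false,
  $auth_pool_size                      = 100,
  $auth_pool_connection_lifetime       = 60,
) {

  # In Juno the term "tenant" was deprecated in the config in favor of "project".
  # Each deprecated tenant_* parameter is folded into its project_* counterpart
  # (with a warning). Setting both is a hard failure: keystone would otherwise
  # be handed two conflicting sources for the same [ldap] option.
  if ($tenant_tree_dn) {
    warning('tenant_tree_dn is deprecated in Juno. switch to project_tree_dn')
    if ($project_tree_dn) {
      fail('tenant_tree_dn and project_tree_dn are both set. results may be unexpected')
    }
    $project_tree_dn_real = $tenant_tree_dn
  } else {
    $project_tree_dn_real = $project_tree_dn
  }

  if ($tenant_filter) {
    warning('tenant_filter is deprecated in Juno. switch to project_filter')
    if ($project_filter) {
      fail('tenant_filter and project_filter are both set. results may be unexpected')
    }
    $project_filter_real = $tenant_filter
  } else {
    $project_filter_real = $project_filter
  }

  if ($tenant_objectclass) {
    warning('tenant_objectclass is deprecated in Juno. switch to project_objectclass')
    if ($project_objectclass) {
      fail('tenant_objectclass and project_objectclass are both set. results may be unexpected')
    }
    $project_objectclass_real = $tenant_objectclass
  } else {
    $project_objectclass_real = $project_objectclass
  }

  if ($tenant_id_attribute) {
    warning('tenant_id_attribute is deprecated in Juno. switch to project_id_attribute')
    if ($project_id_attribute) {
      fail('tenant_id_attribute and project_id_attribute are both set. results may be unexpected')
    }
    $project_id_attribute_real = $tenant_id_attribute
  } else {
    $project_id_attribute_real = $project_id_attribute
  }

  if ($tenant_member_attribute) {
    warning('tenant_member_attribute is deprecated in Juno. switch to project_member_attribute')
    if ($project_member_attribute) {
      fail('tenant_member_attribute and project_member_attribute are both set. results may be unexpected')
    }
    $project_member_attribute_real = $tenant_member_attribute
  } else {
    $project_member_attribute_real = $project_member_attribute
  }

  if ($tenant_desc_attribute) {
    warning('tenant_desc_attribute is deprecated in Juno. switch to project_desc_attribute')
    if ($project_desc_attribute) {
      fail('tenant_desc_attribute and project_desc_attribute are both set. results may be unexpected')
    }
    $project_desc_attribute_real = $tenant_desc_attribute
  } else {
    $project_desc_attribute_real = $project_desc_attribute
  }

  if ($tenant_name_attribute) {
    warning('tenant_name_attribute is deprecated in Juno. switch to project_name_attribute')
    if ($project_name_attribute) {
      fail('tenant_name_attribute and project_name_attribute are both set. results may be unexpected')
    }
    $project_name_attribute_real = $tenant_name_attribute
  } else {
    $project_name_attribute_real = $project_name_attribute
  }

  if ($tenant_enabled_attribute) {
    warning('tenant_enabled_attribute is deprecated in Juno. switch to project_enabled_attribute')
    if ($project_enabled_attribute) {
      fail('tenant_enabled_attribute and project_enabled_attribute are both set. results may be unexpected')
    }
    $project_enabled_attribute_real = $tenant_enabled_attribute
  } else {
    $project_enabled_attribute_real = $project_enabled_attribute
  }

  if ($tenant_attribute_ignore) {
    warning('tenant_attribute_ignore is deprecated in Juno. switch to project_attribute_ignore')
    if ($project_attribute_ignore) {
      fail('tenant_attribute_ignore and project_attribute_ignore are both set. results may be unexpected')
    }
    $project_attribute_ignore_real = $tenant_attribute_ignore
  } else {
    $project_attribute_ignore_real = $project_attribute_ignore
  }

  if ($tenant_domain_id_attribute) {
    warning('tenant_domain_id_attribute is deprecated in Juno. switch to project_domain_id_attribute')
    if ($project_domain_id_attribute) {
      fail('tenant_domain_id_attribute and project_domain_id_attribute are both set. results may be unexpected')
    }
    $project_domain_id_attribute_real = $tenant_domain_id_attribute
  } else {
    $project_domain_id_attribute_real = $project_domain_id_attribute
  }

  if ($tenant_allow_create) {
    warning('tenant_allow_create is deprecated in Juno. switch to project_allow_create')
    if ($project_allow_create) {
      fail('tenant_allow_create and project_allow_create are both set. results may be unexpected')
    }
    $project_allow_create_real = $tenant_allow_create
  } else {
    $project_allow_create_real = $project_allow_create
  }

  if ($tenant_allow_update) {
    warning('tenant_allow_update is deprecated in Juno. switch to project_allow_update')
    if ($project_allow_update) {
      fail('tenant_allow_update and project_allow_update are both set. results may be unexpected')
    }
    $project_allow_update_real = $tenant_allow_update
  } else {
    $project_allow_update_real = $project_allow_update
  }

  if ($tenant_allow_delete) {
    warning('tenant_allow_delete is deprecated in Juno. switch to project_allow_delete')
    if ($project_allow_delete) {
      fail('tenant_allow_delete and project_allow_delete are both set. results may be unexpected')
    }
    $project_allow_delete_real = $tenant_allow_delete
  } else {
    $project_allow_delete_real = $project_allow_delete
  }

  if ($tenant_enabled_emulation) {
    warning('tenant_enabled_emulation is deprecated in Juno. switch to project_enabled_emulation')
    if ($project_enabled_emulation) {
      fail('tenant_enabled_emulation and project_enabled_emulation are both set. results may be unexpected')
    }
    $project_enabled_emulation_real = $tenant_enabled_emulation
  } else {
    $project_enabled_emulation_real = $project_enabled_emulation
  }

  if ($tenant_enabled_emulation_dn) {
    warning('tenant_enabled_emulation_dn is deprecated in Juno. switch to project_enabled_emulation_dn')
    if ($project_enabled_emulation_dn) {
      fail('tenant_enabled_emulation_dn and project_enabled_emulation_dn are both set. results may be unexpected')
    }
    $project_enabled_emulation_dn_real = $tenant_enabled_emulation_dn
  } else {
    $project_enabled_emulation_dn_real = $project_enabled_emulation_dn
  }

  if ($tenant_additional_attribute_mapping) {
    warning('tenant_additional_attribute_mapping is deprecated in Juno. switch to project_additional_attribute_mapping')
    if ($project_additional_attribute_mapping) {
      fail('tenant_additional_attribute_mapping and project_additional_attribute_mapping are both set. results may be unexpected')
    }
    $project_additional_attribute_mapping_real = $tenant_additional_attribute_mapping
  } else {
    $project_additional_attribute_mapping_real = $project_additional_attribute_mapping
  }

  # python-ldap is what keystone's LDAP backend talks to the directory with;
  # python-ldappool backs the use_pool / use_auth_pool options below.
  $ldap_packages = ['python-ldap', 'python-ldappool']
  package { $ldap_packages:
    ensure => present,
  }

  # Catch common driver name mistakes before they reach keystone.conf. The
  # dots are escaped so only a real 'keystone.<service>.backends.<...>' dotted
  # path is accepted; the original pattern let '.' match any character.
  if ($assignment_driver != undef) {
    if ! ($assignment_driver =~ /^keystone\.assignment\.backends\..*Assignment$/) {
      fail('assignment driver should be of the form \'keystone.assignment.backends.*Assignment\'')
    }
  }

  if ($identity_driver != undef) {
    if ! ($identity_driver =~ /^keystone\.identity\.backends\..*Identity$/) {
      fail('identity driver should be of the form \'keystone.identity.backends.*Identity\'')
    }
  }

  # Transport security check. A plain ldap:// url with StartTLS (use_tls) off
  # means the bind password and every authenticating user's password are sent
  # in clear text, and the server is never authenticated. This is a warning
  # rather than a fail so an existing deployment keeps converging, but the
  # exposure is now visible in the agent log. "${use_tls}" normalises a
  # boolean true and the strings 'true'/'True' to the same comparison.
  if ($url != undef) and ($url =~ /^ldap:\/\//) and ("${use_tls}" != 'true') {
    warning('keystone::ldap: url is plain ldap:// and use_tls is not enabled; LDAP bind and user credentials will cross the network unencrypted')
  }

  # Make sure the CA directory keystone is told to trust actually exists, so
  # a typo here surfaces as a missing directory rather than a silent TLS
  # failure at bind time.
  if ($tls_cacertdir != undef) {
    file { $tls_cacertdir:
      ensure => directory,
    }
  }

  # Every option is passed through as given; an undef value leaves the
  # keystone.conf key unmanaged. The bind password is the only value marked
  # secret, which keeps it out of agent reports and change logs.
  keystone_config {
    'ldap/url':                                  value => $url;
    'ldap/user':                                 value => $user;
    'ldap/password':                             value => $password, secret => true;
    'ldap/suffix':                               value => $suffix;
    'ldap/query_scope':                          value => $query_scope;
    'ldap/page_size':                            value => $page_size;
    'ldap/user_tree_dn':                         value => $user_tree_dn;
    'ldap/user_filter':                          value => $user_filter;
    'ldap/user_objectclass':                     value => $user_objectclass;
    'ldap/user_id_attribute':                    value => $user_id_attribute;
    'ldap/user_name_attribute':                  value => $user_name_attribute;
    'ldap/user_mail_attribute':                  value => $user_mail_attribute;
    'ldap/user_enabled_attribute':               value => $user_enabled_attribute;
    'ldap/user_enabled_mask':                    value => $user_enabled_mask;
    'ldap/user_enabled_default':                 value => $user_enabled_default;
    'ldap/user_enabled_invert':                  value => $user_enabled_invert;
    'ldap/user_attribute_ignore':                value => $user_attribute_ignore;
    'ldap/user_default_project_id_attribute':    value => $user_default_project_id_attribute;
    'ldap/user_allow_create':                    value => $user_allow_create;
    'ldap/user_allow_update':                    value => $user_allow_update;
    'ldap/user_allow_delete':                    value => $user_allow_delete;
    'ldap/user_pass_attribute':                  value => $user_pass_attribute;
    'ldap/user_enabled_emulation':               value => $user_enabled_emulation;
    'ldap/user_enabled_emulation_dn':            value => $user_enabled_emulation_dn;
    'ldap/user_additional_attribute_mapping':    value => $user_additional_attribute_mapping;
    'ldap/project_tree_dn':                      value => $project_tree_dn_real;
    'ldap/project_filter':                       value => $project_filter_real;
    'ldap/project_objectclass':                  value => $project_objectclass_real;
    'ldap/project_id_attribute':                 value => $project_id_attribute_real;
    'ldap/project_member_attribute':             value => $project_member_attribute_real;
    'ldap/project_desc_attribute':               value => $project_desc_attribute_real;
    'ldap/project_name_attribute':               value => $project_name_attribute_real;
    'ldap/project_enabled_attribute':            value => $project_enabled_attribute_real;
    'ldap/project_attribute_ignore':             value => $project_attribute_ignore_real;
    'ldap/project_domain_id_attribute':          value => $project_domain_id_attribute_real;
    'ldap/project_allow_create':                 value => $project_allow_create_real;
    'ldap/project_allow_update':                 value => $project_allow_update_real;
    'ldap/project_allow_delete':                 value => $project_allow_delete_real;
    'ldap/project_enabled_emulation':            value => $project_enabled_emulation_real;
    'ldap/project_enabled_emulation_dn':         value => $project_enabled_emulation_dn_real;
    'ldap/project_additional_attribute_mapping': value => $project_additional_attribute_mapping_real;
    'ldap/role_tree_dn':                         value => $role_tree_dn;
    'ldap/role_filter':                          value => $role_filter;
    'ldap/role_objectclass':                     value => $role_objectclass;
    'ldap/role_id_attribute':                    value => $role_id_attribute;
    'ldap/role_name_attribute':                  value => $role_name_attribute;
    'ldap/role_member_attribute':                value => $role_member_attribute;
    'ldap/role_attribute_ignore':                value => $role_attribute_ignore;
    'ldap/role_allow_create':                    value => $role_allow_create;
    'ldap/role_allow_update':                    value => $role_allow_update;
    'ldap/role_allow_delete':                    value => $role_allow_delete;
    'ldap/role_additional_attribute_mapping':    value => $role_additional_attribute_mapping;
    'ldap/group_tree_dn':                        value => $group_tree_dn;
    'ldap/group_filter':                         value => $group_filter;
    'ldap/group_objectclass':                    value => $group_objectclass;
    'ldap/group_id_attribute':                   value => $group_id_attribute;
    'ldap/group_name_attribute':                 value => $group_name_attribute;
    'ldap/group_member_attribute':               value => $group_member_attribute;
    'ldap/group_desc_attribute':                 value => $group_desc_attribute;
    'ldap/group_attribute_ignore':               value => $group_attribute_ignore;
    'ldap/group_allow_create':                   value => $group_allow_create;
    'ldap/group_allow_update':                   value => $group_allow_update;
    'ldap/group_allow_delete':                   value => $group_allow_delete;
    'ldap/group_additional_attribute_mapping':   value => $group_additional_attribute_mapping;
    'ldap/use_tls':                              value => $use_tls;
    'ldap/tls_cacertdir':                        value => $tls_cacertdir;
    'ldap/tls_cacertfile':                       value => $tls_cacertfile;
    'ldap/tls_req_cert':                         value => $tls_req_cert;
    'ldap/use_pool':                             value => $use_pool;
    'ldap/pool_size':                            value => $pool_size;
    'ldap/pool_retry_max':                       value => $pool_retry_max;
    'ldap/pool_retry_delay':                     value => $pool_retry_delay;
    'ldap/pool_connection_timeout':              value => $pool_connection_timeout;
    'ldap/pool_connection_lifetime':             value => $pool_connection_lifetime;
    'ldap/use_auth_pool':                        value => $use_auth_pool;
    'ldap/auth_pool_size':                       value => $auth_pool_size;
    'ldap/auth_pool_connection_lifetime':        value => $auth_pool_connection_lifetime;
    'identity/driver':                           value => $identity_driver;
    'assignment/driver':                         value => $assignment_driver;
  }
}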