LDAP backend

Bug #843098 reported by klmitch
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Unassigned |

Bug Description

So here comes the first implementation of the LDAP backend. The first 7 commits can be merged independently since they solve common problems and drawbacks.
The implementation has been tested over hardly modified nova's fakeldap. I will start real LDAP testing tomorrow (writing schema files right after breakfast).

I implemented only the user, tenant and role API modules since tokens in LDAP just make no sense, groups are going to be abandoned (I believe) and I'm not really sure about endpoints, but the DB seemed to be a better place for them.
There are plenty of places where one API does the work of another one, so I hardcoded references to the sqlalchemy backend in such places just before we clean backend API prototypes.

The backend passes all but 4 groups-related tests. To run them on your own, you have to add the backend to the config file:

    backends = keystone.backends.ldap,keystone.backends.sqlalchemy,keystone.backends.alterdb

    [keystone.backends.ldap]
    ldap_url = fake://ldap.db
    ldap_user = cn=Admin
    ldap_password = password

And after you do so, you can run the tests by hand (without the sweet run_tests.py script):

    python keystone/tests/unit/test_keystone.py

Don't forget to remove all databases (keystone.db, keystone.tokens.db, ldap.db) if you want a totally clean test run.

Looking forward to comments and rocks to my window.

klmitch (q-noreply) wrote :

Do we have a testing strategy to handle multiple keystone configurations?

klmitch (q-noreply) wrote :

Depends on what you mean by multiple configurations.
First, to proceed with unification of the backend API, we need to clear it out.
I'll post all problems found during backend creation to the openstack mailing list.

klmitch (q-noreply) wrote :

I had to go through some painful exercises to get python-ldap working on a Mac, so I added a blurb on that in the readme.

I was also not able to get all tests working with all model objects in LDAP (or with only some of them). However, I was able to CRUD tenants and users in LDAP. So... great start!!

No rocks. Windows intact :-)

klmitch (q-noreply) wrote :

Which tests exactly could you not pass?
I forgot to mention that one should remove UserRoleAssociation, Role, Tenant and User from backend_entities in the sqlalchemy backend config.
