required ldap configs not explicitly defined in config.yaml

Bug #1832765 reported by Alex H
Affects: OpenStack Keystone LDAP integration
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

The keystone-ldap charm should explicitly specify necessary ldap configuration values which are currently being set as part of ldap-config-flags. This creates a template for proper configuration which can then be enforced by the charm, and also increases charm usability in the case of a user that might be less experienced with ldap configuration.

Certain required configs, such as user_filter, user name attribute, user id attribute, group tree dn, group name attribute, group id attribute definitely need to be explicitly set in config.yaml, though other frequently used values should be included as well, with a suggested list below:

query_scope: default to 'sub'
user_tree_dn: default to 'ou=users,dc=example,dc=com'
user_filter: default to '(memberof=cn=openstack_group,ou=groups,dc=example,dc=com)'
user_name_attributes: default to uid
user_id_attribute: default to uidNumber
user_objectclass: default to posixAccount
group_tree_dn: default to 'ou=groups,dc=example,dc=com'
group_objectclass: default to 'posixGroup'
group_id_attributes: default to 'gidNumber'
user_enabled_emulation | user_enabled_emulation_dn | user_enabled_attribute | user_enabled_flags | user_enabled_attribute_reverse (spelling on some of these unknown) should be something the charm handles consciously.

The full list of ldap config values can be found at https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

Tags: sts
Alex H (anonybodi)
summary: - required ldap configs not explcitily defined in config.yaml
+ required ldap configs not expicitly defined in config.yaml
Alex H (anonybodi)
summary: - required ldap configs not expicitly defined in config.yaml
+ required ldap configs not explicitly defined in config.yaml
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Thanks Alex, this would be a nice addition to the charm.

Changed in charm-keystone-ldap:
status: New → Triaged
importance: Undecided → Wishlist
Hemanth Nakkina (hemanth-n) wrote :

In addition to the above-mentioned configs, it would be good to have the LDAP connection timeout configurations explicitly defined as well:

- connection_timeout
- pool_connection_timeout (when ldap pools are used)

tags: added: sts
Changed in charm-keystone-ldap:
assignee: nobody → Hemanth Nakkina (hemanth-n)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-ldap (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748364

Changed in charm-keystone-ldap:
status: Triaged → In Progress
Changed in charm-keystone-ldap:
milestone: none → 20.10
Hemanth Nakkina (hemanth-n) wrote :

Code submitted for review https://review.opendev.org/748364

The default values for the new configuration parameters are made in sync with the upstream keystone ldap config option default values.

David Ames (thedac)
Changed in charm-keystone-ldap:
milestone: 20.10 → 21.01
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-ldap (master)

Reviewed: https://review.opendev.org/748364
Committed: https://opendev.org/openstack/charm-keystone-ldap/commit/65bb510b519f677ae03cc828100f545d476be667
Submitter: Zuul
Branch: master

commit 65bb510b519f677ae03cc828100f545d476be667
Author: Hemanth Nakkina <email address hidden>
Date: Thu Aug 27 12:20:22 2020 +0530

    Explicitly define ldap configurations

    Add new options to keystone-ldap charm to explicitly specify
    necessary ldap configuration values. The default values for
    the new configuration parameters introduced in this patch are
    empty so the default upstream keystone ldap config options are
    used when undeclared.

    If the same LDAP config options are specified in
    ldap-config-flags and the respective charm config
    option, then the value from the charm config option
    will be used.

    Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/458
    Change-Id: Ib269e74c7d313d9c6d09da29661dd279995dffe4
    Closes-Bug: #1832765

Changed in charm-keystone-ldap:
status: In Progress → Fix Committed
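As an added illustration (not code from charm-keystone-ldap), the following hypothetical merge shows the two points discussed on this page: the explicit option list suggested in the bug description and in Hemanth's comment, and the precedence rule stated in the commit message (an explicit charm option overrides the same key in ldap-config-flags, and an empty option is "undeclared", so keystone's upstream default applies). The key-boundary parsing rule, the function names and the sample flags string are assumptions made for this example.

```python
# Added example, not charm-keystone-ldap code. Function names and the
# parsing rule are hypothetical; the option names come from this bug page.

# Keys the charm would expose explicitly (bug description + timeout comment).
EXPLICIT_OPTIONS = (
    "query_scope", "user_tree_dn", "user_filter", "user_name_attribute",
    "user_id_attribute", "user_objectclass", "group_tree_dn",
    "group_objectclass", "group_id_attribute", "connection_timeout",
    "pool_connection_timeout",
)

# Constructed sample of a free-form ldap-config-flags value. Both the DN and
# the filter contain commas and '=' characters, which is exactly what makes
# a free-form string hard to validate and motivates explicit options.
SAMPLE_FLAGS = ("user_tree_dn=ou=users,dc=example,dc=com,"
               "user_filter=(memberof=cn=openstack_group,ou=groups,dc=example,dc=com),"
               "query_scope=sub")


def parse_config_flags(flags, known_keys=EXPLICIT_OPTIONS):
    """Parse 'key=value,key=value' into a dict (hypothetical rule).

    A fragment starts a new pair only when the text before its first '='
    is a known option key; any other fragment ('dc=example', 'ou=groups')
    is glued back onto the previous value with its comma restored.
    """
    result = {}
    current = None
    for fragment in flags.split(","):
        key, sep, value = fragment.partition("=")
        if sep and key.strip() in known_keys:
            current = key.strip()
            result[current] = value.strip()
        elif current is not None:
            result[current] += "," + fragment.strip()
        # a leading fragment with no recognised key is dropped
    return result


def render_ldap_options(charm_config, flags):
    """Return the [ldap] key/value pairs that keystone.conf should carry."""
    merged = parse_config_flags(flags)
    for key in EXPLICIT_OPTIONS:
        value = charm_config.get(key, "")
        if value != "":            # explicit charm option wins over the flags
            merged[key] = str(value)
    return merged                  # keys left absent fall back to keystone defaults


if __name__ == "__main__":
    for k, v in render_ldap_options({"user_tree_dn": "ou=people,dc=example,dc=com",
                                     "user_filter": "", "connection_timeout": 15},
                                    SAMPLE_FLAGS).items():
        print(f"{k} = {v}")
```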
Aurelien Lourot (aurelien-lourot) wrote :
Changed in charm-keystone-ldap:
status: Fix Committed → In Progress
assignee: Hemanth Nakkina (hemanth-n) → Aurelien Lourot (aurelien-lourot)
David Ames (thedac)
Changed in charm-keystone-ldap:
milestone: 21.01 → none
Changed in charm-keystone-ldap:
status: In Progress → Fix Released
milestone: none → 21.01
assignee: Aurelien Lourot (aurelien-lourot) → nobody