OpenStack Keystone LDAP integration

required ldap configs not explicitly defined in config.yaml

Bug #1832765 reported by Alex H on 2019-06-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Keystone LDAP integration	Fix Released	Wishlist	Unassigned	OpenStack Keystone LDAP integration 21.01

Bug Description

The keystone-ldap charm should explicitly specify necessary ldap configuration values which are currently being set as part of ldap-config-flags. This creates a template for proper configuration which can then be enforced by the charm, and also increases charm usability in the case of a user that might be less experienced with ldap configuration.

Certain required configs, such as user_filter, user name attribute, user id attribute, group tree dn, group name attribute, group id attribute definitely need to be explicitly set in config.yaml, though other frequently used values should be included as well, with a suggested list below:

query_scope - default to 'sub'
user_tree_dn: default to 'ou=users,dc=example,dc=com'
user_filter: default to '(memberof=cn=openstack_group,ou=groups,dc=example,dc=com)'
user_name_attributes: default to uid
user_id_attribute: default to uidNumber
user_objectclass: default to posixAccount
group_tree_dn: default to 'ou=groups,dc=example,dc=com'
group_objectclass: default to 'posixGroup'
group_id_attributes: default to 'gidNumber'
user_enabled_emulation | user_enabled_emulation_dn | user_enabled_attribute | user_enabled_flags | user_enabled_attribute_reverse (spelling on some of these unknown) should be something the charm handles consciously.

The full list of ldap config values can be found at https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html

Tags:

Alex H (anonybodi) on 2019-06-13

summary:

- required ldap configs not explcitily defined in config.yaml
+ required ldap configs not expicitly defined in config.yaml

Alex H (anonybodi) on 2019-06-13

summary:

- required ldap configs not expicitly defined in config.yaml
+ required ldap configs not explicitly defined in config.yaml

Revision history for this message

Corey Bryant (corey.bryant) wrote on 2019-06-21:

Thanks Alex, this would be a nice addition to the charm.

Changed in charm-keystone-ldap:
status:	New → Triaged
importance:	Undecided → Wishlist

Revision history for this message

Hemanth Nakkina (hemanth-n) wrote on 2020-07-06:

In addition to the above mentioned configs, it is good to have LDAP connection timeout configurations to be explicitly defined.

- connection_timeout
- pool_connection_timeout (when ldap pools are used)

Janghoon-Paul Sim (janghoon) on 2020-08-13

tags:

added: sts

Hemanth Nakkina (hemanth-n) on 2020-08-27

Changed in charm-keystone-ldap:
assignee:	nobody → Hemanth Nakkina (hemanth-n)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-27: Fix proposed to charm-keystone-ldap (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748364

Changed in charm-keystone-ldap:
status:	Triaged → In Progress

Edward Hope-Morley (hopem) on 2020-09-18

Changed in charm-keystone-ldap:
milestone:	none → 20.10

Revision history for this message

Hemanth Nakkina (hemanth-n) wrote on 2020-09-30:

Code submitted for review https://review.opendev.org/748364

The default values for the new configuration parameters are made in sync with the upstream keystone ldap config option default values.

David Ames (thedac) on 2020-11-03

Changed in charm-keystone-ldap:
milestone:	20.10 → 21.01

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-19: Fix merged to charm-keystone-ldap (master)

Reviewed: https://review.opendev.org/748364
Committed: https://opendev.org/openstack/charm-keystone-ldap/commit/65bb510b519f677ae03cc828100f545d476be667
Submitter: Zuul
Branch: master

commit 65bb510b519f677ae03cc828100f545d476be667
Author: Hemanth Nakkina <email address hidden>
Date: Thu Aug 27 12:20:22 2020 +0530

Explicitly define ldap configurations

    Add new options to keystone-ldap charm to explicitly specify
    necessary ldap configuration values. The default values for
    the new configuration parameters introduced in this patch are
    empty so the default upstream keystone ldap config options are
    used when undeclared.

    If the same LDAP config options are specified in
    ldap-config-flags and the respective charm config
    option, then the value from the charm config option
    will be used.

    Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/458
    Change-Id: Ib269e74c7d313d9c6d09da29661dd279995dffe4
    Closes-Bug: #1832765

Changed in charm-keystone-ldap:
status:	In Progress → Fix Committed

Revision history for this message

Aurelien Lourot (aurelien-lourot) wrote on 2020-11-20:

This needs some small re-working, see discussions in:
https://review.opendev.org/#/c/763541/
https://github.com/openstack-charmers/zaza-openstack-tests/pull/458

Changed in charm-keystone-ldap:
status:	Fix Committed → In Progress
assignee:	Hemanth Nakkina (hemanth-n) → Aurelien Lourot (aurelien-lourot)

David Ames (thedac) on 2021-02-10

Changed in charm-keystone-ldap:
milestone:	21.01 → none

Aurelien Lourot (aurelien-lourot) on 2021-02-17

Changed in charm-keystone-ldap:
status:	In Progress → Fix Released
milestone:	none → 21.01
assignee:	Aurelien Lourot (aurelien-lourot) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.