X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Fldap.pp;h=05428e971bdb3b28272032d6094b75936d15c991;hb=87423ba664cd5f2bb462ebadd08b1a90d0fe1c8d;hp=96ec8cd0a7a58f1c453dc902325fb3cdf6ac84cf;hpb=4631045ebb77ee8622f6fa09277a50c372bcc02e;p=mirror%2Fdsa-puppet.git
diff --git a/3rdparty/modules/keystone/manifests/ldap.pp b/3rdparty/modules/keystone/manifests/ldap.pp
index 96ec8cd0a..05428e971 100644
--- a/3rdparty/modules/keystone/manifests/ldap.pp
+++ b/3rdparty/modules/keystone/manifests/ldap.pp
@@ -1,6 +1,380 @@
+# == class: keystone::ldap
 #
 # Implements ldap configuration for keystone.
 #
+# === parameters:
+#
+# [*url*]
+# URL for connecting to the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*user*]
+# User BindDN to query the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*password*]
+# Password for the BindDN to query the LDAP server. (string value)
+# Defaults to 'undef'
+#
+# [*suffix*]
+# LDAP server suffix (string value)
+# Defaults to 'undef'
+#
+# [*query_scope*]
+# The LDAP scope for queries, this can be either "one"
+# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
+# Defaults to 'undef'
+#
+# [*page_size*]
+# Maximum results per page; a value of zero ("0") disables paging. (integer value)
+# Defaults to 'undef'
+#
+# [*user_tree_dn*]
+# Search base for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_filter*]
+# LDAP search filter for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_objectclass*]
+# LDAP objectclass for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_id_attribute*]
+# LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
+# Defaults to 'undef'
+#
+# [*user_name_attribute*]
+# LDAP attribute mapped to user name. (string value)
+# Defaults to 'undef'
+#
+# [*user_mail_attribute*]
+# LDAP attribute mapped to user email. (string value)
+#
+# [*user_enabled_attribute*]
+# LDAP attribute mapped to user enabled flag. (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_mask*]
+# Bitmask integer to indicate the bit that the enabled value is stored in if
+# the LDAP server represents "enabled" as a bit on an integer rather than a
+# boolean. A value of "0" indicates the mask is not used. If this is not set
+# to "0" the typical value is "2". This is typically used when
+# "user_enabled_attribute = userAccountControl". (integer value)
+# Defaults to 'undef'
+#
+# [*user_enabled_default*]
+# Default value to enable users. This should match an appropriate int value
+# if the LDAP server uses non-boolean (bitmask) values to indicate if a user
+# is enabled or disabled. If this is not set to "True" the typical value is
+# "512". This is typically used when "user_enabled_attribute =
+# userAccountControl". (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_invert*]
+# Invert the meaning of the boolean enabled values. Some LDAP servers use a
+# boolean lock attribute where "true" means an account is disabled. Setting
+# "user_enabled_invert = true" will allow these lock attributes to be used.
+# This setting will have no effect if "user_enabled_mask" or
+# "user_enabled_emulation" settings are in use. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_attribute_ignore*]
+# List of attributes stripped off the user on update. (list value)
+# Defaults to 'undef'
+#
+# [*user_default_project_id_attribute*]
+# LDAP attribute mapped to default_project_id for users. (string value)
+# Defaults to 'undef'
+#
+# [*user_allow_create*]
+# Allow user creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_allow_update*]
+# Allow user updates in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_allow_delete*]
+# Allow user deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_pass_attribute*]
+# LDAP attribute mapped to password. (string value)
+# Defaults to 'undef'
+#
+# [*user_enabled_emulation*]
+# If true, Keystone uses an alternative method to determine if
+# a user is enabled or not by checking if they are a member of
+# the "user_enabled_emulation_dn" group. (boolean value)
+# Defaults to 'undef'
+#
+# [*user_enabled_emulation_dn*]
+# DN of the group entry to hold enabled users when using enabled emulation.
+# (string value)
+# Defaults to 'undef'
+#
+# [*user_additional_attribute_mapping*]
+# List of additional LDAP attributes used for mapping
+# additional attribute mappings for users. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*project_tree_dn*]
+# Search base for projects (string value)
+# Defaults to 'undef'
+#
+# [*project_filter*]
+# LDAP search filter for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_objectclass*]
+# LDAP objectclass for projects. (string value)
+# Defaults to 'undef'
+#
+# [*project_id_attribute*]
+# LDAP attribute mapped to project id. (string value)
+# Defaults to 'undef'
+#
+# [*project_member_attribute*]
+# LDAP attribute mapped to project membership for user. (string value)
+# Defaults to 'undef'
+#
+# [*project_name_attribute*]
+# LDAP attribute mapped to project name. (string value)
+# Defaults to 'undef'
+#
+# [*project_desc_attribute*]
+# LDAP attribute mapped to project description. (string value)
+# Defaults to 'undef'
+#
+# [*project_enabled_attribute*]
+# LDAP attribute mapped to project enabled. (string value)
+# Defaults to 'undef'
+#
+# [*project_domain_id_attribute*]
+# LDAP attribute mapped to project domain_id. (string value)
+# Defaults to 'undef'
+#
+# [*project_attribute_ignore*]
+# List of attributes stripped off the project on update. (list value)
+# Defaults to 'undef'
+#
+# [*project_allow_create*]
+# Allow project creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_update*]
+# Allow project update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_allow_delete*]
+# Allow project deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation*]
+# If true, Keystone uses an alternative method to determine if
+# a project is enabled or not by checking if they are a member
+# of the "project_enabled_emulation_dn" group. (boolean value)
+# Defaults to 'undef'
+#
+# [*project_enabled_emulation_dn*]
+# DN of the group entry to hold enabled projects when using
+# enabled emulation. (string value)
+# Defaults to 'undef'
+#
+# [*project_additional_attribute_mapping*]
+# Additional attribute mappings for projects. Attribute
+# mapping format is :, where ldap_attr
+# is the attribute in the LDAP entry and user_attr is the
+# Identity API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*role_tree_dn*]
+# Search base for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_filter*]
+# LDAP search filter for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_objectclass*]
+# LDAP objectclass for roles. (string value)
+# Defaults to 'undef'
+#
+# [*role_id_attribute*]
+# LDAP attribute mapped to role id. (string value)
+# Defaults to 'undef'
+#
+# [*role_name_attribute*]
+# LDAP attribute mapped to role name. (string value)
+# Defaults to 'undef'
+#
+# [*role_member_attribute*]
+# LDAP attribute mapped to role membership. (string value)
+# Defaults to 'undef'
+#
+# [*role_attribute_ignore*]
+# List of attributes stripped off the role on update. (list value)
+# Defaults to 'undef'
+#
+# [*role_allow_create*]
+# Allow role creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_update*]
+# Allow role update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_allow_delete*]
+# Allow role deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*role_additional_attribute_mapping*]
+# Additional attribute mappings for roles. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*group_tree_dn*]
+# Search base for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_filter*]
+# LDAP search filter for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_objectclass*]
+# LDAP objectclass for groups. (string value)
+# Defaults to 'undef'
+#
+# [*group_id_attribute*]
+# LDAP attribute mapped to group id. (string value)
+# Defaults to 'undef'
+#
+# [*group_name_attribute*]
+# LDAP attribute mapped to group name. (string value)
+# Defaults to 'undef'
+#
+# [*group_member_attribute*]
+# LDAP attribute mapped to show group membership. (string value)
+# Defaults to 'undef'
+#
+# [*group_desc_attribute*]
+# LDAP attribute mapped to group description. (string value)
+# Defaults to 'undef'
+#
+# [*group_attribute_ignore*]
+# List of attributes stripped off the group on update. (list value)
+# Defaults to 'undef'
+#
+# [*group_allow_create*]
+# Allow group creation in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_update*]
+# Allow group update in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_allow_delete*]
+# Allow group deletion in LDAP backend. (boolean value)
+# Defaults to 'undef'
+#
+# [*group_additional_attribute_mapping*]
+# Additional attribute mappings for groups. Attribute mapping
+# format is :, where ldap_attr is the
+# attribute in the LDAP entry and user_attr is the Identity
+# API attribute. (list value)
+# Defaults to 'undef'
+#
+# [*use_tls*]
+# Enable TLS for communicating with LDAP servers. (boolean value)
+# Defaults to 'undef'
+#
+# [*tls_cacertfile*]
+# CA certificate file path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_cacertdir*]
+# CA certificate directory path for communicating with LDAP servers. (string value)
+# Defaults to 'undef'
+#
+# [*tls_req_cert*]
+# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Defaults to 'undef'
+#
+# [*identity_driver*]
+# Identity backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*credential_driver*]
+# Credential backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*assignment_driver*]
+# Assignment backend driver. (string value)
+# Defaults to 'undef'
+#
+# [*use_pool*]
+# Enable LDAP connection pooling. (boolean value)
+# Defaults to false
+#
+# [*pool_size*]
+# Connection pool size. (integer value)
+# Defaults to '10'
+#
+# [*pool_retry_max*]
+# Maximum count of reconnect trials. (integer value)
+# Defaults to '3'
+#
+# [*pool_retry_delay*]
+# Time span in seconds to wait between two reconnect trials. (floating point value)
+# Defaults to '0.1'
+#
+# [*pool_connection_timeout*]
+# Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
+# Defaults to '-1'
+#
+# [*pool_connection_lifetime*]
+# Connection lifetime in seconds. (integer value)
+# Defaults to '600'
+#
+# [*use_auth_pool*]
+# Enable LDAP connection pooling for end user authentication.
+# If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
+# Defaults to false
+#
+# [*auth_pool_size*]
+# End user auth connection pool size. (integer value)
+# Defaults to '100'
+#
+# [*auth_pool_connection_lifetime*]
+# End user auth connection lifetime in seconds. (integer value)
+# Defaults to '60'
+#
+# === DEPRECATED group/name
+#
+# [*tenant_tree_dn*]
+# [*tenant_filter*]
+# [*tenant_objectclass*]
+# [*tenant_id_attribute*]
+# [*tenant_member_attribute*]
+# [*tenant_name_attribute*]
+# [*tenant_desc_attribute*]
+# [*tenant_enabled_attribute*]
+# [*tenant_domain_id_attribute*]
+# [*tenant_attribute_ignore*]
+# [*tenant_allow_create*]
+# [*tenant_allow_update*]
+# [*tenant_enabled_emulation*]
+# [*tenant_enabled_emulation_dn*]
+# [*tenant_additional_attribute_mapping*]
+# [*tenant_allow_delete*]
+#
 # == Dependencies
 # == Examples
 # == Authors
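Review bot: The new `[*credential_driver*]` entry says only "Credential backend driver. (string value)", yet the manifest now rejects any value not matching the `keystone.credential.backends.*Credential` shape, so the header should state that contract, e.g. `# Credential backend driver; must be of the form 'keystone.credential.backends.*Credential'. (string value)`. The four `*_additional_attribute_mapping` entries read "Attribute mapping format is :, where ldap_attr …" — the placeholder names appear to have been lost (possibly by the web rendering, which strips angle brackets); if the source really reads `:,`, restore `<ldap_attr>:<user_attr>` there. `[*user_mail_attribute*]` is also the only entry without a `Defaults to` line; add `# Defaults to 'undef'` if that matches the parameter list further down, which is outside this hunk.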
@@ -99,6 +473,7 @@ class keystone::ldap(
 $tls_req_cert = undef,
 $identity_driver = undef,
 $assignment_driver = undef,
+ $credential_driver = undef,
 $use_pool = false,
 $pool_size = 10,
 $pool_retry_max = 3,
@@ -307,6 +682,12 @@ class keystone::ldap(
 }
 }
+ if ($credential_driver != undef) {
+ if ! ($credential_driver =~ /^keystone.credential.backends.*Credential$/) {
+ fail('credential driver should be of the form \'keystone.credential.backends.*Credential\'')
+ }
+ }
+
 if ($tls_cacertdir != undef) {
 file { $tls_cacertdir:
 ensure => directory
@@ -392,6 +773,7 @@ class keystone::ldap(
 'ldap/auth_pool_size': value => $auth_pool_size;
 'ldap/auth_pool_connection_lifetime': value => $auth_pool_connection_lifetime;
 'identity/driver': value => $identity_driver;
+ 'credential/driver': value => $credential_driver;
 'assignment/driver': value => $assignment_driver;
 }
 }
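Review bot: The validation added in the second hunk, `/^keystone.credential.backends.*Credential$/`, leaves the dots unescaped, so each `.` matches any character and the check is looser than the `fail` message promises; since the accepted string is written verbatim to `credential/driver` in keystone.conf (third hunk) and names the Python class Keystone will load, the pattern should be as tight as intended: `if ! ($credential_driver =~ /^keystone\.credential\.backends\..*Credential$/) {`. The existing `identity_driver` and `assignment_driver` checks are outside the hunk and presumably use the same loose form; if so, tighten them in the same change so the three driver parameters stay consistent. Note that the enclosing `class keystone::ldap` begins and ends outside all three hunks.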