File: ldap_backend.pp

# Database backend for keystone. The connection URL carries the DB
# credentials (user:password) in clear text; the values here are example
# placeholders. In a real deployment source the URL from Hiera/eyaml (or wrap
# it in Sensitive) rather than committing credentials to a manifest.
class { 'keystone::db':
  database_connection => 'mysql://keystone:keystone@127.0.0.1/keystone',
}

# Core keystone service. `debug => true` turns on verbose logging, which is
# useful while bringing up an LDAP integration but should not be left enabled
# in production (debug-level logs tend to carry more detail than needed).
class { 'keystone':
  debug               => true,
  enabled             => true,
  # helper for using domains
  # NOTE(review): the per-domain keystone::ldap_backend resources below are
  # presumably what require domain-specific config to be on — confirm.
  using_domain_config => true
}

# Ensure this matches what is in LDAP or keystone will try to recreate
# the admin user
# 'ChangeMe' is a placeholder; replace it with the real admin password from a
# secret store rather than a literal in the manifest.
class { 'keystone::bootstrap':
  password => 'ChangeMe',
}

# Second keystone domain; its title matches the keystone::ldap_backend
# resource below so that domain gets its own LDAP identity backend.
keystone_domain { 'domain_2': ensure => present }

# LDAP identity backend for the 'Default' domain.
#
# Security-relevant settings in this example:
#   - `user`/`password` are the bind credentials; 'SecretPass' is a placeholder
#     and belongs in a secret store, not in the manifest.
#   - `project_allow_*` and `role_allow_*` are 'True', so keystone writes to
#     the directory; the bind account then needs write rights on those
#     subtrees. If writes are not needed, set these to 'False' and use a
#     read-only bind account (least privilege).
#   - `use_tls => 'True'` with an `ldap://` URL presumably means StartTLS on
#     the plain port, and `tls_req_cert => 'demand'` requires the server
#     certificate to validate against `tls_cacertfile` — confirm both against
#     the LDAP server's configuration.
#   - `chase_referrals => 'False'` keeps the client from following referrals
#     to other servers.
#   - user/project "enabled" state is emulated through membership in the
#     `*_enabled_emulation_dn` groups rather than an attribute — presumably
#     those groups must exist in LDAP; verify.
keystone::ldap_backend { 'Default':
  url                          => 'ldap://ldap.example.com:389',
  user                         => 'uid=bind,cn=users,cn=accounts,dc=example,dc=com',
  password                     => 'SecretPass',
  suffix                       => 'dc=example,dc=com',
  query_scope                  => 'sub',
  user_tree_dn                 => 'cn=users,cn=accounts,dc=example,dc=com',
  user_id_attribute            => 'uid',
  user_name_attribute          => 'uid',
  user_mail_attribute          => 'mail',
  user_enabled_emulation       => 'True',
  user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
  group_tree_dn                => 'ou=groups,ou=openstack,dc=example,dc=com',
  group_objectclass            => 'organizationalRole',
  group_id_attribute           => 'cn',
  group_name_attribute         => 'cn',
  group_member_attribute       => 'RoleOccupant',
  group_desc_attribute         => 'description',
  project_tree_dn              => 'ou=projects,ou=openstack,dc=example,dc=com',
  project_objectclass          => 'organizationalUnit',
  project_id_attribute         => 'ou',
  project_member_attribute     => 'member',
  project_name_attribute       => 'ou',
  project_desc_attribute       => 'description',
  project_allow_create         => 'True',
  project_allow_update         => 'True',
  project_allow_delete         => 'True',
  project_enabled_emulation    => 'True',
  project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example,dc=com',
  role_tree_dn                 => 'ou=roles,ou=openstack,dc=example,dc=com',
  role_objectclass             => 'organizationalRole',
  role_id_attribute            => 'cn',
  role_name_attribute          => 'cn',
  role_member_attribute        => 'roleOccupant',
  role_allow_create            => 'True',
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
  chase_referrals              => 'False',
  # TLS: server cert is validated against the system CA bundle.
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
  # Connection pooling; pool_connection_timeout is presumably in seconds — verify.
  use_pool                     => 'True',
  use_auth_pool                => 'True',
  pool_size                    => 5,
  auth_pool_size               => 5,
  pool_retry_max               => 3,
  pool_connection_timeout      => 120,
}

# LDAP identity backend for the 'domain_2' domain (declared above with
# keystone_domain). It mirrors the 'Default' backend but points at a second
# directory (ldap.example_2.com, base dc=example_2,dc=com). The same notes
# apply: 'SecretPass' is a placeholder bind password, the allow_* flags grant
# keystone write access to the directory (scope the bind account accordingly),
# and TLS validation is enforced via tls_req_cert 'demand' and the CA bundle.
keystone::ldap_backend { 'domain_2':
  url                          => 'ldap://ldap.example_2.com:389',
  user                         => 'uid=bind,cn=users,cn=accounts,dc=example_2,dc=com',
  password                     => 'SecretPass',
  suffix                       => 'dc=example_2,dc=com',
  query_scope                  => 'sub',
  user_tree_dn                 => 'cn=users,cn=accounts,dc=example_2,dc=com',
  user_id_attribute            => 'uid',
  user_name_attribute          => 'uid',
  user_mail_attribute          => 'mail',
  user_enabled_emulation       => 'True',
  user_enabled_emulation_dn    => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example_2,dc=com',
  group_tree_dn                => 'ou=groups,ou=openstack,dc=example_2,dc=com',
  group_objectclass            => 'organizationalRole',
  group_id_attribute           => 'cn',
  group_name_attribute         => 'cn',
  group_member_attribute       => 'RoleOccupant',
  group_desc_attribute         => 'description',
  project_tree_dn              => 'ou=projects,ou=openstack,dc=example_2,dc=com',
  project_objectclass          => 'organizationalUnit',
  project_id_attribute         => 'ou',
  project_member_attribute     => 'member',
  project_name_attribute       => 'ou',
  project_desc_attribute       => 'description',
  project_allow_create         => 'True',
  project_allow_update         => 'True',
  project_allow_delete         => 'True',
  project_enabled_emulation    => 'True',
  project_enabled_emulation_dn => 'cn=enabled,ou=openstack,dc=example_2,dc=com',
  role_tree_dn                 => 'ou=roles,ou=openstack,dc=example_2,dc=com',
  role_objectclass             => 'organizationalRole',
  role_id_attribute            => 'cn',
  role_name_attribute          => 'cn',
  role_member_attribute        => 'roleOccupant',
  role_allow_create            => 'True',
  role_allow_update            => 'True',
  role_allow_delete            => 'True',
  identity_driver              => 'ldap',
  chase_referrals              => 'False',
  # TLS: server cert is validated against the system CA bundle.
  use_tls                      => 'True',
  tls_cacertfile               => '/etc/ssl/certs/ca-certificates.crt',
  tls_req_cert                 => 'demand',
  # Connection pooling; same sizes as the 'Default' backend.
  use_pool                     => 'True',
  use_auth_pool                => 'True',
  pool_size                    => 5,
  auth_pool_size               => 5,
  pool_retry_max               => 3,
  pool_connection_timeout      => 120,
}