Allow overloading of username and tenant name in the config files.

Includes documentation and sample config file values.

Bug 997700

Patchset adds DocImpact flag for notifying doc team about these new
config file values.

Change-Id: Ibd3fade3f233a3b89a1c2feaa0a6b5a9569ad86c

doc/source/configuration.rst

@@ -805,3 +805,16 @@ The corresponding entries in the Keystone configuration file are::
   suffix = dc=openstack,dc=org
   user = dc=Manager,dc=openstack,dc=org
   password = badpassword
+
+The default object classes and attributes are intentionally simplistic.  They
+reflect the common standard objects according to the LDAP RFCs.  However,
+in a live deployment,  the correct attributes can be overridden to support a
+preexisting, more complex schema.  For example,  in the user object,  the
+objectClass posixAccount from RFC2307 is very common.  If this is the
+underlying objectclass, then the *uid* field should probably be *uidNumber* and
+*username* field either *uid* or *cn*.  To change these two fields,  the
+corresponding entries in the Keystone configuration file are::
+
+  [ldap]
+  user_id_attribute = uidNumber
+  user_name_attribute = cn

etc/keystone.conf.sample

@@ -109,11 +109,13 @@
 # user_tree_dn = ou=Users,dc=example,dc=com
 # user_objectclass = inetOrgPerson
 # user_id_attribute = cn
+# user_name_attribute = sn
 
 # tenant_tree_dn = ou=Groups,dc=example,dc=com
 # tenant_objectclass = groupOfNames
 # tenant_id_attribute = cn
 # tenant_member_attribute = member
+# tenant_name_attribute = ou
 
 # role_tree_dn = ou=Roles,dc=example,dc=com
 # role_objectclass = organizationalRole

keystone/config.py

@@ -162,6 +162,8 @@ def register_cli_int(*args, **kw):
 register_str('password', group='ldap', default='freeipa4all')
 register_str('suffix', group='ldap', default='cn=example,cn=com')
 register_bool('use_dumb_member', group='ldap', default=False)
+register_str('user_name_attribute', group='ldap', default='sn')
+
 
 register_str('user_tree_dn', group='ldap', default=None)
 register_str('user_objectclass', group='ldap', default='inetOrgPerson')
@@ -171,7 +173,7 @@ def register_cli_int(*args, **kw):
 register_str('tenant_objectclass', group='ldap', default='groupOfNames')
 register_str('tenant_id_attribute', group='ldap', default='cn')
 register_str('tenant_member_attribute', group='ldap', default='member')
-
+register_str('tenant_name_attribute', group='ldap', default='ou')
 
 register_str('role_tree_dn', group='ldap', default=None)
 register_str('role_objectclass', group='ldap', default='organizationalRole')

keystone/identity/backends/ldap/core.py

@@ -337,6 +337,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
 
     def __init__(self, conf):
         super(UserApi, self).__init__(conf)
+        self.attribute_mapping['name'] = conf.ldap.user_name_attribute
         self.api = ApiShim(conf)
 
     def get(self, id, filter=None):
@@ -462,6 +463,7 @@ class TenantApi(common_ldap.BaseLdap, ApiShimMixin):
     def __init__(self, conf):
         super(TenantApi, self).__init__(conf)
         self.api = ApiShim(conf)
+        self.attribute_mapping['name'] = conf.ldap.tenant_name_attribute
         self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
                                  or self.DEFAULT_MEMBER_ATTRIBUTE)