diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index f765b767f4..917e865996 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -805,3 +805,16 @@ The corresponding entries in the Keystone configuration file are::
     suffix = dc=openstack,dc=org
     user = dc=Manager,dc=openstack,dc=org
     password = badpassword
+
+The default object classes and attributes are intentionally simplistic. They
+reflect the common standard objects according to the LDAP RFCs. However,
+in a live deployment, the correct attributes can be overridden to support a
+preexisting, more complex schema. For example, in the user object, the
+objectClass posixAccount from RFC2307 is very common. If this is the
+underlying objectclass, then the *uid* field should probably be *uidNumber* and
+*username* field either *uid* or *cn*. To change these two fields, the
+corresponding entries in the Keystone configuration file are::
+
+    [ldap]
+    user_id_attribute = uidNumber
+    user_name_attribute = cn
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index e98c22d125..3f37c713d1 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -109,11 +109,13 @@
 # user_tree_dn = ou=Users,dc=example,dc=com
 # user_objectclass = inetOrgPerson
 # user_id_attribute = cn
+# user_name_attribute = sn
 
 # tenant_tree_dn = ou=Groups,dc=example,dc=com
 # tenant_objectclass = groupOfNames
 # tenant_id_attribute = cn
 # tenant_member_attribute = member
+# tenant_name_attribute = ou
 
 # role_tree_dn = ou=Roles,dc=example,dc=com
 # role_objectclass = organizationalRole
diff --git a/keystone/config.py b/keystone/config.py
index 8954d36ba0..33f1e3bab1 100644
--- a/keystone/config.py
+++ b/keystone/config.py
@@ -162,6 +162,8 @@ def register_cli_int(*args, **kw):
 register_str('password', group='ldap', default='freeipa4all')
 register_str('suffix', group='ldap', default='cn=example,cn=com')
 register_bool('use_dumb_member', group='ldap', default=False)
+register_str('user_name_attribute', group='ldap', default='sn')
+
 
 register_str('user_tree_dn', group='ldap', default=None)
 register_str('user_objectclass', group='ldap', default='inetOrgPerson')
@@ -171,7 +173,7 @@ def register_cli_int(*args, **kw):
 register_str('tenant_objectclass', group='ldap', default='groupOfNames')
 register_str('tenant_id_attribute', group='ldap', default='cn')
 register_str('tenant_member_attribute', group='ldap', default='member')
-
+register_str('tenant_name_attribute', group='ldap', default='ou')
 
 register_str('role_tree_dn', group='ldap', default=None)
 register_str('role_objectclass', group='ldap', default='organizationalRole')
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 166f7f586b..25aaebaea1 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -337,6 +337,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
 
     def __init__(self, conf):
         super(UserApi, self).__init__(conf)
+        self.attribute_mapping['name'] = conf.ldap.user_name_attribute
         self.api = ApiShim(conf)
 
     def get(self, id, filter=None):
@@ -462,6 +463,7 @@ class TenantApi(common_ldap.BaseLdap, ApiShimMixin):
     def __init__(self, conf):
         super(TenantApi, self).__init__(conf)
         self.api = ApiShim(conf)
+        self.attribute_mapping['name'] = conf.ldap.tenant_name_attribute
         self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
                                  or self.DEFAULT_MEMBER_ATTRIBUTE)
 
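Review bot: `register_str('user_name_attribute', group='ldap', default='sn')` is inserted between `use_dumb_member` and the `user_tree_dn`/`user_objectclass` lines with an extra blank line after it, so the new option sits apart from the `user_*` group it belongs to, while the second hunk places `tenant_name_attribute` inside the `tenant_*` group and the sample config lists the option directly after `user_id_attribute`. Moving the registration below the remaining `user_*` entries (which lie outside this hunk) and dropping the added blank line keeps the three places consistent. The default `'sn'` is a surname attribute, which in most directories is not unique per entry; if the 'name' mapping ends up backing name-based user lookup, which this hunk does not show, a comment such as `# default name attribute; deployments should point this at a unique attribute (uid/cn)` would record that caveat next to the default.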
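Review bot: `self.attribute_mapping['name'] = conf.ldap.user_name_attribute` assumes that `BaseLdap.__init__` has already populated `attribute_mapping` and derives nothing from the 'name' entry inside its own constructor; neither is visible in the hunk, so the override deserves a comment such as `# remap the 'name' field to the configured LDAP attribute after BaseLdap sets its defaults`. Unlike `member_attribute` in the TenantApi hunk, which falls back to `self.DEFAULT_MEMBER_ATTRIBUTE`, there is no guard when the option is set but empty, which would map 'name' to `''`; wrapping the assignment in `if conf.ldap.user_name_attribute:` would mirror that pattern. The TenantApi hunk has the same gap for `tenant_name_attribute` and additionally places the override after `self.api = ApiShim(conf)` rather than before it as here; one ordering should be used in both constructors.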