Add support for LDAP connection pools
LDAP connection pools allow for increased LDAP performance by
maintaining a connection pool. Documentation on configuration is
available here:

http://docs.openstack.org/developer/keystone/configuration.html

Change-Id: I6376e8ca5fffa7e04774fa1fa81709f7eaae3b4a
matthewfischer committed Feb 16, 2015
1 parent d4237bb commit dadf822
Showing 3 changed files with 56 additions and 2 deletions.
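--- a/examples/ldap_full.pp
+++ b/examples/ldap_full.pp
@@ -28,7 +28,7 @@
 user_allow_create => 'False',
 user_allow_update => 'False',
 user_allow_delete => 'False',
-user_enabled_emulation => 'True',
+user_enabled_emulation => 'True',
 user_enabled_emulation_dn => 'cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com',
 group_tree_dn => 'ou=groups,ou=openstack,dc=example,dc=com',
 group_objectclass => 'organizationalRole',
@@ -56,11 +56,17 @@
 role_name_attribute => 'cn',
 role_member_attribute => 'roleOccupant',
 role_allow_create => 'True',
-role_allow_update => 'True',
+role_allow_update => 'True',
 role_allow_delete => 'True',
 identity_driver => 'keystone.identity.backends.ldap.Identity',
 assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
 use_tls => 'True',
 tls_cacertfile => '/etc/ssl/certs/ca-certificates.crt',
 tls_req_cert => 'demand',
+use_pool => 'True',
+use_auth_pool => 'True',
+pool_size => 5,
+auth_pool_size => 5,
+pool_retry_max => 3,
+pool_connection_timeout => 120,
 }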
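--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -99,6 +99,15 @@
 $tls_req_cert = undef,
 $identity_driver = undef,
 $assignment_driver = undef,
+$use_pool = false,
+$pool_size = 10,
+$pool_retry_max = 3,
+$pool_retry_delay = 0.1,
+$pool_connection_timeout = -1,
+$pool_connection_lifetime = 600,
+$use_auth_pool = false,
+$auth_pool_size = 100,
+$auth_pool_connection_lifetime = 60,
 ) {
 
 # In Juno the term "tenant" was deprecated in the config in favor of "project"
@@ -373,6 +382,15 @@
 'ldap/tls_cacertdir': value => $tls_cacertdir;
 'ldap/tls_cacertfile': value => $tls_cacertfile;
 'ldap/tls_req_cert': value => $tls_req_cert;
+'ldap/use_pool': value => $use_pool;
+'ldap/pool_size': value => $pool_size;
+'ldap/pool_retry_max': value => $pool_retry_max;
+'ldap/pool_retry_delay': value => $pool_retry_delay;
+'ldap/pool_connection_timeout': value => $pool_connection_timeout;
+'ldap/pool_connection_lifetime': value => $pool_connection_lifetime;
+'ldap/use_auth_pool': value => $use_auth_pool;
+'ldap/auth_pool_size': value => $auth_pool_size;
+'ldap/auth_pool_connection_lifetime': value => $auth_pool_connection_lifetime;
 'identity/driver': value => $identity_driver;
 'assignment/driver': value => $assignment_driver;
 }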
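Review bot: The nine parameters added from `$use_pool = false` through `$auth_pool_connection_lifetime = 60` are undocumented: all 18 additions in this file are the defaults and the `ldap/*` config lines, so the class header (outside the hunk) is untouched. Each should get an entry in the header's existing parameter style, e.g. `# [*use_pool*]` followed by `#   (optional) Enable LDAP connection pooling. Defaults to false.`, and `pool_connection_timeout` in particular needs a sentence explaining what its default of -1 means, since the value is written straight into keystone.conf. The spec in this commit also expects `contain_package('python-ldappool')`, yet no package resource is added to this manifest, so either that package is already managed elsewhere in the module or the new spec expectation will fail. If the class validates its other boolean parameters, `$use_pool` and `$use_auth_pool` should get the same check, as they are passed through to the config unchanged.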
30 changes: 30 additions & 0 deletions spec/classes/keystone_ldap_spec.rb
Expand Up @@ -74,18 +74,29 @@
:tls_req_cert => 'demand',
:identity_driver => 'keystone.identity.backends.ldap.Identity',
:assignment_driver => 'keystone.assignment.backends.ldap.Assignment',
:use_pool => 'True',
:pool_size => 20,
:pool_retry_max => 2,
:pool_retry_delay => 0.2,
:pool_connection_timeout => 222,
:pool_connection_lifetime => 222,
:use_auth_pool => 'True',
:auth_pool_size => 20,
:auth_pool_connection_lifetime => 200,
}
end
it { should contain_package('python-ldap') }
it { should contain_package('python-ldappool') }
it 'should have basic params' do
# basic params
should contain_keystone_config('ldap/url').with_value('ldap://foo')
should contain_keystone_config('ldap/user').with_value('cn=foo,dc=example,dc=com')
should contain_keystone_config('ldap/password').with_value('abcdefg').with_secret(true)
should contain_keystone_config('ldap/suffix').with_value('dc=example,dc=com')
should contain_keystone_config('ldap/query_scope').with_value('sub')
should contain_keystone_config('ldap/page_size').with_value('50')

# users
should contain_keystone_config('ldap/user_tree_dn').with_value('cn=users,dc=example,dc=com')
should contain_keystone_config('ldap/user_filter').with_value('(memberOf=cn=openstack,cn=groups,cn=accounts,dc=example,dc=com)')
should contain_keystone_config('ldap/user_objectclass').with_value('inetUser')
Expand All @@ -107,6 +118,7 @@
should contain_keystone_config('ldap/user_enabled_emulation_dn').with_value('cn=openstack-enabled,cn=groups,cn=accounts,dc=example,dc=com')
should contain_keystone_config('ldap/user_additional_attribute_mapping').with_value('description:name, gecos:name')

# projects/tenants
should contain_keystone_config('ldap/project_tree_dn').with_value('ou=projects,ou=openstack,dc=example,dc=com')
should contain_keystone_config('ldap/project_filter').with_value('')
should contain_keystone_config('ldap/project_objectclass').with_value('organizationalUnit')
Expand All @@ -123,6 +135,8 @@
should contain_keystone_config('ldap/project_enabled_emulation').with_value('False')
should contain_keystone_config('ldap/project_enabled_emulation_dn').with_value('True')
should contain_keystone_config('ldap/project_additional_attribute_mapping').with_value('cn=enabled,ou=openstack,dc=example,dc=com')

# roles
should contain_keystone_config('ldap/role_tree_dn').with_value('ou=roles,ou=openstack,dc=example,dc=com')
should contain_keystone_config('ldap/role_filter').with_value('')
should contain_keystone_config('ldap/role_objectclass').with_value('organizationalRole')
Expand All @@ -135,6 +149,7 @@
should contain_keystone_config('ldap/role_allow_delete').with_value('True')
should contain_keystone_config('ldap/role_additional_attribute_mapping').with_value('')

# groups
should contain_keystone_config('ldap/group_tree_dn').with_value('ou=groups,ou=openstack,dc=example,dc=com')
should contain_keystone_config('ldap/group_filter').with_value('cn=enabled-groups,cn=groups,cn=accounts,dc=example,dc=com')
should contain_keystone_config('ldap/group_objectclass').with_value('organizationalRole')
Expand All @@ -147,10 +162,25 @@
should contain_keystone_config('ldap/group_allow_update').with_value('False')
should contain_keystone_config('ldap/group_allow_delete').with_value('False')
should contain_keystone_config('ldap/group_additional_attribute_mapping').with_value('')

# tls
should contain_keystone_config('ldap/use_tls').with_value('False')
should contain_keystone_config('ldap/tls_cacertdir').with_value('/etc/ssl/certs/')
should contain_keystone_config('ldap/tls_cacertfile').with_value('/etc/ssl/certs/ca-certificates.crt')
should contain_keystone_config('ldap/tls_req_cert').with_value('demand')

# ldap pooling
should contain_keystone_config('ldap/use_pool').with_value('True')
should contain_keystone_config('ldap/pool_size').with_value('20')
should contain_keystone_config('ldap/pool_retry_max').with_value('2')
should contain_keystone_config('ldap/pool_retry_delay').with_value('0.2')
should contain_keystone_config('ldap/pool_connection_timeout').with_value('222')
should contain_keystone_config('ldap/pool_connection_lifetime').with_value('222')
should contain_keystone_config('ldap/use_auth_pool').with_value('True')
should contain_keystone_config('ldap/auth_pool_size').with_value('20')
should contain_keystone_config('ldap/auth_pool_connection_lifetime').with_value('200')

# drivers
should contain_keystone_config('identity/driver').with_value('keystone.identity.backends.ldap.Identity')
should contain_keystone_config('assignment/driver').with_value('keystone.assignment.backends.ldap.Assignment')
end
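Review bot: The new expectations from `should contain_keystone_config('ldap/use_pool').with_value('True')` through `ldap/auth_pool_connection_lifetime` only exercise the case where every pool parameter is set explicitly in the `params` hash; nothing checks the default path, so a regression in the manifest defaults (`use_pool` false, `pool_connection_timeout` -1) would still pass this spec. A second context that omits the pool parameters and asserts, for instance, `should contain_keystone_config('ldap/pool_connection_timeout').with_value('-1')` and `should contain_keystone_config('ldap/use_pool').with_value(false)` would close that gap; the rendered form of a boolean default depends on how `keystone_config` stringifies values, so mirror whatever the existing `ldap/use_tls` expectation does. The `describe` block enclosing these examples starts outside the hunk.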

0 comments on commit dadf822

Please sign in to comment.