#47689 Add Schema to Provide Enabled Status for Keystone LDAP Driver
Closed: wontfix. Opened 10 years ago by chudson.

Requesting an enhancement to include schema for Keystone LDAP Driver. Something like:

Schema entry:

objectClasses: ( openstack-oid NAME 'openstack' DESC * SUP top STRUCTURAL MUST rhosUserEnabled X-ORIGIN 'user defined' )
attributeTypes: ( rhosUserEnabled-oid NAME 'rhosUserEnabled' DESC 'OpenStack User' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN 'user defined' )


With this schema, keystone can observe the openstack objectclass and rhosUserEnabled attribute via the following in keystone.conf:

user_objectclass = openstack
user_enabled_attribute = rhosUserEnabled

The alternative is to use the emulation options provided by keystone; however, this helps to ease the administrative overhead.

Example:

Admin user:

[root@rhos4 ~]# ldapsearch -xLLL -D cn='Directory Manager' -w redhat12 -b dc=example,dc=com uid=admin
dn: uid=admin,ou=People,dc=example,dc=com
uid: admin
givenName: admin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: openstack
sn: user
cn: admin
userPassword:: e1NTSEF9bUhVbDVOTnA4bVJuYTdzUlJ1T1k3dWJQTURUTmk1RG13TzNTYkE9PQ==
mail: admin@example.com
rhosUserEnabled: TRUE

Test user:

[root@rhos4 ~]# ldapsearch -xLLL -D cn='Directory Manager' -w redhat12 -b dc=example,dc=com uid=tuser1
dn: uid=tuser1,ou=People,dc=example,dc=com
uid: tuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: openstack
sn: User1
cn: Test User1
userPassword:: e1NTSEF9MS9EUVhnN0RJWHF1blBwSTRXUGQ3bjdIeHVERjdMRkk1NUI1b1E9PQ==
rhosUserEnabled: TRUE

User list from Keystone:

[root@rhos4 ~]# keystone user-list
+--------+--------+---------+-------------------+
|   id   |  name  | enabled |       email       |
+--------+--------+---------+-------------------+
| admin  | admin  |  True   | admin@example.com |
| tuser1 | tuser1 |  True   |                   |
+--------+--------+---------+-------------------+

Note that if "rhosUserEnabled" is set to "FALSE", the user will still show up in Keystone due to having the openstack objectclass, but will not be seen as enabled (enabled: False).


Looks like the nsAccountLock attr could be used, which is already included in the 389 schema.

Metadata Update from @chudson:
- Issue set to the milestone: N/A

7 years ago
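The designs discussed in this ticket (the custom objectClass with a Boolean rhosUserEnabled attribute, Keystone's own enabled-emulation options mentioned as the alternative, and the nsAccountLock suggestion in the comment above) differ mainly in how an absent or inverted value is read. What follows is an added example, not code from Keystone or 389-ds-base: a small Python model of a Keystone-style LDAP driver that parses ldapsearch-style LDIF and evaluates the enabled flag under each design. The option names mirror keystone.conf [ldap] keys (user_objectclass, user_enabled_attribute, user_enabled_default, user_enabled_invert, user_enabled_emulation_dn); how they combine, in particular that the default stands in for the raw attribute value before inversion, is this model's assumption rather than a statement about Keystone's implementation, and the directory entries are constructed for the example.

```python
"""Added example (not Keystone's or 389-ds-base's code): a model of how a
Keystone-style LDAP driver derives the 'enabled' column of 'keystone user-list'.
Option names follow keystone.conf [ldap]; how they combine is this model's reading."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
LDAP_BOOLEAN = {"TRUE": True, "FALSE": False}  # RFC 4517 Boolean syntax values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folds continuation lines, decodes 'attr:: base64'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding, as in ldapsearch output
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' (ldapsearch uses it for userPassword)
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


@dataclass
class EnabledConfig:
    user_objectclass: str = "inetOrgPerson"
    user_enabled_attribute: str = "enabled"
    user_enabled_default: bool = True   # raw value assumed when the attribute is absent
    user_enabled_invert: bool = False   # TRUE in LDAP means *disabled* (nsAccountLock)
    user_enabled_emulation_dn: Optional[str] = None  # if set: group members are enabled


def user_enabled(entry: Entry, cfg: EnabledConfig, directory: List[Entry]) -> bool:
    """Derive the enabled flag for one parsed user entry."""
    if cfg.user_enabled_emulation_dn:  # emulation: enabled iff listed in the group
        for g in directory:
            if g["dn"][0].lower() == cfg.user_enabled_emulation_dn.lower():
                members = g.get("member", []) + g.get("uniquemember", [])
                return entry["dn"][0].lower() in (m.lower() for m in members)
        return False  # group missing: fail closed
    values = entry.get(cfg.user_enabled_attribute.lower())
    if not values:  # the default is the *raw* value, so invert still applies to it
        raw = cfg.user_enabled_default
    elif values[0].upper() in LDAP_BOOLEAN:
        raw = LDAP_BOOLEAN[values[0].upper()]
    else:  # booleanMatch admits only TRUE/FALSE; refuse to guess at anything else
        raise ValueError(f"{cfg.user_enabled_attribute}={values[0]!r} is not a Boolean")
    return not raw if cfg.user_enabled_invert else raw


def user_list(ldif: str, cfg: EnabledConfig) -> List[Tuple[str, bool]]:
    """Equivalent of 'keystone user-list': (uid, enabled) per user entry."""
    directory = parse_ldif(ldif)
    wanted = cfg.user_objectclass.lower()
    return [(e["uid"][0], user_enabled(e, cfg, directory)) for e in directory
            if wanted in (oc.lower() for oc in e.get("objectclass", []))]


# Constructed sample directory (not the ticket's data) imitating ldapsearch
# output, with a base64 ('::') value and a folded continuation line.
DIRECTORY = """\
dn: uid=admin,ou=People,dc=example,dc=com
uid: admin
objectClass: inetOrgPerson
objectClass: openstack
mail:: YWRtaW5AZXhhbXBsZS5jb20=
rhosUserEnabled: TRUE

dn: uid=tuser1,ou=People,dc=example,dc=com
uid: tuser1
objectClass: inetOrgPerson
objectClass: openstack
rhosUserEnabled: FALSE

dn: uid=locked,ou=People,dc=example,dc=com
uid: locked
objectClass: inetOrgPerson
nsAccountLock: true

dn: cn=enabled_users,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=admin,ou=People,dc=example,dc=com
member: uid=locked,ou=People,
 dc=example,dc=com
"""

# The ticket's proposal: custom objectclass plus a Boolean attribute.
SCHEMA_CFG = EnabledConfig(user_objectclass="openstack", user_enabled_attribute="rhosUserEnabled")
# The nsAccountLock alternative: inverted, and an absent attribute means "not locked".
NSACCOUNTLOCK_CFG = EnabledConfig(user_enabled_attribute="nsAccountLock",
                                  user_enabled_invert=True, user_enabled_default=False)
# Keystone's emulation option: the enabled users are the members of one group.
EMULATION_CFG = EnabledConfig(user_enabled_emulation_dn="cn=enabled_users,ou=Groups,dc=example,dc=com")
```

Running user_list(DIRECTORY, cfg) with the three configurations shows the points the ticket makes. With the custom schema, tuser1 is listed but reports enabled False, and a user that lacks rhosUserEnabled falls back to user_enabled_default. With nsAccountLock, user_enabled_invert is what turns "nsAccountLock: true" into enabled False, and without user_enabled_default set to False an absent lock attribute would be read as locked. With emulation the enabled state lives entirely in group membership, so a missing group disables everyone rather than enabling them.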

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1025

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
