Requesting an enhancement to include schema for Keystone LDAP Driver. Something like:
Schema entry:
objectClasses: ( openstack-oid NAME 'openstack' DESC * SUP top STRUCTURAL MUST rhosUserEnabled X-ORIGIN 'user defined' )
attributeTypes: ( rhosUserEnabled-oid NAME 'rhosUserEnabled' DESC 'OpenStack User' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN 'user defined' )
With this schema, keystone can observe the openstack objectclass and rhosUserEnabled attribute via the following in keystone.conf:
user_objectclass = openstack
user_enabled_attribute = rhosUserEnabled
The alternative is to use the emulation options provided by keystone, however this helps to ease the administrative overhead.
Example:
Admin user:
[root@rhos4 ~]# ldapsearch -xLLL -D cn='Directory Manager' -w redhat12 -b dc=example,dc=com uid=admin
dn: uid=admin,ou=People,dc=example,dc=com
uid: admin
givenName: admin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: openstack
sn: user
cn: admin
userPassword:: e1NTSEF9bUhVbDVOTnA4bVJuYTdzUlJ1T1k3dWJQTURUTmk1RG13TzNTYkE9PQ==
mail: admin@example.com
rhosUserEnabled: TRUE
Test user:
[root@rhos4 ~]# ldapsearch -xLLL -D cn='Directory Manager' -w redhat12 -b dc=example,dc=com uid=tuser1
dn: uid=tuser1,ou=People,dc=example,dc=com
uid: tuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: openstack
sn: User1
cn: Test User1
userPassword:: e1NTSEF9MS9EUVhnN0RJWHF1blBwSTRXUGQ3bjdIeHVERjdMRkk1NUI1b1E9PQ==
rhosUserEnabled: TRUE
User list from Keystone:
[root@rhos4 ~]# keystone user-list
+--------+--------+---------+-------------------+
|   id   |  name  | enabled |       email       |
+--------+--------+---------+-------------------+
| admin  | admin  | True    | admin@example.com |
| tuser1 | tuser1 | True    |                   |
+--------+--------+---------+-------------------+
Note that if "rhosUserEnabled" is set to "FALSE", the user will still show up in Keystone due to having the openstack objectclass, but will not be seen as enabled (enabled: False).
Looks like the nsAccountLock attr could be used, which is already included in the 389 schema.
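The following is an added example, not code from the ticket, from 389-ds-base or from Keystone. It models how a Keystone-style LDAP identity backend would turn the ldapsearch entries above into the user-list shown in the report: only entries carrying the user_objectclass are visible, and the user_enabled_attribute decides the enabled column, so an entry with rhosUserEnabled: FALSE is still listed but reported as disabled. It also covers the nsAccountLock suggestion from the follow-up comment, where a locked account must read as not enabled, by inverting the attribute's meaning. The option names user_objectclass, user_enabled_attribute, user_enabled_invert and user_enabled_default are Keystone [ldap] options; the evaluation logic here is a simplified model, not Keystone's implementation. The LDIF below is constructed from the ticket's output, with a disabled user and an entry lacking the openstack objectClass added to exercise the edge cases.

```python
import base64

# Constructed LDIF, modelled on the ticket's `ldapsearch -LLL` output.
# Entries 3 and 4 are added to exercise the FALSE and "no openstack class" cases.
SAMPLE_LDIF = """\
dn: uid=admin,ou=People,dc=example,dc=com
uid: admin
objectClass: top
objectClass: inetorgperson
objectClass: openstack
cn: admin
userPassword:: e1NTSEF9bUhVbDVOTnA4bVJuYTdzUlJ1T1k3dWJQTURUTmk1RG13TzNTYkE9PQ==
mail: admin@example.com
rhosUserEnabled: TRUE

dn: uid=tuser1,ou=People,dc=example,dc=com
uid: tuser1
objectClass: inetorgperson
objectClass: openstack
cn: Test User1
rhosUserEnabled: TRUE

dn: uid=disabled1,ou=People,dc=example,dc=com
uid: disabled1
objectClass: inetorgperson
objectClass: openstack
cn: Disabled User
rhosUserEnabled: FALSE
nsAccountLock: true

dn: uid=plain1,ou=People,dc=example,dc=com
uid: plain1
objectClass: inetorgperson
cn: Not an OpenStack user
"""

# Two hypothetical keystone.conf [ldap] settings: the schema proposed in the
# ticket, and the nsAccountLock alternative (locked == not enabled, so inverted).
SCHEMA_CONFIG = {"user_objectclass": "openstack",
                 "user_enabled_attribute": "rhosUserEnabled"}
NSACCOUNTLOCK_CONFIG = {"user_objectclass": "openstack",
                        "user_enabled_attribute": "nsAccountLock",
                        "user_enabled_invert": True,
                        "user_enabled_default": True}


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased because LDAP treats them case-insensitively;
    the `attr:: base64` form (used for userPassword above) is decoded."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if ":: " in line:
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        else:
            attr, value = line.split(": ", 1)
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def ldap_bool(value):
    """LDAP Boolean syntax (1.3.6.1.4.1.1466.115.121.1.7) is the string TRUE or FALSE."""
    v = value.strip().upper()
    if v == "TRUE":
        return True
    if v == "FALSE":
        return False
    raise ValueError(f"not an LDAP boolean: {value!r}")


def list_users(entries, config):
    """Model of `keystone user-list`: filter by user_objectclass, derive `enabled`
    from user_enabled_attribute (absent -> user_enabled_default, inverted when
    user_enabled_invert is set, as for nsAccountLock)."""
    wanted_class = config["user_objectclass"].lower()
    enabled_attr = config["user_enabled_attribute"].lower()
    users = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if wanted_class not in classes:
            continue  # never visible to Keystone at all
        raw = entry.get(enabled_attr)
        if raw is None:
            enabled = config.get("user_enabled_default", True)
        else:
            enabled = ldap_bool(raw[0])
            if config.get("user_enabled_invert", False):
                enabled = not enabled
        users.append({"id": entry["uid"][0], "name": entry["uid"][0],
                      "enabled": enabled, "email": entry.get("mail", [""])[0]})
    return users


if __name__ == "__main__":
    for user in list_users(parse_ldif(SAMPLE_LDIF), SCHEMA_CONFIG):
        print(user)
```

Running it lists admin and tuser1 as enabled, disabled1 as present but not enabled, and omits plain1 entirely; switching to NSACCOUNTLOCK_CONFIG gives the same result because nsAccountLock is only set on the locked entry and the inverted default keeps unlocked accounts enabled.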
Metadata Update from @chudson: - Issue set to the milestone: N/A
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1025
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)