lp:~rlane/nova/ldap-schema-modifications-1

Created by Ryan Lane and last modified
Get this branch:
bzr branch lp:~rlane/nova/ldap-schema-modifications-1


Branch information

Owner:
Ryan Lane
Project:
OpenStack Compute (nova)
Status:
Merged

Recent revisions

393. By Ryan Lane <laner@controller>

Merge from trunk, and resolve conflict with nova/auth/ldapdriver.py

392. By Ryan Lane <laner@controller>

Adding back in openssh-lpk schema, as keys will likely be stored in LDAP again.

391. By Ryan Lane <laner@controller>

Format fixes and modification of Vish's email address.

390. By Ryan Lane <laner@controller>

PEP8 fixes

389. By Ryan Lane <laner@controller>

Setting the default schema version to the new schema

388. By Ryan Lane <laner@controller>

Adding support for choosing a schema version, so that users can more easily migrate from an old schema to the new schema.

387. By Ryan Lane <laner@controller>

Removing novaProject from the schema. This change may look odd at first; here's how it works:

Both roles and projects are groupOfNames. Previously, we were differentiating projects from project roles by using the novaProject objectclass on the project, and not on the roles. This change removes novaProject, and uses the owner attribute instead of the projectManager attribute. Only projects should have an owner. We can differentiate projects from project roles by checking for the existence of this attribute. To check for the existence of an attribute in LDAP, a wildcard search is used.

The fake LDAP driver did not support wildcard searches, so I put in "all or nothing" support for it. The wildcard search support doesn't work exactly like wildcard searches in LDAP, but will work for the case that's required.
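
The presence check described in revision 387, as an added example (not code from this branch or from nova): an in-memory search that treats a lone `*` as an attribute-presence test, handles equality and AND, and refuses substring wildcards instead of guessing. The sample DNs, the function names and the reading of "all or nothing" as a lone `*` are assumptions.

```python
import re

# Constructed sample directory (not from the branch): projects and project
# roles are both groupOfNames; only the project entry carries an owner.
DIRECTORY = {
    "cn=proj1,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["proj1"],
        "owner": ["uid=alice,ou=Users,dc=example,dc=com"],
    },
    "cn=sysadmin,cn=proj1,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["sysadmin"],
        "member": ["uid=bob,ou=Users,dc=example,dc=com"],
    },
}

def parse_filter(flt):
    """Return (attr, value) terms of '(a=b)' or an AND filter '(&(a=b)(c=*))'."""
    if "!" in flt or "|" in flt:
        raise ValueError("only equality, presence and AND are handled here")
    if flt.startswith("(&") and flt.endswith(")"):
        flt = flt[2:-1]
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", flt)
    if not terms:
        raise ValueError("unsupported filter: %r" % flt)
    return terms

def matches(attrs, flt):
    """True when every term of the filter holds for this entry."""
    for attr, want in parse_filter(flt):
        have = attrs.get(attr, [])
        if want == "*":
            if not have:            # presence test: any value will do
                return False
        elif "*" in want:           # 'proj*' style substring match: refuse
            raise ValueError("substring wildcards are not handled")
        elif want not in have:
            return False
    return True

def search(directory, flt):
    """Return the sorted DNs of entries that match the filter."""
    return sorted(dn for dn, attrs in directory.items() if matches(attrs, flt))

def projects(directory):
    return search(directory, "(&(objectClass=groupOfNames)(owner=*))")

def project_roles(directory):
    groups = search(directory, "(objectClass=groupOfNames)")
    return [dn for dn in groups if dn not in projects(directory)]
```

Because the project/role distinction now rests on one attribute being present, a test double that silently matched `(cn=proj*)` as if it were `(cn=*)` would hide filter mistakes that a real directory would expose; raising on unsupported forms keeps the tests honest.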

386. By Ryan Lane <laner@controller>

Merge from trunk

385. By Ryan Lane <laner@controller>

* Removes unused schema
* Removes MUST uid from novaUser
* Changes isAdmin to isNovaAdmin
* Adds two new configuration options:
** ldap_user_id_attribute, with a default of uid
** ldap_user_name_attribute, with a default of cn
* ldapdriver.py has been modified to use these changes

Rationale:

Removing uid from novaUser:

Requiring uid makes the schema very POSIX-specific. Other schemas don't use uid for identifiers at all. This
change makes the schema more interoperable.

Changing isAdmin to isNovaAdmin:

This attribute is too generic. It doesn't describe what the user is an admin of, and in a pre-existing directory
is out of place. This change is to make the attribute more specific to the software.

Adding config options for id and name:

This is another interoperability change. This change makes the driver more compatible with directories like AD,
where sAMAccountName is used instead of uid. Also, some directory admins prefer to use displayName rather than
CN for full names of users.

384. By Ryan Lane <laner@controller>

Merge from trunk

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:~hudson-openstack/nova/trunk