lp:~rlane/nova/ldap-schema-modifications-1
- Get this branch:
- bzr branch lp:~rlane/nova/ldap-schema-modifications-1
Branch merges
- Devin Carlen (community): Approve
- Vish Ishaya (community): Approve
Diff: 576 lines (+107/-153), 8 files modified
- nova/auth/fakeldap.py (+3/-0)
- nova/auth/ldapdriver.py (+92/-73)
- nova/auth/nova_openldap.schema (+6/-40)
- nova/auth/nova_sun.schema (+5/-8)
- nova/auth/opendj.sh (+0/-1)
- nova/auth/openssh-lpk_openldap.schema (+0/-19)
- nova/auth/openssh-lpk_sun.schema (+0/-10)
- nova/auth/slap.sh (+1/-2)
Recent revisions
- 393. By Ryan Lane <laner@controller>
  Merge from trunk, and resolve conflict with nova/auth/ldapdriver.py
- 392. By Ryan Lane <laner@controller>
  Adding back in openssh-lpk schema, as keys will likely be stored in LDAP again.
- 388. By Ryan Lane <laner@controller>
  Adding support for choosing a schema version, so that users can more easily migrate from an old schema to the new schema.
- 387. By Ryan Lane <laner@controller>
  Removing novaProject from the schema. This change may look odd at first; here's how it works:

  Both roles and projects are groupOfNames. Previously, we were differentiating projects from project roles by using the novaProject objectclass on the project, and not on the roles. This change removes novaProject, and uses the owner attribute instead of the projectManager attribute. Only projects should have an owner. We can differentiate projects from project roles by checking for the existence of this attribute. To check for the existence of an attribute in LDAP, a wildcard search is used.

  The fake LDAP driver did not support wildcard searches, so I put in "all or nothing" support for it. The wildcard search support doesn't work exactly like wildcard searches in LDAP, but will work for the case that's required.
- 385. By Ryan Lane <laner@controller>
  * Removes unused schema
  * Removes MUST uid from novaUser
  * Changes isAdmin to isNovaAdmin
  * Adds two new configuration options:
  ** ldap_user_id_attribute, with a default of uid
  ** ldap_user_name_attribute, with a default of cn
  * ldapdriver.py has been modified to use these changes

  Rationale:

  Removing uid from novaUser:
  Requiring uid makes the schema very posix specific. Other schemas don't use uid for identifiers at all. This change makes the schema more interoperable.

  Changing isAdmin to isNovaAdmin:
  This attribute is too generic. It doesn't describe what the user is an admin of, and in a pre-existing directory is out of place. This change is to make the attribute more specific to the software.

  Adding config options for id and name:
  This is another interoperability change. This change makes the driver more compatible with directories like AD, where sAMAccountName is used instead of uid. Also, some directory admins prefer to use displayName rather than CN for full names of users.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:~hudson-openstack/nova/trunk