    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 import os
   14 import re
   15 
   16 import configparser
   17 
   18 import keystone.conf
   19 
   20 
CONF = keystone.conf.CONF
# Accepted file name for a per-domain config: `keystone.<domain_name>.conf`.
# The pattern is anchored at both ends, so the lazy `.*?` still has to cover
# everything between the two dots (e.g. `keystone.a.b.conf` matches as well).
# The symptom checks below apply it with re.match() to bare directory entries.
CONFIG_REGEX = r'^keystone\..*?\.conf$'
   23 
   24 
def symptom_LDAP_user_enabled_emulation_dn_ignored():
    """`[ldap] user_enabled_emulation_dn` is being ignored.

    There is no reason to set this value unless `keystone.conf [ldap]
    user_enabled_emulation` is also enabled.
    """
    # NOTE(review): the docstring looks like user-facing doctor output, so it
    # is kept verbatim; explanatory notes live in comments instead.
    # While emulation is switched on the DN is actually consumed, so there is
    # nothing to report.
    if CONF.ldap.user_enabled_emulation:
        return False
    # Emulation is off: a configured DN is dead configuration worth flagging.
    return CONF.ldap.user_enabled_emulation_dn is not None
   34 
   35 
def symptom_LDAP_user_enabled_emulation_use_group_config_ignored():
    """`[ldap] user_enabled_emulation_use_group_config` is being ignored.

    There is no reason to set this value unless `keystone.conf [ldap]
    user_enabled_emulation` is also enabled.
    """
    # Nothing is ignored while emulation itself is turned on.
    if CONF.ldap.user_enabled_emulation:
        return False
    # Emulation is off, so the group-config toggle has no effect; the raw
    # option value is returned, exactly as the original boolean `and` did.
    return CONF.ldap.user_enabled_emulation_use_group_config
   45 
   46 
def symptom_LDAP_group_members_are_ids_disabled():
    """`[ldap] group_members_are_ids` is not enabled.

    Because you've set `keystone.conf [ldap] group_objectclass = posixGroup`,
    we would have also expected you to enable set `keystone.conf [ldap]
    group_members_are_ids` because we suspect you're using Open Directory,
    which would contain user ID's in a `posixGroup` rather than LDAP DNs, as
    other object classes typically would.
    """
    # Only the posixGroup object class carries this expectation; for every
    # other object class the symptom is absent by definition.
    if CONF.ldap.group_objectclass == 'posixGroup':
        return not CONF.ldap.group_members_are_ids
    return False
   59 
   60 
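def symptom_LDAP_file_based_domain_specific_configs():
    """Domain specific driver directory is invalid or contains invalid files.

    If `keystone.conf [identity] domain_specific_drivers_enabled` is set
    to `true`, then support is enabled for individual domains to have their
    own identity drivers. The configurations for these can either be stored
    in a config file or in the database. The case we handle in this symptom
    is when they are stored in config files, which is indicated by
    `keystone.conf [identity] domain_configurations_from_database`
    being set to `false`.
    """
    # Nothing to check unless per-domain drivers are enabled AND their
    # configuration lives in files rather than in the database.
    if (not CONF.identity.domain_specific_drivers_enabled or
            CONF.identity.domain_configurations_from_database):
        return False

    filedir = CONF.identity.domain_config_dir
    if not os.path.isdir(filedir):
        print('Could not find directory ', filedir)
        return True

    try:
        entries = os.listdir(filedir)
    except OSError as exc:
        # An unreadable directory (e.g. permission denied) is itself a
        # misconfiguration to report; doctor should not die with a traceback.
        print('Could not read directory %s: %s' % (filedir, exc))
        return True

    # Anything not named `keystone.<domain_name>.conf` is flagged. The check
    # is purely lexical: contents and permissions of the files are not
    # inspected here.
    invalid_files = [name for name in entries
                     if not re.match(CONFIG_REGEX, name)]
    if not invalid_files:
        return False

    invalid_str = ', '.join(invalid_files)
    print('Warning: The following non-config files were found: %s\n'
          'If they are intended to be config files then rename them '
          'to the form of `keystone.<domain_name>.conf`. '
          'Otherwise, ignore this warning' % invalid_str)
    return True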
   94 
   95 
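def _config_file_parses(path):
    """Return True when *path* is accepted by ``configparser`` without error.

    Only a syntactically malformed file yields False. ``ConfigParser.read``
    silently skips files it cannot open, so a file that merely lacks read
    permission (or is not a regular file) still counts as parsing cleanly.
    """
    parser = configparser.ConfigParser()
    # Keep only the call that can raise inside the try block.
    try:
        parser.read(path)
    except configparser.Error:
        return False
    return True


def symptom_LDAP_file_based_domain_specific_configs_formatted_correctly():
    """LDAP domain specific configuration files are not formatted correctly.

    If `keystone.conf [identity] domain_specific_drivers_enabled` is set
    to `true`, then support is enabled for individual domains to have their
    own identity drivers. The configurations for these can either be stored
    in a config file or in the database. The case we handle in this symptom
    is when they are stored in config files, which is indicated by
    `keystone.conf [identity] domain_configurations_from_database`
    being set to false. The config files located in the directory specified
    by `keystone.conf [identity] domain_config_dir` should be in the
    form of `keystone.<domain_name>.conf` and their contents should look
    something like this:

    [ldap]
    url = ldap://ldapservice.thecustomer.com
    query_scope = sub

    user_tree_dn = ou=Users,dc=openstack,dc=org
    user_objectclass = MyOrgPerson
    user_id_attribute = uid
    ...
    """
    filedir = CONF.identity.domain_config_dir
    # NOTE(gagehugo): If domain_specific_drivers_enabled = false or
    # the value set in domain_config_dir is nonexistent/invalid, then
    # there is no point in continuing with this check.
    # symptom_LDAP_file_based_domain_specific_config will catch and
    # report this issue.
    if (not CONF.identity.domain_specific_drivers_enabled or
            CONF.identity.domain_configurations_from_database or
            not os.path.isdir(filedir)):
        return False

    try:
        entries = os.listdir(filedir)
    except OSError as exc:
        # Report an unreadable directory instead of crashing the doctor run.
        print('Could not read directory %s: %s' % (filedir, exc))
        return True

    # Only files named `keystone.<domain_name>.conf` are parsed; other names
    # are the concern of symptom_LDAP_file_based_domain_specific_configs.
    # NOTE(review): these files can carry LDAP bind settings, and this check
    # validates syntax only, not file ownership or mode -- confirm whether a
    # permissions check belongs in a separate symptom.
    invalid_files = [
        filename for filename in entries
        if re.match(CONFIG_REGEX, filename)
        and not _config_file_parses(os.path.join(filedir, filename))
    ]
    if not invalid_files:
        return False

    invalid_str = ', '.join(invalid_files)
    print('Error: The following config files are formatted incorrectly: ',
          invalid_str)
    return True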