1 files changed, 27 insertions, 2 deletions

diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 9598d64..31f5c93 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -59,6 +59,15 @@
 #   heat admin user name
 #   Defaults to undef
 #
+# [*ldap_backends_config*]
+#   Configuration for keystone::ldap_backend. This takes a hash that will
+#   create each backend specified.
+#   Defaults to undef
+#
+# [*ldap_backend_enable*]
+#   Enables creating per-domain LDAP backends for keystone.
+#   Default to false
+#
 # [*manage_db_purge*]
 #   (Optional) Whether keystone token flushing should be enabled
 #   Defaults to hiera('keystone_enable_db_purge', true)
@@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
   $heat_admin_email              = undef,
   $heat_admin_password           = undef,
   $heat_admin_user               = undef,
+  $ldap_backends_config          = undef,
+  $ldap_backend_enable           = false,
   $manage_db_purge               = hiera('keystone_enable_db_purge', true),
   $public_endpoint_network       = hiera('keystone_public_api_network', undef),
   $oslomsg_rpc_proto             = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -200,6 +211,7 @@ class tripleo::profile::base::keystone (
     }
 
     include ::keystone::config
+    include ::apache::mod::ssl
     class { '::keystone::wsgi::apache':
       ssl_cert       => $tls_certfile,
       ssl_key        => $tls_keyfile,
@@ -207,6 +219,13 @@ class tripleo::profile::base::keystone (
       ssl_key_admin  => $tls_keyfile_admin,
     }
     include ::keystone::cors
+
+    if $ldap_backend_enable {
+      validate_hash($ldap_backends_config)
+      create_resources('::keystone::ldap_backend', $ldap_backends_config, {
+        create_domain_entry => $manage_domain,
+      })
+    }
   }
 
   if $step >= 4 and $manage_db_purge {
@@ -246,7 +265,10 @@ class tripleo::profile::base::keystone (
     if hiera('barbican_api_enabled', false) {
       include ::barbican::keystone::auth
     }
-    if hiera('ceilometer_api_enabled', false) {
+    # ceilometer user is needed even when ceilometer api
+    # not running, so it can authenticate with keystone
+    # and dispatch data.
+    if hiera('ceilometer_auth_enabled', false) {
       include ::ceilometer::keystone::auth
     }
     if hiera('ceph_rgw_enabled', false) {
@@ -291,13 +313,16 @@ class tripleo::profile::base::keystone (
     if hiera('nova_placement_enabled', false) {
       include ::nova::keystone::auth_placement
     }
+    if hiera('octavia_api_enabled', false) {
+      include ::octavia::keystone::auth
+    }
     if hiera('panko_api_enabled', false) {
       include ::panko::keystone::auth
     }
     if hiera('sahara_api_enabled', false) {
       include ::sahara::keystone::auth
     }
-    if hiera('swift_proxy_enabled', false) {
+    if hiera('swift_proxy_enabled', false) or hiera('external_swift_proxy_enabled',false) {
       include ::swift::keystone::auth
     }
     if hiera('tacker_enabled', false) {