aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/keystone.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile/base/keystone.pp')
-rw-r--r--manifests/profile/base/keystone.pp21
1 files changed, 20 insertions, 1 deletions
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 9598d64..5909337 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -59,6 +59,15 @@
# heat admin user name
# Defaults to undef
#
+# [*ldap_backends_config*]
+# Configuration for keystone::ldap_backend. This takes a hash that will
+# create each backend specified.
+# Defaults to undef
+#
+# [*ldap_backend_enable*]
+# Enables creating per-domain LDAP backends for keystone.
+# Default to false
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -126,6 +135,8 @@ class tripleo::profile::base::keystone (
$heat_admin_email = undef,
$heat_admin_password = undef,
$heat_admin_user = undef,
+ $ldap_backends_config = undef,
+ $ldap_backend_enable = false,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
@@ -207,6 +218,11 @@ class tripleo::profile::base::keystone (
ssl_key_admin => $tls_keyfile_admin,
}
include ::keystone::cors
+
+ if $ldap_backend_enable {
+ validate_hash($ldap_backends_config)
+ create_resources('::keystone::ldap_backend', $ldap_backends_config)
+ }
}
if $step >= 4 and $manage_db_purge {
@@ -246,7 +262,10 @@ class tripleo::profile::base::keystone (
if hiera('barbican_api_enabled', false) {
include ::barbican::keystone::auth
}
- if hiera('ceilometer_api_enabled', false) {
+ # ceilometer user is needed even when ceilometer api
+ # not running, so it can authenticate with keystone
+ # and dispatch data.
+ if hiera('ceilometer_auth_enabled', false) {
include ::ceilometer::keystone::auth
}
if hiera('ceph_rgw_enabled', false) {