- [root@satserver-rf cuy]# cat instala-ldap.sh
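#!/usr/bin/env bash
#
# instala-ldap.sh - register an Active Directory domain as a Keystone
# identity backend for a new project, grant an AD group admin and another
# AD group _member_ on it, and give the project a private network, subnet
# and router attached to the external network.
#
# Usage: instala-ldap.sh <project-name>
#
# Runs as root on the controller. Needs ~/keystonerc_admin, crudini, the
# openstack/neutron CLIs, and (for the one-time nova setup) /root/computes.txt
# with one compute host per line reachable over ssh.
#
# The original shebang was "bash -x"; tracing is intentionally not enabled
# here because it would print LDAPPASSWORD and the generated domain config
# to the terminal or any captured log.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Run a CLI command that prints a "| key | value |" table and return its id.
# Arguments: $1 - label used in error messages; $2.. - command and arguments
# Outputs:   the id on stdout
# Returns:   exits via die when the command fails or prints no "| id" row,
#            so an empty id can never be passed on to the next command.
#######################################
run_id() {
  local label=$1
  shift
  local out id
  out=$("$@") || die "$label: '$*' failed"
  # Same row and column the original grep|awk pipeline selected. "|| true":
  # grep -m1 may close the pipe early, which pipefail would report as failure.
  id=$(printf '%s\n' "$out" | grep -m1 '| id ' | awk '{print $4}') || true
  [[ -n "$id" ]] || die "$label: no id found in command output"
  printf '%s\n' "$id"
}

# Check that a tenant/project name was given and is not already configured.
RHOSP_DOMAIN=${1:-}
if [[ -z "$RHOSP_DOMAIN" ]]; then
  die "Please specify a project name."
fi
# The name is spliced into a path under /etc/keystone/domains and into CLI
# arguments, so only accept a plain identifier (no '/', no leading '-').
if ! [[ "$RHOSP_DOMAIN" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
  die "Invalid project name: $RHOSP_DOMAIN"
fi
readonly RHOSP_DOMAIN
readonly DOMAIN_CONF=/etc/keystone/domains/keystone.$RHOSP_DOMAIN.conf
if [[ -e "$DOMAIN_CONF" ]]; then
  die "You have already defined this tenant. Please use a different name."
fi

##### BEGIN CONFIGURATION ######
# The name of the external Network (not the subnet, the Network).
readonly EXTERNAL_NET_NAME=externa
# The LDAP server
readonly LDAPSERVER=server01.ad.rf01.co
# The Domain Controller DN Suffix
readonly DCSUFFIX=DC=ad,DC=rf01,DC=co
# The DN of the LDAP user that can make LDAP queries
readonly LDAPUSER=CN=services,OU=Usuarios,OU=openstack
# The LDAPUSER password. Taken from the environment when set; the literal
# default is kept only so existing invocations keep working - it should be
# removed from this file and supplied via the environment instead.
LDAPPASSWORD=${LDAPPASSWORD:-corinthians}
readonly LDAPPASSWORD
# What is the AD group membership that makes a OpenStack user?
readonly LDAPUSERFILTER=CN=openstack-all,OU=Grupos,OU=openstack
# Where to look for OpenStack groups?
readonly LDAPGROUPTREE=OU=Grupos,OU=openstack
# What is the filter for the LDAP groups?
readonly LDAPGROUPFILTER=CN=openstack*
# The LDAP group which is going to be admin of the Project
readonly LDAPADMINGROUP=openstack-admin
# The LDAP group that are going to be _members_ of the project
readonly LDAPUSERGROUP=openstack-prd
##### END CONFIGURATION ######

# Fix setup one-timers: only run when keystonerc has not been switched to v3.
if ! grep -q "OS_IDENTITY_API_VERSION=3" ~/keystonerc_admin 2>/dev/null; then
  echo "Configuring keystonerc"
  {
    echo "export OS_IDENTITY_API_VERSION=3"
    echo "export OS_PROJECT_DOMAIN_NAME=Default"
    echo "export OS_USER_DOMAIN_NAME=Default"
  } >> ~/keystonerc_admin
  sed -i 's/v2.0/v3/g' ~/keystonerc_admin
  echo "Configuring LDAP and Horizon"
  echo "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True" >> /etc/openstack-dashboard/local_settings
  echo "REFERRALS off" >> /etc/openldap/ldap.conf
  # Configure Nova in Computes (one host per line; blank lines skipped).
  while IFS= read -r compute || [[ -n "$compute" ]]; do
    [[ -n "$compute" ]] || continue
    echo "Configuring nova in $compute"
    # -n keeps ssh from swallowing the rest of computes.txt as its stdin.
    ssh -n "$compute" "crudini --set /etc/nova/nova.conf keystone_authtoken auth_version v3 && systemctl restart openstack-nova-compute.service"
  done < /root/computes.txt
fi

# Prepare LDAP surrogate in Keystone, Cinder y No Va
echo "Configuring keystone.conf"
crudini --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true
crudini --set /etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains
crudini --set /etc/keystone/keystone.conf assignment driver sql
echo "Configuring No Va.conf"
crudini --set /etc/nova/nova.conf keystone_authtoken auth_version v3
echo "Configuring cinder.conf"
# Value after "=" on the OS_AUTH_URL line of keystonerc, as before.
auth_url=$(grep -m1 OS_AUTH_URL ~/keystonerc_admin | awk -F= '{print $2}')
[[ -n "$auth_url" ]] || die "OS_AUTH_URL not found in ~/keystonerc_admin"
crudini --set /etc/cinder/cinder.conf keystone_authtoken auth_uri "$auth_url"
crudini --set /etc/cinder/cinder.conf keystone_authtoken auth_version v3

# Create the LDAP config for the domain
mkdir -p /etc/keystone/domains
echo "Creating the domain config file"
# The file holds the LDAP bind password: create it unreadable to others,
# then copy owner/group/mode from keystone.conf so the Keystone service can
# still read it (the default umask left it world-readable).
# Note: the heredoc is unquoted, so a password containing $ or \ is expanded.
(
  umask 077
  cat > "$DOMAIN_CONF" <<EOF
[ldap]
url = ldap://$LDAPSERVER
user = $LDAPUSER,$DCSUFFIX
password = $LDAPPASSWORD
suffix = $DCSUFFIX
user_tree_dn = $DCSUFFIX
query_scope = sub
user_objectclass = person
user_filter = (memberOf=$LDAPUSERFILTER,$DCSUFFIX)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_objectclass = group
group_tree_dn = $LDAPGROUPTREE,$DCSUFFIX
group_filter = ($LDAPGROUPFILTER)
group_id_attribute = cn
group_name_attribute = name
group_allow_create = False
group_allow_update = False
group_allow_delete = False
[identity]
driver = keystone.identity.backends.ldap.Identity
EOF
)
chown --reference=/etc/keystone/keystone.conf -- "$DOMAIN_CONF"
chmod --reference=/etc/keystone/keystone.conf -- "$DOMAIN_CONF"

# Restart services in order to load the new configs
echo "Restarting Keystone"
systemctl restart httpd
echo "Restarting Cinder"
openstack-service restart cinder
echo "Restarting No Va"
openstack-service restart nova

# And finally, create the project, the roles and a random private network.
source ~/keystonerc_admin
echo "Creating domain $RHOSP_DOMAIN"
IDDOMAIN=$(run_id "domain create" openstack domain create "$RHOSP_DOMAIN")
echo "Creating project $RHOSP_DOMAIN"
IDPROJECT=$(run_id "project create" openstack project create "$RHOSP_DOMAIN")
echo "Get default admin UUID"
IDUSERADMIN=$(run_id "user show admin" openstack user show --domain default admin)
echo "Get admin role UUID"
IDROLEADMIN=$(run_id "role show admin" openstack role show admin)
echo "Get _member_ UUID"
IDROLEUSER=$(run_id "role show _member_" openstack role show _member_)
echo "Get LDAP admin group UUID"
IDGRPADMIN=$(run_id "group show $LDAPADMINGROUP" openstack group show --domain "$RHOSP_DOMAIN" "$LDAPADMINGROUP")
echo "Get LDAP _member_ group UUID"
IDGRPUSER=$(run_id "group show $LDAPUSERGROUP" openstack group show --domain "$RHOSP_DOMAIN" "$LDAPUSERGROUP")
# This grant is on the new domain (not the project): it lets the default
# admin user manage the LDAP-backed domain.
echo "Set admin user as admin in domain"
openstack role add --domain "$IDDOMAIN" --user "$IDUSERADMIN" "$IDROLEADMIN"
echo "Set LDAP admin group as admin in project"
openstack role add --project "$IDPROJECT" --group "$IDGRPADMIN" "$IDROLEADMIN"
echo "Set LDAP user group as _member_ in project"
openstack role add --project "$IDPROJECT" --group "$IDGRPUSER" "$IDROLEUSER"
echo "Restart keystone"
systemctl restart httpd

#--- Configuring network
echo "Drawing a random internal network for the project"
# Random 10.x.y.0/24; nothing checks for overlap with existing subnets.
INTERNAL_NET=10.$(shuf -i 0-255 -n 1).$(shuf -i 0-255 -n 1).0/24
echo "Creating internal Network"
ID_NETINTERNAL=$(run_id "net-create" neutron net-create "net-$RHOSP_DOMAIN" --provider:network_type vxlan --tenant-id "$IDPROJECT")
echo "Creating internal subnet"
ID_SUBNETINTERNAL=$(run_id "subnet-create" neutron subnet-create --name "subnet-$RHOSP_DOMAIN" --tenant-id "$IDPROJECT" "$ID_NETINTERNAL" "$INTERNAL_NET")
echo "Creating tenant router"
ID_ROUTER=$(run_id "router-create" neutron router-create --tenant-id "$IDPROJECT" "router-$RHOSP_DOMAIN")
echo "Get external network UUID"
ID_NETEXTERNAL=$(run_id "net-show $EXTERNAL_NET_NAME" neutron net-show -F id "$EXTERNAL_NET_NAME")
echo "Adding internal subnet interface to the router"
neutron router-interface-add "$ID_ROUTER" "$ID_SUBNETINTERNAL"
echo "And finally add the external interface to the router"
neutron router-gateway-set "$ID_ROUTER" "$ID_NETEXTERNAL"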