  1. [root@satserver-rf cuy]# cat instala-ldap.sh
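#!/bin/bash
#
# instala-ldap.sh - create an LDAP-backed Keystone domain and a project for a
# tenant, grant the LDAP admin/member groups their roles, and give the project
# a router with a random private network behind it.
#
# Usage:  instala-ldap.sh <project-name>
# Env:    LDAPPASSWORD (optional) - overrides the bind password configured
#         below so the secret does not have to be kept inside this file.
#
# Abort on the first failing command, including a failing stage inside a
# pipeline: every UUID gathered below is an argument to the next command, so
# carrying on with an empty ID would only produce confusing errors later.
set -eo pipefail
# The original ran under `bash -x`. xtrace prints every expanded command line,
# which writes the LDAP bind password to the terminal and to any session log;
# trace on demand with `bash -x instala-ldap.sh <name>` instead.

#######################################
# Print a message on stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Extract the value of the "id" row from an openstack/neutron table on stdin
# (rows look like "| id | <uuid> |", so the uuid is the 4th whitespace field).
# Outputs:  the first id found on stdout
# The whole input is consumed rather than exiting on the first match so the
# producing command never receives SIGPIPE, which would trip `pipefail`.
#######################################
table_id() {
  awk '$2 == "id" && !found { print $4; found = 1 }'
}

#######################################
# Abort unless the looked-up id is non-empty.
# Arguments: $1 - description used in the error message, $2 - the value
#######################################
require_id() {
  [[ -n $2 ]] || die "Could not determine $1; aborting."
}

# Check if did we specify a tenant/project name.
RHOSP_DOMAIN=${1:-}
if [[ -z $RHOSP_DOMAIN ]]; then
  die "Please specify a project name."
fi
# The name becomes part of a path under /etc/keystone/domains and of several
# resource names; refuse anything that could leave that directory or contain
# shell/whitespace metacharacters.
if [[ ! $RHOSP_DOMAIN =~ ^[A-Za-z0-9._-]+$ || $RHOSP_DOMAIN == . || $RHOSP_DOMAIN == .. ]]; then
  die "Project name may only contain letters, digits, '.', '_' and '-'."
fi
DOMAIN_CONF=/etc/keystone/domains/keystone.$RHOSP_DOMAIN.conf
if [[ -e $DOMAIN_CONF ]]; then
  die "You have already defined this tenant. Please use a different name."
fi

##### BEGIN CONFIGURATION ######
# The name of the external Network (not the subnet, the Network).
EXTERNAL_NET_NAME=externa

# The LDAP server
LDAPSERVER=server01.ad.rf01.co

# The Domain Controller DN Suffix
DCSUFFIX=DC=ad,DC=rf01,DC=co

# The DN of the LDAP user that can make LDAP queries
LDAPUSER=CN=services,OU=Usuarios,OU=openstack

# The LDAPUSER password. Prefer exporting LDAPPASSWORD in the environment (or
# sourcing it from a mode-0600 file) over keeping the literal in this script.
LDAPPASSWORD=${LDAPPASSWORD:-corinthians}

# What is the AD group membership that makes a OpenStack user?
LDAPUSERFILTER=CN=openstack-all,OU=Grupos,OU=openstack

# Where to look for OpenStack groups?
LDAPGROUPTREE=OU=Grupos,OU=openstack

# What is the filter for the LDAP groups?
LDAPGROUPFILTER=CN=openstack*

# The LDAP group which is going to be admin of the Project
LDAPADMINGROUP=openstack-admin

# The LDAP group that are going to be _members_ of the project
LDAPUSERGROUP=openstack-prd
##### END CONFIGURATION ######

KEYSTONERC=$HOME/keystonerc_admin

# Fix setup one-timers: the presence of the v3 marker in keystonerc_admin is
# what tells us this block has already been run.
if ! grep -q "OS_IDENTITY_API_VERSION=3" "$KEYSTONERC" 2>/dev/null; then
  echo "Configuring keystonerc"
  {
    echo "export OS_IDENTITY_API_VERSION=3"
    echo "export OS_PROJECT_DOMAIN_NAME=Default"
    echo "export OS_USER_DOMAIN_NAME=Default"
  } >> "$KEYSTONERC"
  sed -i 's/v2.0/v3/g' "$KEYSTONERC"
  echo "Configuring LDAP and Horizon"
  echo "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True" >> /etc/openstack-dashboard/local_settings
  echo "REFERRALS off" >> /etc/openldap/ldap.conf
  # Configure Nova in Computes (one hostname per line in /root/computes.txt).
  computes=()
  if [[ -r /root/computes.txt ]]; then
    mapfile -t computes < /root/computes.txt
  else
    printf 'warning: /root/computes.txt not readable, skipping compute nodes\n' >&2
  fi
  for compute in "${computes[@]}"; do
    [[ -n $compute ]] || continue
    echo "Configuring nova in $compute"
    ssh "$compute" "crudini --set /etc/nova/nova.conf keystone_authtoken auth_version v3 && systemctl restart openstack-nova-compute.service"
  done
fi

# Prepare LDAP surrogate in Keystone, Cinder y No Va
echo "Configuring keystone.conf"
crudini --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true
crudini --set /etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains
crudini --set /etc/keystone/keystone.conf assignment driver sql
echo "Configuring No Va.conf"
crudini --set /etc/nova/nova.conf keystone_authtoken auth_version v3
echo "Configuring cinder.conf"
# Cinder's auth_uri is whatever OS_AUTH_URL keystonerc_admin points at
# (first match only, so a duplicated line cannot inject extra arguments).
AUTH_URL=$(awk -F= '/OS_AUTH_URL/ { print $2; exit }' "$KEYSTONERC")
[[ -n $AUTH_URL ]] || die "OS_AUTH_URL not found in $KEYSTONERC"
crudini --set /etc/cinder/cinder.conf keystone_authtoken auth_uri "$AUTH_URL"
crudini --set /etc/cinder/cinder.conf keystone_authtoken auth_version v3

# Create the LDAP config for the domain
mkdir -p /etc/keystone/domains
echo "Creating the domain config file"
# The file carries the bind password in clear text: create it unreadable to
# anyone else, then give it the same ownership/mode as keystone.conf
# (root:keystone, 0640) so only keystone can read it.
(
  umask 077
  cat > "$DOMAIN_CONF" << EOF
[ldap]
url                      = ldap://$LDAPSERVER
user                     = $LDAPUSER,$DCSUFFIX
password                 = $LDAPPASSWORD
suffix                   = $DCSUFFIX
user_tree_dn             = $DCSUFFIX
query_scope              = sub
user_objectclass         = person
user_filter              = (memberOf=$LDAPUSERFILTER,$DCSUFFIX)
user_id_attribute        = sAMAccountName
user_name_attribute      = sAMAccountName
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False
group_objectclass        = group
group_tree_dn            = $LDAPGROUPTREE,$DCSUFFIX
group_filter             = ($LDAPGROUPFILTER)
group_id_attribute       = cn
group_name_attribute     = name
group_allow_create       = False
group_allow_update       = False
group_allow_delete       = False

[identity]
driver                   = keystone.identity.backends.ldap.Identity
EOF
)
chown root:keystone "$DOMAIN_CONF"
chmod 0640 "$DOMAIN_CONF"

# Restart services in order to load the new configs
echo "Restarting Keystone"
systemctl restart httpd
echo "Restarting Cinder"
openstack-service restart cinder
echo "Restarting No Va"
openstack-service restart nova

# And finally, create the project, the roles and a random private network.
# shellcheck source=/dev/null
source "$KEYSTONERC"
echo "Get admin tenant"
IDDOMAIN=$(openstack domain create "$RHOSP_DOMAIN" | table_id)
require_id "domain id" "$IDDOMAIN"

echo "Creating project $RHOSP_DOMAIN"
IDPROJECT=$(openstack project create "$RHOSP_DOMAIN" | table_id)
require_id "project id" "$IDPROJECT"

echo "Get default admin UUID"
IDUSERADMIN=$(openstack user show --domain default admin | table_id)
require_id "admin user id" "$IDUSERADMIN"

echo "Get admin role UUID"
IDROLEADMIN=$(openstack role show admin | table_id)
require_id "admin role id" "$IDROLEADMIN"

echo "Get _member_ UUID"
IDROLEUSER=$(openstack role show _member_ | table_id)
require_id "_member_ role id" "$IDROLEUSER"

echo "Get LDAP admin group UUID"
IDGRPADMIN=$(openstack group show --domain "$RHOSP_DOMAIN" "$LDAPADMINGROUP" | table_id)
require_id "LDAP admin group id" "$IDGRPADMIN"

echo "Get LDAP _member_ group UUID"
IDGRPUSER=$(openstack group show --domain "$RHOSP_DOMAIN" "$LDAPUSERGROUP" | table_id)
require_id "LDAP member group id" "$IDGRPUSER"

# Note: this grant is scoped to the new domain, not to the project.
echo "Set admin user as admin in project"
openstack role add --domain "$IDDOMAIN" --user "$IDUSERADMIN" "$IDROLEADMIN"

echo "Set LDAP admin group as admin in project"
openstack role add --project "$IDPROJECT" --group "$IDGRPADMIN" "$IDROLEADMIN"

echo "Set LDAP user group as _member_ in project"
openstack role add --project "$IDPROJECT" --group "$IDGRPUSER" "$IDROLEUSER"

echo "Restart keystone"
systemctl restart httpd
#--- Configuring network
echo "Drawing a random internal network for the project"
INTERNAL_NET=10.$(shuf -i 0-255 -n 1).$(shuf -i 0-255 -n 1).0/24

echo "Creating internal Network"
ID_NETINTERNAL=$(neutron net-create "net-$RHOSP_DOMAIN" --provider:network_type vxlan --tenant-id "$IDPROJECT" | table_id)
require_id "internal network id" "$ID_NETINTERNAL"

echo "Creating internal subnet"
ID_SUBNETINTERNAL=$(neutron subnet-create --name "subnet-$RHOSP_DOMAIN" --tenant-id "$IDPROJECT" "$ID_NETINTERNAL" "$INTERNAL_NET" | table_id)
require_id "internal subnet id" "$ID_SUBNETINTERNAL"

echo "Creating tenant router"
ID_ROUTER=$(neutron router-create --tenant-id "$IDPROJECT" "router-$RHOSP_DOMAIN" | table_id)
require_id "router id" "$ID_ROUTER"

echo "Get external network UUID"
ID_NETEXTERNAL=$(neutron net-show -F id "$EXTERNAL_NET_NAME" | table_id)
require_id "external network id" "$ID_NETEXTERNAL"

echo "Adding internal subnet interface to the router"
neutron router-interface-add "$ID_ROUTER" "$ID_SUBNETINTERNAL"

echo "And finally add the external interface to the router"
neutron router-gateway-set "$ID_ROUTER" "$ID_NETEXTERNAL"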