keystone.cmd.doctor.ldap module
- keystone.cmd.doctor.ldap.symptom_LDAP_file_based_domain_specific_configs()
Domain specific driver directory is invalid or contains invalid files.
If keystone.conf [identity] domain_specific_drivers_enabled is set to true, then support is enabled for individual domains to have their own identity drivers. The configurations for these can either be stored in a config file or in the database. The case we handle in this symptom is when they are stored in config files, which is indicated by keystone.conf [identity] domain_configurations_from_database being set to false.
- keystone.cmd.doctor.ldap.symptom_LDAP_file_based_domain_specific_configs_formatted_correctly()
LDAP domain specific configuration files are not formatted correctly.
If keystone.conf [identity] domain_specific_drivers_enabled is set to true, then support is enabled for individual domains to have their own identity drivers. The configurations for these can either be stored in a config file or in the database. The case we handle in this symptom is when they are stored in config files, which is indicated by keystone.conf [identity] domain_configurations_from_database being set to false. The config files located in the directory specified by keystone.conf [identity] domain_config_dir should be in the form of keystone.<domain_name>.conf and their contents should look something like this:
    [ldap]
    url = ldap://ldapservice.thecustomer.com
    query_scope = sub
    user_tree_dn = ou=Users,dc=openstack,dc=org
    user_objectclass = MyOrgPerson
    user_id_attribute = uid
    …
- keystone.cmd.doctor.ldap.symptom_LDAP_group_members_are_ids_disabled()
[ldap] group_members_are_ids is not enabled.
Because you’ve set keystone.conf [ldap] group_objectclass = posixGroup, we would have also expected you to enable keystone.conf [ldap] group_members_are_ids, because we suspect you’re using Open Directory, which would contain user IDs in a posixGroup rather than LDAP DNs, as other object classes typically would.
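The checks described by the three symptoms above can be reproduced outside keystone-manage doctor. The following is an added example, not keystone's own code: check_domain_config_dir and demo are hypothetical names, the sample files are constructed, and applying the posixGroup rule to each domain file's [ldap] section (rather than to keystone.conf) is an extension made here.

```python
import configparser
import os
import re
import tempfile

DOMAIN_CONF = re.compile(r"^keystone\.(.+)\.conf$")  # keystone.<domain_name>.conf
TRUE_VALUES = ("true", "1", "yes", "on")


def check_domain_config_dir(path):
    """Return (filename, problem) findings for a domain_config_dir."""
    if not os.path.isdir(path):
        return [(path, "not a directory")]
    findings = []
    for name in sorted(os.listdir(path)):
        if not DOMAIN_CONF.match(name):
            findings.append((name, "bad file name"))
            continue
        parser = configparser.ConfigParser(interpolation=None)
        try:
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                parser.read_file(fh)
        except (configparser.Error, OSError, UnicodeDecodeError) as exc:
            findings.append((name, "unparseable: " + type(exc).__name__))
            continue
        # Assumption: the posixGroup rule is applied per domain file here.
        if parser.get("ldap", "group_objectclass", fallback="") == "posixGroup":
            ids = parser.get("ldap", "group_members_are_ids", fallback="")
            if ids.lower() not in TRUE_VALUES:
                findings.append((name, "posixGroup without group_members_are_ids"))
    return findings


def demo():
    """Run the check over constructed sample files in a temporary directory."""
    samples = {
        "keystone.good.conf": "[ldap]\nurl = ldap://ldap.example.test\n",
        "keystone.flat.conf": "url = ldap://ldap.example.test\n",  # no [ldap] header
        "notes.txt": "stray file\n",
        "keystone.od.conf": "[ldap]\ngroup_objectclass = posixGroup\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return check_domain_config_dir(tmp)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```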