1fc65c7b82
LDAP configurations can be quite complex. ldap-config-flags provides the mechanism to pass arbitrary configuration options to keystone to interact with LDAP. The original documentation only mentions a comma delimited string. However, the code can handle much more complicated real world requirements as long as they are in a string format it can consume. This change documents the specific string format for a complex real world example both in the README and in config.yaml. Change-Id: If95eae2a8560d9feeaff66fbe52cab6b2593f5cf Closes-bug: #1674841
39 lines
1.3 KiB
YAML
39 lines
1.3 KiB
YAML
options:
|
|
domain-name:
|
|
type: string
|
|
default:
|
|
description: Name of the keystone domain to configure; defaults to the deployed application name.
|
|
ldap-server:
|
|
type: string
|
|
default:
|
|
description: LDAP server address for keystone identity backend.
|
|
ldap-user:
|
|
type: string
|
|
default:
|
|
description: Username of the LDAP identity server.
|
|
ldap-password:
|
|
type: string
|
|
default:
|
|
description: Password of the LDAP identity server.
|
|
ldap-suffix:
|
|
type: string
|
|
default:
|
|
description: LDAP server suffix to be used by keystone.
|
|
ldap-config-flags:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Additional LDAP configuration options.
|
|
For simple configurations use a comma separated string of key=value pairs.
|
|
"user_allow_create=False, user_allow_update=False, user_allow_delete=False"
|
|
For more complex configurations use a json like string with double quotes
|
|
and braces around all the options and single quotes around complex values.
|
|
"{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
|
|
user_allow_create: False,
|
|
user_allow_delete: False}"
|
|
See the README for more details.
|
|
ldap-readonly:
|
|
type: boolean
|
|
default: True
|
|
description: LDAP identity server backend readonly to keystone.
|