Merge "Improve keystone.conf [ldap] documentation"
This commit is contained in:
commit
ab98f85a20
|
@ -16,8 +16,8 @@ from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
_DEPRECATED_LDAP_WRITE = utils.fmt("""
|
_DEPRECATED_LDAP_WRITE = utils.fmt("""
|
||||||
Write support for Identity LDAP backends has been deprecated in the M release
|
Write support for the LDAP identity backend has been deprecated in the Mitaka
|
||||||
and will be removed in the O release.
|
release and will be removed in the Ocata release.
|
||||||
""")
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
@ -33,36 +33,42 @@ connection.
|
||||||
user = cfg.StrOpt(
|
user = cfg.StrOpt(
|
||||||
'user',
|
'user',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
User BindDN to query the LDAP server.
|
The user name of the administrator bind DN to use when querying the LDAP
|
||||||
|
server, if your LDAP server requires it.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
password = cfg.StrOpt(
|
password = cfg.StrOpt(
|
||||||
'password',
|
'password',
|
||||||
secret=True,
|
secret=True,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Password for the BindDN to query the LDAP server.
|
The password of the administrator bind DN to use when querying the LDAP server,
|
||||||
|
if your LDAP server requires it.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
suffix = cfg.StrOpt(
|
suffix = cfg.StrOpt(
|
||||||
'suffix',
|
'suffix',
|
||||||
default='cn=example,cn=com',
|
default='cn=example,cn=com',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP server suffix
|
The default LDAP server suffix to use, if a DN is not defined via either
|
||||||
|
`[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
use_dumb_member = cfg.BoolOpt(
|
use_dumb_member = cfg.BoolOpt(
|
||||||
'use_dumb_member',
|
'use_dumb_member',
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
If true, will add a dummy member to groups. This is required if the objectclass
|
If true, keystone will add a dummy member based on the `[ldap] dumb_member`
|
||||||
for groups requires the "member" attribute.
|
option when creating new groups. This is required if the object class for
|
||||||
"""))
|
groups requires the `member` attribute. This option is only used for write
|
||||||
|
operations.
|
||||||
|
"""))
|
||||||
|
|
||||||
dumb_member = cfg.StrOpt(
|
dumb_member = cfg.StrOpt(
|
||||||
'dumb_member',
|
'dumb_member',
|
||||||
default='cn=dumb,dc=nonexistent',
|
default='cn=dumb,dc=nonexistent',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
DN of the "dummy member" to use when "use_dumb_member" is enabled.
|
DN of the "dummy member" to use when `[ldap] use_dumb_member` is enabled. This
|
||||||
|
option is only used for write operations.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
allow_subtree_delete = cfg.BoolOpt(
|
allow_subtree_delete = cfg.BoolOpt(
|
||||||
|
@ -70,7 +76,8 @@ allow_subtree_delete = cfg.BoolOpt(
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Delete subtrees using the subtree delete control. Only enable this option if
|
Delete subtrees using the subtree delete control. Only enable this option if
|
||||||
your LDAP server supports subtree deletion.
|
your LDAP server supports subtree deletion. This option is only used for write
|
||||||
|
operations.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
query_scope = cfg.StrOpt(
|
query_scope = cfg.StrOpt(
|
||||||
|
@ -78,15 +85,22 @@ query_scope = cfg.StrOpt(
|
||||||
default='one',
|
default='one',
|
||||||
choices=['one', 'sub'],
|
choices=['one', 'sub'],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
|
The search scope which defines how deep to search within the search base. A
|
||||||
represents subtree/wholeSubtree options.
|
value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of
|
||||||
|
objects immediately below to the base object, but does not include the base
|
||||||
|
object itself. A value of `sub` (representing `subtree` or `wholeSubtree`)
|
||||||
|
indicates a search of both the base object itself and the entire subtree below
|
||||||
|
it.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
page_size = cfg.IntOpt(
|
page_size = cfg.IntOpt(
|
||||||
'page_size',
|
'page_size',
|
||||||
default=0,
|
default=0,
|
||||||
|
min=0,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Maximum results per page; a value of zero ("0") disables paging.
|
Defines the maximum number of results per page that keystone should request
|
||||||
|
from the LDAP server when listing objects. A value of zero (`0`) disables
|
||||||
|
paging.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
alias_dereferencing = cfg.StrOpt(
|
alias_dereferencing = cfg.StrOpt(
|
||||||
|
@ -94,12 +108,17 @@ alias_dereferencing = cfg.StrOpt(
|
||||||
default='default',
|
default='default',
|
||||||
choices=['never', 'searching', 'always', 'finding', 'default'],
|
choices=['never', 'searching', 'always', 'finding', 'default'],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
The LDAP dereferencing option for queries. The "default" option falls back to
|
The LDAP dereferencing option to use for queries involving aliases. A value of
|
||||||
using default dereferencing configured by your ldap.conf.
|
`default` falls back to using default dereferencing behavior configured by your
|
||||||
|
`ldap.conf`. A value of `never` prevents aliases from being dereferenced at
|
||||||
|
all. A value of `searching` dereferences aliases only after name resolution. A
|
||||||
|
value of `finding` dereferences aliases only during name resolution. A value of
|
||||||
|
`always` dereferences aliases in all cases.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
debug_level = cfg.IntOpt(
|
debug_level = cfg.IntOpt(
|
||||||
'debug_level',
|
'debug_level',
|
||||||
|
min=-1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
|
Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
|
||||||
is not enabled. This value is a bitmask, consult your LDAP documentation for
|
is not enabled. This value is a bitmask, consult your LDAP documentation for
|
||||||
|
@ -109,114 +128,125 @@ possible values.
|
||||||
chase_referrals = cfg.BoolOpt(
|
chase_referrals = cfg.BoolOpt(
|
||||||
'chase_referrals',
|
'chase_referrals',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Override the system's default referral chasing behavior for queries.
|
Sets keystone's referral chasing behavior across directory partitions. If left
|
||||||
|
unset, the system's default behavior will be used.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_tree_dn = cfg.StrOpt(
|
user_tree_dn = cfg.StrOpt(
|
||||||
'user_tree_dn',
|
'user_tree_dn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Search base for users. Defaults to the suffix value.
|
The search base to use for users. Defaults to the `[ldap] suffix` value.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_filter = cfg.StrOpt(
|
user_filter = cfg.StrOpt(
|
||||||
'user_filter',
|
'user_filter',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP search filter for users.
|
The LDAP search filter to use for users.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_objectclass = cfg.StrOpt(
|
user_objectclass = cfg.StrOpt(
|
||||||
'user_objectclass',
|
'user_objectclass',
|
||||||
default='inetOrgPerson',
|
default='inetOrgPerson',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP objectclass for users.
|
The LDAP object class to use for users.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_id_attribute = cfg.StrOpt(
|
user_id_attribute = cfg.StrOpt(
|
||||||
'user_id_attribute',
|
'user_id_attribute',
|
||||||
default='cn',
|
default='cn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to user id. WARNING: must not be a multivalued
|
The LDAP attribute mapped to user IDs in keystone. This must NOT be a
|
||||||
attribute.
|
multivalued attribute. User IDs are expected to be globally unique across
|
||||||
|
keystone domains and URL-safe.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_name_attribute = cfg.StrOpt(
|
user_name_attribute = cfg.StrOpt(
|
||||||
'user_name_attribute',
|
'user_name_attribute',
|
||||||
default='sn',
|
default='sn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to user name.
|
The LDAP attribute mapped to user names in keystone. User names are expected to
|
||||||
|
be unique only within a keystone domain and are not expected to be URL-safe.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_description_attribute = cfg.StrOpt(
|
user_description_attribute = cfg.StrOpt(
|
||||||
'user_description_attribute',
|
'user_description_attribute',
|
||||||
default='description',
|
default='description',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to user description.
|
The LDAP attribute mapped to user descriptions in keystone.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_mail_attribute = cfg.StrOpt(
|
user_mail_attribute = cfg.StrOpt(
|
||||||
'user_mail_attribute',
|
'user_mail_attribute',
|
||||||
default='mail',
|
default='mail',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to user email.
|
The LDAP attribute mapped to user emails in keystone.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_pass_attribute = cfg.StrOpt(
|
user_pass_attribute = cfg.StrOpt(
|
||||||
'user_pass_attribute',
|
'user_pass_attribute',
|
||||||
default='userPassword',
|
default='userPassword',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to password.
|
The LDAP attribute mapped to user passwords in keystone.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_attribute = cfg.StrOpt(
|
user_enabled_attribute = cfg.StrOpt(
|
||||||
'user_enabled_attribute',
|
'user_enabled_attribute',
|
||||||
default='enabled',
|
default='enabled',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to user enabled flag.
|
The LDAP attribute mapped to the user enabled attribute in keystone. If setting
|
||||||
|
this option to `userAccountControl`, then you may be interested in setting
|
||||||
|
`[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_invert = cfg.BoolOpt(
|
user_enabled_invert = cfg.BoolOpt(
|
||||||
'user_enabled_invert',
|
'user_enabled_invert',
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Invert the meaning of the boolean enabled values. Some LDAP servers use a
|
Logically negate the boolean value of the enabled attribute obtained from the
|
||||||
boolean lock attribute where "true" means an account is disabled. Setting
|
LDAP server. Some LDAP servers use a boolean lock attribute where "true" means
|
||||||
"user_enabled_invert = true" will allow these lock attributes to be used. This
|
an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow
|
||||||
setting will have no effect if "user_enabled_mask" or "user_enabled_emulation"
|
these lock attributes to be used. This option will have no effect if either the
|
||||||
settings are in use.
|
`[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in
|
||||||
|
use.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_mask = cfg.IntOpt(
|
user_enabled_mask = cfg.IntOpt(
|
||||||
'user_enabled_mask',
|
'user_enabled_mask',
|
||||||
default=0,
|
default=0,
|
||||||
|
min=0,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Bitmask integer to indicate the bit that the enabled value is stored in if the
|
Bitmask integer to select which bit indicates the enabled value if the LDAP
|
||||||
LDAP server represents "enabled" as a bit on an integer rather than a boolean.
|
server represents "enabled" as a bit on an integer rather than as a discrete
|
||||||
A value of "0" indicates the mask is not used. If this is not set to "0" the
|
boolean. A value of `0` indicates that the mask is not used. If this is not set
|
||||||
typical value is "2". This is typically used when "user_enabled_attribute =
|
to `0` the typical value is `2`. This is typically used when `[ldap]
|
||||||
userAccountControl".
|
user_enabled_attribute = userAccountControl`. Setting this option causes
|
||||||
|
keystone to ignore the value of `[ldap] user_enabled_invert`.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_default = cfg.StrOpt(
|
user_enabled_default = cfg.StrOpt(
|
||||||
'user_enabled_default',
|
'user_enabled_default',
|
||||||
default='True',
|
default='True',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Default value to enable users. This should match an appropriate int value if
|
The default value to enable users. This should match an appropriate integer
|
||||||
the LDAP server uses non-boolean (bitmask) values to indicate if a user is
|
value if the LDAP server uses non-boolean (bitmask) values to indicate if a
|
||||||
enabled or disabled. If this is not set to "True" the typical value is "512".
|
user is enabled or disabled. If this is not set to `True`, then the typical
|
||||||
This is typically used when "user_enabled_attribute = userAccountControl".
|
value is `512`. This is typically used when `[ldap] user_enabled_attribute =
|
||||||
|
userAccountControl`.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_attribute_ignore = cfg.ListOpt(
|
user_attribute_ignore = cfg.ListOpt(
|
||||||
'user_attribute_ignore',
|
'user_attribute_ignore',
|
||||||
default=['default_project_id'],
|
default=['default_project_id'],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
List of attributes stripped off the user on update.
|
List of user attributes to ignore on create and update. This is only used for
|
||||||
|
write operations.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_default_project_id_attribute = cfg.StrOpt(
|
user_default_project_id_attribute = cfg.StrOpt(
|
||||||
'user_default_project_id_attribute',
|
'user_default_project_id_attribute',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to default_project_id for users.
|
The LDAP attribute mapped to a user's default_project_id in keystone. This is
|
||||||
|
most commonly used when keystone has write access to LDAP.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_allow_create = cfg.BoolOpt(
|
user_allow_create = cfg.BoolOpt(
|
||||||
|
@ -225,7 +255,7 @@ user_allow_create = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow user creation in LDAP backend.
|
If enabled, keystone is allowed to create users in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_allow_update = cfg.BoolOpt(
|
user_allow_update = cfg.BoolOpt(
|
||||||
|
@ -234,7 +264,7 @@ user_allow_update = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow user updates in LDAP backend.
|
If enabled, keystone is allowed to update users in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_allow_delete = cfg.BoolOpt(
|
user_allow_delete = cfg.BoolOpt(
|
||||||
|
@ -243,94 +273,114 @@ user_allow_delete = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow user deletion in LDAP backend.
|
If enabled, keystone is allowed to delete users in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_emulation = cfg.BoolOpt(
|
user_enabled_emulation = cfg.BoolOpt(
|
||||||
'user_enabled_emulation',
|
'user_enabled_emulation',
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
If true, Keystone uses an alternative method to determine if a user is enabled
|
If enabled, keystone uses an alternative method to determine if a user is
|
||||||
or not by checking if they are a member of the "user_enabled_emulation_dn"
|
enabled or not by checking if they are a member of the group defined by the
|
||||||
group.
|
`[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone
|
||||||
|
to ignore the value of `[ldap] user_enabled_invert`.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_emulation_dn = cfg.StrOpt(
|
user_enabled_emulation_dn = cfg.StrOpt(
|
||||||
'user_enabled_emulation_dn',
|
'user_enabled_emulation_dn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
DN of the group entry to hold enabled users when using enabled emulation.
|
DN of the group entry to hold enabled users when using enabled emulation.
|
||||||
|
Setting this option has no effect unless `[ldap] user_enabled_emulation` is
|
||||||
|
also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_enabled_emulation_use_group_config = cfg.BoolOpt(
|
user_enabled_emulation_use_group_config = cfg.BoolOpt(
|
||||||
'user_enabled_emulation_use_group_config',
|
'user_enabled_emulation_use_group_config',
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Use the "group_member_attribute" and "group_objectclass" settings to determine
|
Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings
|
||||||
membership in the emulated enabled group.
|
to determine membership in the emulated enabled group. Enabling this option has
|
||||||
|
no effect unless `[ldap] user_enabled_emulation` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
user_additional_attribute_mapping = cfg.ListOpt(
|
user_additional_attribute_mapping = cfg.ListOpt(
|
||||||
'user_additional_attribute_mapping',
|
'user_additional_attribute_mapping',
|
||||||
default=[],
|
default=[],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
List of additional LDAP attributes used for mapping additional attribute
|
A list of LDAP attribute to keystone user attribute pairs used for mapping
|
||||||
mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where
|
additional attributes to users in keystone. The expected format is
|
||||||
ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API
|
`<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP
|
||||||
attribute.
|
object and `user_attr` is the attribute which should appear in the identity
|
||||||
|
API.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_tree_dn = cfg.StrOpt(
|
group_tree_dn = cfg.StrOpt(
|
||||||
'group_tree_dn',
|
'group_tree_dn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Search base for groups. Defaults to the suffix value.
|
The search base to use for groups. Defaults to the `[ldap] suffix` value.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_filter = cfg.StrOpt(
|
group_filter = cfg.StrOpt(
|
||||||
'group_filter',
|
'group_filter',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP search filter for groups.
|
The LDAP search filter to use for groups.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_objectclass = cfg.StrOpt(
|
group_objectclass = cfg.StrOpt(
|
||||||
'group_objectclass',
|
'group_objectclass',
|
||||||
default='groupOfNames',
|
default='groupOfNames',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP objectclass for groups.
|
The LDAP object class to use for groups. If setting this option to
|
||||||
|
`posixGroup`, you may also be interested in enabling the `[ldap]
|
||||||
|
group_members_are_ids` option.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_id_attribute = cfg.StrOpt(
|
group_id_attribute = cfg.StrOpt(
|
||||||
'group_id_attribute',
|
'group_id_attribute',
|
||||||
default='cn',
|
default='cn',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to group id.
|
The LDAP attribute mapped to group IDs in keystone. This must NOT be a
|
||||||
|
multivalued attribute. Group IDs are expected to be globally unique across
|
||||||
|
keystone domains and URL-safe.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_name_attribute = cfg.StrOpt(
|
group_name_attribute = cfg.StrOpt(
|
||||||
'group_name_attribute',
|
'group_name_attribute',
|
||||||
default='ou',
|
default='ou',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to group name.
|
The LDAP attribute mapped to group names in keystone. Group names are expected
|
||||||
|
to be unique only within a keystone domain and are not expected to be URL-safe.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_member_attribute = cfg.StrOpt(
|
group_member_attribute = cfg.StrOpt(
|
||||||
'group_member_attribute',
|
'group_member_attribute',
|
||||||
default='member',
|
default='member',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to show group membership.
|
The LDAP attribute used to indicate that a user is a member of the group.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_members_are_ids = cfg.BoolOpt(
|
||||||
|
'group_members_are_ids',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable this option if the members of the group object class are keystone user
|
||||||
|
IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group
|
||||||
|
object class in Open Directory.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_desc_attribute = cfg.StrOpt(
|
group_desc_attribute = cfg.StrOpt(
|
||||||
'group_desc_attribute',
|
'group_desc_attribute',
|
||||||
default='description',
|
default='description',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
LDAP attribute mapped to group description.
|
The LDAP attribute mapped to group descriptions in keystone.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_attribute_ignore = cfg.ListOpt(
|
group_attribute_ignore = cfg.ListOpt(
|
||||||
'group_attribute_ignore',
|
'group_attribute_ignore',
|
||||||
default=[],
|
default=[],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
List of attributes stripped off the group on update.
|
List of group attributes to ignore on create and update. This is only used for
|
||||||
|
write operations.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_allow_create = cfg.BoolOpt(
|
group_allow_create = cfg.BoolOpt(
|
||||||
|
@ -339,7 +389,7 @@ group_allow_create = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow group creation in LDAP backend.
|
If enabled, keystone is allowed to create groups in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_allow_update = cfg.BoolOpt(
|
group_allow_update = cfg.BoolOpt(
|
||||||
|
@ -348,7 +398,7 @@ group_allow_update = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow group update in LDAP backend.
|
If enabled, keystone is allowed to update groups in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_allow_delete = cfg.BoolOpt(
|
group_allow_delete = cfg.BoolOpt(
|
||||||
|
@ -357,36 +407,44 @@ group_allow_delete = cfg.BoolOpt(
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Allow group deletion in LDAP backend.
|
If enabled, keystone is allowed to delete groups in the LDAP server.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
group_additional_attribute_mapping = cfg.ListOpt(
|
group_additional_attribute_mapping = cfg.ListOpt(
|
||||||
'group_additional_attribute_mapping',
|
'group_additional_attribute_mapping',
|
||||||
default=[],
|
default=[],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Additional attribute mappings for groups. Attribute mapping format is
|
A list of LDAP attribute to keystone group attribute pairs used for mapping
|
||||||
<ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and
|
additional attributes to groups in keystone. The expected format is
|
||||||
user_attr is the Identity API attribute.
|
`<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP
|
||||||
|
object and `group_attr` is the attribute which should appear in the identity
|
||||||
|
API.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
|
|
||||||
tls_cacertfile = cfg.StrOpt(
|
tls_cacertfile = cfg.StrOpt(
|
||||||
'tls_cacertfile',
|
'tls_cacertfile',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
CA certificate file path for communicating with LDAP servers.
|
An absolute path to a CA certificate file to use when communicating with LDAP
|
||||||
|
servers. This option will take precedence over `[ldap] tls_cacertdir`, so there
|
||||||
|
is no reason to set both.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
tls_cacertdir = cfg.StrOpt(
|
tls_cacertdir = cfg.StrOpt(
|
||||||
'tls_cacertdir',
|
'tls_cacertdir',
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
CA certificate directory path for communicating with LDAP servers.
|
An absolute path to a CA certificate directory to use when communicating with
|
||||||
|
LDAP servers. There is no reason to set this option if you've also set `[ldap]
|
||||||
|
tls_cacertfile`.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
use_tls = cfg.BoolOpt(
|
use_tls = cfg.BoolOpt(
|
||||||
'use_tls',
|
'use_tls',
|
||||||
default=False,
|
default=False,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Enable TLS for communicating with LDAP servers.
|
Enable TLS when communicating with LDAP servers. You should also set the
|
||||||
|
`[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
|
||||||
|
option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
|
||||||
|
of TLS.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
tls_req_cert = cfg.StrOpt(
|
tls_req_cert = cfg.StrOpt(
|
||||||
|
@ -394,82 +452,95 @@ tls_req_cert = cfg.StrOpt(
|
||||||
default='demand',
|
default='demand',
|
||||||
choices=['demand', 'never', 'allow'],
|
choices=['demand', 'never', 'allow'],
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Specifies what checks to perform on client certificates in an incoming TLS
|
Specifies which checks to perform against client certificates on incoming TLS
|
||||||
session.
|
sessions. If set to `demand`, then a certificate will always be requested and
|
||||||
|
required from the LDAP server. If set to `allow`, then a certificate will
|
||||||
|
always be requested but not required from the LDAP server. If set to `never`,
|
||||||
|
then a certificate will never be requested.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
use_pool = cfg.BoolOpt(
|
use_pool = cfg.BoolOpt(
|
||||||
'use_pool',
|
'use_pool',
|
||||||
default=True,
|
default=True,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Enable LDAP connection pooling.
|
Enable LDAP connection pooling for queries to the LDAP server. There is
|
||||||
|
typically no reason to disable this.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
pool_size = cfg.IntOpt(
|
pool_size = cfg.IntOpt(
|
||||||
'pool_size',
|
'pool_size',
|
||||||
default=10,
|
default=10,
|
||||||
|
min=1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Connection pool size.
|
The size of the LDAP connection pool. This option has no effect unless `[ldap]
|
||||||
|
use_pool` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
pool_retry_max = cfg.IntOpt(
|
pool_retry_max = cfg.IntOpt(
|
||||||
'pool_retry_max',
|
'pool_retry_max',
|
||||||
default=3,
|
default=3,
|
||||||
|
min=0,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Maximum count of reconnect trials.
|
The maximum number of times to attempt reconnecting to the LDAP server before
|
||||||
|
aborting. A value of zero prevents retries. This option has no effect unless
|
||||||
|
`[ldap] use_pool` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
pool_retry_delay = cfg.FloatOpt(
|
pool_retry_delay = cfg.FloatOpt(
|
||||||
'pool_retry_delay',
|
'pool_retry_delay',
|
||||||
default=0.1,
|
default=0.1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Time span in seconds to wait between two reconnect trials.
|
The number of seconds to wait before attempting to reconnect to the LDAP
|
||||||
|
server. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
pool_connection_timeout = cfg.IntOpt(
|
pool_connection_timeout = cfg.IntOpt(
|
||||||
'pool_connection_timeout',
|
'pool_connection_timeout',
|
||||||
default=-1,
|
default=-1,
|
||||||
|
min=-1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Connector timeout in seconds. Value -1 indicates indefinite wait for
|
The connection timeout to use with the LDAP server. A value of `-1` means that
|
||||||
response.
|
connections will never timeout. This option has no effect unless `[ldap]
|
||||||
|
use_pool` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
pool_connection_lifetime = cfg.IntOpt(
|
pool_connection_lifetime = cfg.IntOpt(
|
||||||
'pool_connection_lifetime',
|
'pool_connection_lifetime',
|
||||||
default=600,
|
default=600,
|
||||||
|
min=1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Connection lifetime in seconds.
|
The maximum connection lifetime to the LDAP server in seconds. When this
|
||||||
|
lifetime is exceeded, the connection will be unbound and removed from the
|
||||||
|
connection pool. This option has no effect unless `[ldap] use_pool` is also
|
||||||
|
enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
use_auth_pool = cfg.BoolOpt(
|
use_auth_pool = cfg.BoolOpt(
|
||||||
'use_auth_pool',
|
'use_auth_pool',
|
||||||
default=True,
|
default=True,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
Enable LDAP connection pooling for end user authentication. If use_pool is
|
Enable LDAP connection pooling for end user authentication. There is typically
|
||||||
disabled, then this setting is meaningless and is not used at all.
|
no reason to disable this.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
auth_pool_size = cfg.IntOpt(
|
auth_pool_size = cfg.IntOpt(
|
||||||
'auth_pool_size',
|
'auth_pool_size',
|
||||||
default=100,
|
default=100,
|
||||||
|
min=1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
End user auth connection pool size.
|
The size of the connection pool to use for end user authentication. This option
|
||||||
|
has no effect unless `[ldap] use_auth_pool` is also enabled.
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
auth_pool_connection_lifetime = cfg.IntOpt(
|
auth_pool_connection_lifetime = cfg.IntOpt(
|
||||||
'auth_pool_connection_lifetime',
|
'auth_pool_connection_lifetime',
|
||||||
default=60,
|
default=60,
|
||||||
|
min=1,
|
||||||
help=utils.fmt("""
|
help=utils.fmt("""
|
||||||
End user auth connection lifetime in seconds.
|
The maximum end user authentication connection lifetime to the LDAP server in
|
||||||
"""))
|
seconds. When this lifetime is exceeded, the connection will be unbound and
|
||||||
|
removed from the connection pool. This option has no effect unless `[ldap]
|
||||||
group_members_are_ids = cfg.BoolOpt(
|
use_auth_pool` is also enabled.
|
||||||
'group_members_are_ids',
|
|
||||||
default=False,
|
|
||||||
help=utils.fmt("""
|
|
||||||
If the members of the group objectclass are user IDs rather than DNs, set this
|
|
||||||
to true. This is the case when using posixGroup as the group objectclass and
|
|
||||||
OpenDirectory.
|
|
||||||
"""))
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
@ -514,6 +585,7 @@ ALL_OPTS = [
|
||||||
group_id_attribute,
|
group_id_attribute,
|
||||||
group_name_attribute,
|
group_name_attribute,
|
||||||
group_member_attribute,
|
group_member_attribute,
|
||||||
|
group_members_are_ids,
|
||||||
group_desc_attribute,
|
group_desc_attribute,
|
||||||
group_attribute_ignore,
|
group_attribute_ignore,
|
||||||
group_allow_create,
|
group_allow_create,
|
||||||
|
@ -533,7 +605,6 @@ ALL_OPTS = [
|
||||||
use_auth_pool,
|
use_auth_pool,
|
||||||
auth_pool_size,
|
auth_pool_size,
|
||||||
auth_pool_connection_lifetime,
|
auth_pool_connection_lifetime,
|
||||||
group_members_are_ids,
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue