OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

540 lines
16KB

  1. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  2. # not use this file except in compliance with the License. You may obtain
  3. # a copy of the License at
  4. #
  5. # http://www.apache.org/licenses/LICENSE-2.0
  6. #
  7. # Unless required by applicable law or agreed to in writing, software
  8. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  9. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  10. # License for the specific language governing permissions and limitations
  11. # under the License.
  12. from oslo_config import cfg
  13. from keystone.conf import utils
  14. url = cfg.StrOpt(
  15. 'url',
  16. default='ldap://localhost',
  17. help=utils.fmt("""
  18. URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
  19. as a comma separated string. The first URL to successfully bind is used for the
  20. connection.
  21. """))
  22. user = cfg.StrOpt(
  23. 'user',
  24. help=utils.fmt("""
  25. The user name of the administrator bind DN to use when querying the LDAP
  26. server, if your LDAP server requires it.
  27. """))
  28. password = cfg.StrOpt(
  29. 'password',
  30. secret=True,
  31. help=utils.fmt("""
  32. The password of the administrator bind DN to use when querying the LDAP server,
  33. if your LDAP server requires it.
  34. """))
  35. suffix = cfg.StrOpt(
  36. 'suffix',
  37. default='cn=example,cn=com',
  38. help=utils.fmt("""
  39. The default LDAP server suffix to use, if a DN is not defined via either
  40. `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
  41. """))
  42. query_scope = cfg.StrOpt(
  43. 'query_scope',
  44. default='one',
  45. choices=['one', 'sub'],
  46. help=utils.fmt("""
  47. The search scope which defines how deep to search within the search base. A
  48. value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of
  49. objects immediately below to the base object, but does not include the base
  50. object itself. A value of `sub` (representing `subtree` or `wholeSubtree`)
  51. indicates a search of both the base object itself and the entire subtree below
  52. it.
  53. """))
  54. page_size = cfg.IntOpt(
  55. 'page_size',
  56. default=0,
  57. min=0,
  58. help=utils.fmt("""
  59. Defines the maximum number of results per page that keystone should request
  60. from the LDAP server when listing objects. A value of zero (`0`) disables
  61. paging.
  62. """))
  63. alias_dereferencing = cfg.StrOpt(
  64. 'alias_dereferencing',
  65. default='default',
  66. choices=['never', 'searching', 'always', 'finding', 'default'],
  67. help=utils.fmt("""
  68. The LDAP dereferencing option to use for queries involving aliases. A value of
  69. `default` falls back to using default dereferencing behavior configured by your
  70. `ldap.conf`. A value of `never` prevents aliases from being dereferenced at
  71. all. A value of `searching` dereferences aliases only after name resolution. A
  72. value of `finding` dereferences aliases only during name resolution. A value of
  73. `always` dereferences aliases in all cases.
  74. """))
  75. debug_level = cfg.IntOpt(
  76. 'debug_level',
  77. min=-1,
  78. help=utils.fmt("""
  79. Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
  80. is not enabled. This value is a bitmask, consult your LDAP documentation for
  81. possible values.
  82. """))
  83. chase_referrals = cfg.BoolOpt(
  84. 'chase_referrals',
  85. help=utils.fmt("""
  86. Sets keystone's referral chasing behavior across directory partitions. If left
  87. unset, the system's default behavior will be used.
  88. """))
  89. user_tree_dn = cfg.StrOpt(
  90. 'user_tree_dn',
  91. help=utils.fmt("""
  92. The search base to use for users. Defaults to the `[ldap] suffix` value.
  93. """))
  94. user_filter = cfg.StrOpt(
  95. 'user_filter',
  96. help=utils.fmt("""
  97. The LDAP search filter to use for users.
  98. """))
  99. user_objectclass = cfg.StrOpt(
  100. 'user_objectclass',
  101. default='inetOrgPerson',
  102. help=utils.fmt("""
  103. The LDAP object class to use for users.
  104. """))
  105. user_id_attribute = cfg.StrOpt(
  106. 'user_id_attribute',
  107. default='cn',
  108. help=utils.fmt("""
  109. The LDAP attribute mapped to user IDs in keystone. This must NOT be a
  110. multivalued attribute. User IDs are expected to be globally unique across
  111. keystone domains and URL-safe.
  112. """))
  113. user_name_attribute = cfg.StrOpt(
  114. 'user_name_attribute',
  115. default='sn',
  116. help=utils.fmt("""
  117. The LDAP attribute mapped to user names in keystone. User names are expected to
  118. be unique only within a keystone domain and are not expected to be URL-safe.
  119. """))
  120. user_description_attribute = cfg.StrOpt(
  121. 'user_description_attribute',
  122. default='description',
  123. help=utils.fmt("""
  124. The LDAP attribute mapped to user descriptions in keystone.
  125. """))
  126. user_mail_attribute = cfg.StrOpt(
  127. 'user_mail_attribute',
  128. default='mail',
  129. help=utils.fmt("""
  130. The LDAP attribute mapped to user emails in keystone.
  131. """))
  132. user_pass_attribute = cfg.StrOpt(
  133. 'user_pass_attribute',
  134. default='userPassword',
  135. help=utils.fmt("""
  136. The LDAP attribute mapped to user passwords in keystone.
  137. """))
  138. user_enabled_attribute = cfg.StrOpt(
  139. 'user_enabled_attribute',
  140. default='enabled',
  141. help=utils.fmt("""
  142. The LDAP attribute mapped to the user enabled attribute in keystone. If setting
  143. this option to `userAccountControl`, then you may be interested in setting
  144. `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
  145. """))
  146. user_enabled_invert = cfg.BoolOpt(
  147. 'user_enabled_invert',
  148. default=False,
  149. help=utils.fmt("""
  150. Logically negate the boolean value of the enabled attribute obtained from the
  151. LDAP server. Some LDAP servers use a boolean lock attribute where "true" means
  152. an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow
  153. these lock attributes to be used. This option will have no effect if either the
  154. `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in
  155. use.
  156. """))
  157. user_enabled_mask = cfg.IntOpt(
  158. 'user_enabled_mask',
  159. default=0,
  160. min=0,
  161. help=utils.fmt("""
  162. Bitmask integer to select which bit indicates the enabled value if the LDAP
  163. server represents "enabled" as a bit on an integer rather than as a discrete
  164. boolean. A value of `0` indicates that the mask is not used. If this is not set
  165. to `0` the typical value is `2`. This is typically used when `[ldap]
  166. user_enabled_attribute = userAccountControl`. Setting this option causes
  167. keystone to ignore the value of `[ldap] user_enabled_invert`.
  168. """))
  169. user_enabled_default = cfg.StrOpt(
  170. 'user_enabled_default',
  171. default='True',
  172. help=utils.fmt("""
  173. The default value to enable users. This should match an appropriate integer
  174. value if the LDAP server uses non-boolean (bitmask) values to indicate if a
  175. user is enabled or disabled. If this is not set to `True`, then the typical
  176. value is `512`. This is typically used when `[ldap] user_enabled_attribute =
  177. userAccountControl`.
  178. """))
  179. user_attribute_ignore = cfg.ListOpt(
  180. 'user_attribute_ignore',
  181. default=['default_project_id'],
  182. help=utils.fmt("""
  183. List of user attributes to ignore on create and update, or whether a specific
  184. user attribute should be filtered for list or show user.
  185. """))
  186. user_default_project_id_attribute = cfg.StrOpt(
  187. 'user_default_project_id_attribute',
  188. help=utils.fmt("""
  189. The LDAP attribute mapped to a user's default_project_id in keystone. This is
  190. most commonly used when keystone has write access to LDAP.
  191. """))
  192. user_enabled_emulation = cfg.BoolOpt(
  193. 'user_enabled_emulation',
  194. default=False,
  195. help=utils.fmt("""
  196. If enabled, keystone uses an alternative method to determine if a user is
  197. enabled or not by checking if they are a member of the group defined by the
  198. `[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone
  199. to ignore the value of `[ldap] user_enabled_invert`.
  200. """))
  201. user_enabled_emulation_dn = cfg.StrOpt(
  202. 'user_enabled_emulation_dn',
  203. help=utils.fmt("""
  204. DN of the group entry to hold enabled users when using enabled emulation.
  205. Setting this option has no effect unless `[ldap] user_enabled_emulation` is
  206. also enabled.
  207. """))
  208. user_enabled_emulation_use_group_config = cfg.BoolOpt(
  209. 'user_enabled_emulation_use_group_config',
  210. default=False,
  211. help=utils.fmt("""
  212. Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings
  213. to determine membership in the emulated enabled group. Enabling this option has
  214. no effect unless `[ldap] user_enabled_emulation` is also enabled.
  215. """))
  216. user_additional_attribute_mapping = cfg.ListOpt(
  217. 'user_additional_attribute_mapping',
  218. default=[],
  219. help=utils.fmt("""
  220. A list of LDAP attribute to keystone user attribute pairs used for mapping
  221. additional attributes to users in keystone. The expected format is
  222. `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP
  223. object and `user_attr` is the attribute which should appear in the identity
  224. API.
  225. """))
  226. group_tree_dn = cfg.StrOpt(
  227. 'group_tree_dn',
  228. help=utils.fmt("""
  229. The search base to use for groups. Defaults to the `[ldap] suffix` value.
  230. """))
  231. group_filter = cfg.StrOpt(
  232. 'group_filter',
  233. help=utils.fmt("""
  234. The LDAP search filter to use for groups.
  235. """))
  236. group_objectclass = cfg.StrOpt(
  237. 'group_objectclass',
  238. default='groupOfNames',
  239. help=utils.fmt("""
  240. The LDAP object class to use for groups. If setting this option to
  241. `posixGroup`, you may also be interested in enabling the `[ldap]
  242. group_members_are_ids` option.
  243. """))
  244. group_id_attribute = cfg.StrOpt(
  245. 'group_id_attribute',
  246. default='cn',
  247. help=utils.fmt("""
  248. The LDAP attribute mapped to group IDs in keystone. This must NOT be a
  249. multivalued attribute. Group IDs are expected to be globally unique across
  250. keystone domains and URL-safe.
  251. """))
  252. group_name_attribute = cfg.StrOpt(
  253. 'group_name_attribute',
  254. default='ou',
  255. help=utils.fmt("""
  256. The LDAP attribute mapped to group names in keystone. Group names are expected
  257. to be unique only within a keystone domain and are not expected to be URL-safe.
  258. """))
  259. group_member_attribute = cfg.StrOpt(
  260. 'group_member_attribute',
  261. default='member',
  262. help=utils.fmt("""
  263. The LDAP attribute used to indicate that a user is a member of the group.
  264. """))
  265. group_members_are_ids = cfg.BoolOpt(
  266. 'group_members_are_ids',
  267. default=False,
  268. help=utils.fmt("""
  269. Enable this option if the members of the group object class are keystone user
  270. IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group
  271. object class in Open Directory.
  272. """))
  273. group_desc_attribute = cfg.StrOpt(
  274. 'group_desc_attribute',
  275. default='description',
  276. help=utils.fmt("""
  277. The LDAP attribute mapped to group descriptions in keystone.
  278. """))
  279. group_attribute_ignore = cfg.ListOpt(
  280. 'group_attribute_ignore',
  281. default=[],
  282. help=utils.fmt("""
  283. List of group attributes to ignore on create and update. or whether a specific
  284. group attribute should be filtered for list or show group.
  285. """))
  286. group_additional_attribute_mapping = cfg.ListOpt(
  287. 'group_additional_attribute_mapping',
  288. default=[],
  289. help=utils.fmt("""
  290. A list of LDAP attribute to keystone group attribute pairs used for mapping
  291. additional attributes to groups in keystone. The expected format is
  292. `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP
  293. object and `group_attr` is the attribute which should appear in the identity
  294. API.
  295. """))
  296. group_ad_nesting = cfg.BoolOpt(
  297. 'group_ad_nesting',
  298. default=False,
  299. help=utils.fmt("""
  300. If enabled, group queries will use Active Directory specific filters for
  301. nested groups.
  302. """))
  303. tls_cacertfile = cfg.StrOpt(
  304. 'tls_cacertfile',
  305. help=utils.fmt("""
  306. An absolute path to a CA certificate file to use when communicating with LDAP
  307. servers. This option will take precedence over `[ldap] tls_cacertdir`, so there
  308. is no reason to set both.
  309. """))
  310. tls_cacertdir = cfg.StrOpt(
  311. 'tls_cacertdir',
  312. help=utils.fmt("""
  313. An absolute path to a CA certificate directory to use when communicating with
  314. LDAP servers. There is no reason to set this option if you've also set `[ldap]
  315. tls_cacertfile`.
  316. """))
  317. use_tls = cfg.BoolOpt(
  318. 'use_tls',
  319. default=False,
  320. help=utils.fmt("""
  321. Enable TLS when communicating with LDAP servers. You should also set the
  322. `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
  323. option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
  324. of TLS.
  325. """))
  326. tls_req_cert = cfg.StrOpt(
  327. 'tls_req_cert',
  328. default='demand',
  329. choices=['demand', 'never', 'allow'],
  330. help=utils.fmt("""
  331. Specifies which checks to perform against client certificates on incoming TLS
  332. sessions. If set to `demand`, then a certificate will always be requested and
  333. required from the LDAP server. If set to `allow`, then a certificate will
  334. always be requested but not required from the LDAP server. If set to `never`,
  335. then a certificate will never be requested.
  336. """))
  337. connection_timeout = cfg.IntOpt(
  338. 'connection_timeout',
  339. default=-1,
  340. min=-1,
  341. help=utils.fmt("""
  342. The connection timeout to use with the LDAP server. A value of `-1` means that
  343. connections will never timeout.
  344. """))
  345. use_pool = cfg.BoolOpt(
  346. 'use_pool',
  347. default=True,
  348. help=utils.fmt("""
  349. Enable LDAP connection pooling for queries to the LDAP server. There is
  350. typically no reason to disable this.
  351. """))
  352. pool_size = cfg.IntOpt(
  353. 'pool_size',
  354. default=10,
  355. min=1,
  356. help=utils.fmt("""
  357. The size of the LDAP connection pool. This option has no effect unless `[ldap]
  358. use_pool` is also enabled.
  359. """))
  360. pool_retry_max = cfg.IntOpt(
  361. 'pool_retry_max',
  362. default=3,
  363. min=0,
  364. help=utils.fmt("""
  365. The maximum number of times to attempt reconnecting to the LDAP server before
  366. aborting. A value of zero prevents retries. This option has no effect unless
  367. `[ldap] use_pool` is also enabled.
  368. """))
  369. pool_retry_delay = cfg.FloatOpt(
  370. 'pool_retry_delay',
  371. default=0.1,
  372. help=utils.fmt("""
  373. The number of seconds to wait before attempting to reconnect to the LDAP
  374. server. This option has no effect unless `[ldap] use_pool` is also enabled.
  375. """))
  376. pool_connection_timeout = cfg.IntOpt(
  377. 'pool_connection_timeout',
  378. default=-1,
  379. min=-1,
  380. help=utils.fmt("""
  381. The connection timeout to use when pooling LDAP connections. A value of `-1`
  382. means that connections will never timeout. This option has no effect unless
  383. `[ldap] use_pool` is also enabled.
  384. """))
  385. pool_connection_lifetime = cfg.IntOpt(
  386. 'pool_connection_lifetime',
  387. default=600,
  388. min=1,
  389. help=utils.fmt("""
  390. The maximum connection lifetime to the LDAP server in seconds. When this
  391. lifetime is exceeded, the connection will be unbound and removed from the
  392. connection pool. This option has no effect unless `[ldap] use_pool` is also
  393. enabled.
  394. """))
  395. use_auth_pool = cfg.BoolOpt(
  396. 'use_auth_pool',
  397. default=True,
  398. help=utils.fmt("""
  399. Enable LDAP connection pooling for end user authentication. There is typically
  400. no reason to disable this.
  401. """))
  402. auth_pool_size = cfg.IntOpt(
  403. 'auth_pool_size',
  404. default=100,
  405. min=1,
  406. help=utils.fmt("""
  407. The size of the connection pool to use for end user authentication. This option
  408. has no effect unless `[ldap] use_auth_pool` is also enabled.
  409. """))
  410. auth_pool_connection_lifetime = cfg.IntOpt(
  411. 'auth_pool_connection_lifetime',
  412. default=60,
  413. min=1,
  414. help=utils.fmt("""
  415. The maximum end user authentication connection lifetime to the LDAP server in
  416. seconds. When this lifetime is exceeded, the connection will be unbound and
  417. removed from the connection pool. This option has no effect unless `[ldap]
  418. use_auth_pool` is also enabled.
  419. """))
  420. GROUP_NAME = __name__.split('.')[-1]
  421. ALL_OPTS = [
  422. url,
  423. user,
  424. password,
  425. suffix,
  426. query_scope,
  427. page_size,
  428. alias_dereferencing,
  429. debug_level,
  430. chase_referrals,
  431. user_tree_dn,
  432. user_filter,
  433. user_objectclass,
  434. user_id_attribute,
  435. user_name_attribute,
  436. user_description_attribute,
  437. user_mail_attribute,
  438. user_pass_attribute,
  439. user_enabled_attribute,
  440. user_enabled_invert,
  441. user_enabled_mask,
  442. user_enabled_default,
  443. user_attribute_ignore,
  444. user_default_project_id_attribute,
  445. user_enabled_emulation,
  446. user_enabled_emulation_dn,
  447. user_enabled_emulation_use_group_config,
  448. user_additional_attribute_mapping,
  449. group_tree_dn,
  450. group_filter,
  451. group_objectclass,
  452. group_id_attribute,
  453. group_name_attribute,
  454. group_member_attribute,
  455. group_members_are_ids,
  456. group_desc_attribute,
  457. group_attribute_ignore,
  458. group_additional_attribute_mapping,
  459. group_ad_nesting,
  460. tls_cacertfile,
  461. tls_cacertdir,
  462. use_tls,
  463. tls_req_cert,
  464. connection_timeout,
  465. use_pool,
  466. pool_size,
  467. pool_retry_max,
  468. pool_retry_delay,
  469. pool_connection_timeout,
  470. pool_connection_lifetime,
  471. use_auth_pool,
  472. auth_pool_size,
  473. auth_pool_connection_lifetime,
  474. ]
  475. def register_opts(conf):
  476. conf.register_opts(ALL_OPTS, group=GROUP_NAME)
  477. def list_opts():
  478. return {GROUP_NAME: ALL_OPTS}