small changes to section_keystone-token-binding file

changed such to so changed some wording around sentence added , removed the added mode Change-Id: I175ee91bcb67f03e6068d0df7f0924134b1b2816
2014-03-12 14:56:14 -04:00 · 2014-03-12 14:56:14 -04:00 · f006188e70
commit f006188e70
parent 25c95b418b
1 changed files with 54 additions and 53 deletions
--- a/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml
+++ b/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml
@ -1,56 +1,57 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <section xmlns="http://docbook.org/ns/docbook"
-    xmlns:xi="http://www.w3.org/2001/XInclude"
-    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
-    xml:id="keystone-token-binding">
-    <title>Configure the Identity Service for token binding</title>
-    <para>Token binding refers to the practice of embedding
-    information from external authentication providers (like a
-    company's Kerberos server) inside the token such that a client may
-    enforce that the token only be used in conjunction with that
-    specified authentication. This is an additional security mechanism
-    as it means that if a token is stolen it will not be usable
-    without also providing the external authentication.</para>
-  <para>To activate token binding you must specify the types of
-    authentication that token binding should be used for in
-      <filename>keystone.conf</filename>:
-    <programlisting language="ini">[token]
-    bind = kerberos</programlisting>
-    Currently only <literal>kerberos</literal> is supported.</para>
-   <para>
-     To enforce checking of token binding the <literal>enforce_token_bind</literal>
-     parameter should be set to one of the following modes:
-     <itemizedlist>
-       <listitem>
-         <para><literal>disabled</literal> disable token bind
-         checking</para>
-       </listitem>
-       <listitem>
-         <para><literal>permissive</literal> enable bind checking, if
-         a token is bound to a mechanism that is unknown to the server
-         then ignore it. This is the default.</para>
-       </listitem>
-       <listitem>
-         <para><literal>strict</literal> enable bind checking, if a
-         token is bound to a mechanism that is unknown to the server
-         then this token should be rejected.</para>
-       </listitem>
-       <listitem>
-         <para><literal>required</literal> enable bind checking and
-         require that at least 1 bind mechanism is used for
-         tokens.</para>
-       </listitem>
-       <listitem>
-         <para><literal>named</literal> enable bind checking and
-         require that the specified authentication mechanism is used:
-<programlisting language="ini">[token]
-    enforce_token_bind = kerberos</programlisting>
-         </para>
-       </listitem>
-     </itemizedlist>
-     <note><para>Do not set <literal>enforce_token_bind =
-     named</literal> as there is not an authentication mechanism
-     called <literal>named</literal>.</para>
-     </note>
-   </para>
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="keystone-token-binding">
+  <title>Configure Identity service for token binding</title>
+  <para>Token binding embeds information from an external
+    authentication mechanism, such as a Kerberos server, inside a
+    token. By using token binding, a client can enforce the use of a
+    specified external authentication mechanism with the token. This
+    additional security mechanism ensures that if a token is stolen,
+    for example, it is not usable without external
+    authentication.</para>
+  <para>You configure the authentication types for a token binding in
+    the <filename>keystone.conf</filename> file:</para>
+  <programlisting language="ini">[token]
+bind = kerberos</programlisting>
+  <para>Currently only <literal>kerberos</literal> is
+    supported.</para>
+  <para>To enforce checking of token binding, set the
+      <option>enforce_token_bind</option> option to one of these
+    modes:</para>
+  <itemizedlist>
+    <listitem>
+      <para><literal>disabled</literal></para>
+      <para>Disables token bind checking.</para>
+    </listitem>
+    <listitem>
+      <para><literal>permissive</literal></para>
+      <para>Enables bind checking. If a token is bound to an unknown
+        authentication mechanism, the server ignores it. The default
+        is this mode.</para>
+    </listitem>
+    <listitem>
+      <para><literal>strict</literal></para>
+      <para>Enables bind checking. If a token is bound to an unknown
+        authentication mechanism, the server rejects it.</para>
+    </listitem>
+    <listitem>
+      <para><literal>required</literal></para>
+      <para>Enables bind checking. Requires use of at least
+        authentication mechanism for tokens.</para>
+    </listitem>
+    <listitem>
+      <para><literal>named</literal></para>
+      <para>Enables bind checking. Requires use of the specified
+        authentication mechanism for tokens:</para>
+      <programlisting language="ini">[token]
+enforce_token_bind = kerberos</programlisting>
+    </listitem>
+  </itemizedlist>
+  <note>
+    <para>Do not set <literal>enforce_token_bind = named</literal>.
+      The <literal>named</literal> authentication mechanism does not
+      exist.</para>
+  </note>
 </section>