small changes to section_keystone-token-binding file

changed such to so
changed some wording around sentence
added ,
removed the
added mode

Change-Id: I175ee91bcb67f03e6068d0df7f0924134b1b2816
This commit is contained in:
Shilla Saebi 2014-03-12 14:56:14 -04:00 committed by Diane Fleming
parent 25c95b418b
commit f006188e70

View File

@ -3,54 +3,55 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="keystone-token-binding"> xml:id="keystone-token-binding">
<title>Configure the Identity Service for token binding</title> <title>Configure Identity service for token binding</title>
<para>Token binding refers to the practice of embedding <para>Token binding embeds information from an external
information from external authentication providers (like a authentication mechanism, such as a Kerberos server, inside a
company's Kerberos server) inside the token such that a client may token. By using token binding, a client can enforce the use of a
enforce that the token only be used in conjunction with that specified external authentication mechanism with the token. This
specified authentication. This is an additional security mechanism additional security mechanism ensures that if a token is stolen,
as it means that if a token is stolen it will not be usable for example, it is not usable without external
without also providing the external authentication.</para> authentication.</para>
<para>To activate token binding you must specify the types of <para>You configure the authentication types for a token binding in
authentication that token binding should be used for in the <filename>keystone.conf</filename> file:</para>
<filename>keystone.conf</filename>:
<programlisting language="ini">[token] <programlisting language="ini">[token]
bind = kerberos</programlisting> bind = kerberos</programlisting>
Currently only <literal>kerberos</literal> is supported.</para> <para>Currently only <literal>kerberos</literal> is
<para> supported.</para>
To enforce checking of token binding the <literal>enforce_token_bind</literal> <para>To enforce checking of token binding, set the
parameter should be set to one of the following modes: <option>enforce_token_bind</option> option to one of these
modes:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><literal>disabled</literal> disable token bind <para><literal>disabled</literal></para>
checking</para> <para>Disables token bind checking.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><literal>permissive</literal> enable bind checking, if <para><literal>permissive</literal></para>
a token is bound to a mechanism that is unknown to the server <para>Enables bind checking. If a token is bound to an unknown
then ignore it. This is the default.</para> authentication mechanism, the server ignores it. The default
is this mode.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><literal>strict</literal> enable bind checking, if a <para><literal>strict</literal></para>
token is bound to a mechanism that is unknown to the server <para>Enables bind checking. If a token is bound to an unknown
then this token should be rejected.</para> authentication mechanism, the server rejects it.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><literal>required</literal> enable bind checking and <para><literal>required</literal></para>
require that at least 1 bind mechanism is used for <para>Enables bind checking. Requires use of at least
tokens.</para> authentication mechanism for tokens.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><literal>named</literal> enable bind checking and <para><literal>named</literal></para>
require that the specified authentication mechanism is used: <para>Enables bind checking. Requires use of the specified
authentication mechanism for tokens:</para>
<programlisting language="ini">[token] <programlisting language="ini">[token]
enforce_token_bind = kerberos</programlisting> enforce_token_bind = kerberos</programlisting>
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note><para>Do not set <literal>enforce_token_bind = <note>
named</literal> as there is not an authentication mechanism <para>Do not set <literal>enforce_token_bind = named</literal>.
called <literal>named</literal>.</para> The <literal>named</literal> authentication mechanism does not
exist.</para>
</note> </note>
</para>
</section> </section>