Identity service sample configuration files

You can find the files described in this section in the /etc/keystone directory.

keystone.conf

Use the keystone.conf file to configure most Identity service options:

keystone-paste.ini

Use the keystone-paste.ini file to configure the Web Service Gateway Interface (WSGI) middleware pipeline for the Identity service.

logging.conf

You can specify a special logging configuration file in the keystone.conf configuration file, for example /etc/keystone/logging.conf. For details, see the Python logging module documentation.

policy.json

Use the policy.json file to define additional access controls that apply to the Identity service.

Domain-specific configuration

Identity enables you to configure domain-specific authentication drivers, which allow a domain to have its own LDAP or SQL server.

Enable domain-specific drivers

By default, the option to configure domain-specific drivers is disabled. To enable domain-specific drivers, set these options in the keystone.conf file:

    [identity]
    domain_specific_drivers_enabled = True
    domain_config_dir = /etc/keystone/domains

When you enable domain-specific drivers, Identity looks in the directory for configuration files that are named as keystone.DOMAIN_NAME.conf. Any domain without a domain-specific configuration file uses options in the primary configuration file.

Domain-specific configuration file options

Any options that you define in the domain-specific configuration file override options in the primary configuration file for the specified domain. Domains configured for the service user or project use the Identity API v3 to retrieve the service token.

To configure the domain for the service user, set the following options in the [DEFAULT] section of the /etc/keystone/domains/keystone.DOMAIN_NAME.conf file:

    admin_user_domain_id = USER_DOMAIN_ID
    admin_user_domain_name = USER_DOMAIN_NAME

Replace USER_DOMAIN_ID with the Identity service account user domain ID, and USER_DOMAIN_NAME with the Identity service account user domain name.

To configure the domain for the project, set the following options in the [DEFAULT] section of the /etc/keystone/domains/keystone.DOMAIN_NAME.conf file:

    admin_project_domain_id = PROJECT_DOMAIN_ID
    admin_project_domain_name = PROJECT_DOMAIN_NAME

Replace PROJECT_DOMAIN_ID with the Identity service account project domain ID, and PROJECT_DOMAIN_NAME with the Identity service account project domain name.

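The file lookup and override rules described under "Enable domain-specific drivers" and "Domain-specific configuration file options", as an added example that is not part of the original page or Keystone's own code. It assumes Python's configparser as a stand-in for Keystone's option parsing; the sample files, the domain name corp and the driver values are constructed, and treating a file that does not match keystone.DOMAIN_NAME.conf as not loaded is an inference from the naming rule.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Naming rule from the page: keystone.DOMAIN_NAME.conf
DOMAIN_FILE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")

def load(path):
    # Assumption: configparser stands in for Keystone's own option parser.
    # A dummy default_section makes [DEFAULT] an ordinary section.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(Path(path).read_text())
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_configs(primary_path):
    """Return per-domain merged options plus files the naming rule skips."""
    primary = load(primary_path)
    ident = primary.get("identity", {})
    report = {"domains": {}, "ignored": []}
    if ident.get("domain_specific_drivers_enabled", "false").lower() != "true":
        return report  # disabled by default: all domains use the primary file
    for f in sorted(Path(ident["domain_config_dir"]).iterdir()):
        m = DOMAIN_FILE.match(f.name)
        if not m:
            report["ignored"].append(f.name)  # domain falls back to primary
            continue
        merged = {s: dict(opts) for s, opts in primary.items()}
        for s, opts in load(f).items():
            merged.setdefault(s, {}).update(opts)  # domain file overrides
        report["domains"][m["domain"]] = merged
    return report

def build_demo(root):
    """Write constructed sample files (made-up domain and driver values)."""
    domains = Path(root) / "domains"
    domains.mkdir()
    primary = Path(root) / "keystone.conf"
    primary.write_text("[identity]\ndomain_specific_drivers_enabled = True\n"
                       f"domain_config_dir = {domains}\ndriver = sql\n")
    (domains / "keystone.corp.conf").write_text("[identity]\ndriver = ldap\n")
    (domains / "corp2.conf").write_text("[identity]\ndriver = ldap\n")  # misnamed
    return primary

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = effective_configs(build_demo(tmp))
        for name, cfg in report["domains"].items():
            print(name, "->", cfg["identity"]["driver"])
        print("not loaded:", report["ignored"])
```

Pointing effective_configs at a real keystone.conf lists the files in domain_config_dir that the naming rule skips, which is the case where a domain keeps authenticating against the primary backend instead of its intended LDAP or SQL server.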