Description of LDAP configuration options

Configuration option = Default value	Description
[ldap]
alias_dereferencing = default	(StrOpt) The LDAP dereferencing option for queries. The "default" option falls back to using default dereferencing configured by your ldap.conf.
allow_subtree_delete = False	(BoolOpt) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.
auth_pool_connection_lifetime = 60	(IntOpt) End user auth connection lifetime in seconds.
auth_pool_size = 100	(IntOpt) End user auth connection pool size.
chase_referrals = None	(BoolOpt) Override the system's default referral chasing behavior for queries.
debug_level = None	(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.
dumb_member = cn=dumb,dc=nonexistent	(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.
group_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
group_allow_create = True	(BoolOpt) Allow group creation in LDAP backend.
group_allow_delete = True	(BoolOpt) Allow group deletion in LDAP backend.
group_allow_update = True	(BoolOpt) Allow group update in LDAP backend.
group_attribute_ignore =	(ListOpt) List of attributes stripped off the group on update.
group_desc_attribute = description	(StrOpt) LDAP attribute mapped to group description.
group_filter = None	(StrOpt) LDAP search filter for groups.
group_id_attribute = cn	(StrOpt) LDAP attribute mapped to group id.
group_member_attribute = member	(StrOpt) LDAP attribute mapped to show group membership.
group_name_attribute = ou	(StrOpt) LDAP attribute mapped to group name.
group_objectclass = groupOfNames	(StrOpt) LDAP objectclass for groups.
group_tree_dn = None	(StrOpt) Search base for groups. Defaults to the suffix value.
page_size = 0	(IntOpt) Maximum results per page; a value of zero ("0") disables paging.
password = None	(StrOpt) Password for the BindDN to query the LDAP server.
pool_connection_lifetime = 600	(IntOpt) Connection lifetime in seconds.
pool_connection_timeout = -1	(IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response.
pool_retry_delay = 0.1	(FloatOpt) Time span in seconds to wait between two reconnect trials.
pool_retry_max = 3	(IntOpt) Maximum count of reconnect trials.
pool_size = 10	(IntOpt) Connection pool size.
project_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
project_allow_create = True	(BoolOpt) Allow project creation in LDAP backend.
project_allow_delete = True	(BoolOpt) Allow project deletion in LDAP backend.
project_allow_update = True	(BoolOpt) Allow project update in LDAP backend.
project_attribute_ignore =	(ListOpt) List of attributes stripped off the project on update.
project_desc_attribute = description	(StrOpt) LDAP attribute mapped to project description.
project_domain_id_attribute = businessCategory	(StrOpt) LDAP attribute mapped to project domain_id.
project_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to project enabled.
project_enabled_emulation = False	(BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group.
project_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.
project_filter = None	(StrOpt) LDAP search filter for projects.
project_id_attribute = cn	(StrOpt) LDAP attribute mapped to project id.
project_member_attribute = member	(StrOpt) LDAP attribute mapped to project membership for user.
project_name_attribute = ou	(StrOpt) LDAP attribute mapped to project name.
project_objectclass = groupOfNames	(StrOpt) LDAP objectclass for projects.
project_tree_dn = None	(StrOpt) Search base for projects. Defaults to the suffix value.
query_scope = one	(StrOpt) The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree options.
role_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
role_allow_create = True	(BoolOpt) Allow role creation in LDAP backend.
role_allow_delete = True	(BoolOpt) Allow role deletion in LDAP backend.
role_allow_update = True	(BoolOpt) Allow role update in LDAP backend.
role_attribute_ignore =	(ListOpt) List of attributes stripped off the role on update.
role_filter = None	(StrOpt) LDAP search filter for roles.
role_id_attribute = cn	(StrOpt) LDAP attribute mapped to role id.
role_member_attribute = roleOccupant	(StrOpt) LDAP attribute mapped to role membership.
role_name_attribute = ou	(StrOpt) LDAP attribute mapped to role name.
role_objectclass = organizationalRole	(StrOpt) LDAP objectclass for roles.
role_tree_dn = None	(StrOpt) Search base for roles. Defaults to the suffix value.
suffix = cn=example,cn=com	(StrOpt) LDAP server suffix
tls_cacertdir = None	(StrOpt) CA certificate directory path for communicating with LDAP servers.
tls_cacertfile = None	(StrOpt) CA certificate file path for communicating with LDAP servers.
tls_req_cert = demand	(StrOpt) Specifies what checks to perform on client certificates in an incoming TLS session.
url = ldap://localhost	(StrOpt) URL for connecting to the LDAP server.
use_auth_pool = False	(BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.
use_dumb_member = False	(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
use_pool = False	(BoolOpt) Enable LDAP connection pooling.
use_tls = False	(BoolOpt) Enable TLS for communicating with LDAP servers.
user = None	(StrOpt) User BindDN to query the LDAP server.
user_additional_attribute_mapping =	(ListOpt) List of additional LDAP attributes used for mapping additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
user_allow_create = True	(BoolOpt) Allow user creation in LDAP backend.
user_allow_delete = True	(BoolOpt) Allow user deletion in LDAP backend.
user_allow_update = True	(BoolOpt) Allow user updates in LDAP backend.
user_attribute_ignore = default_project_id	(ListOpt) List of attributes stripped off the user on update.
user_default_project_id_attribute = None	(StrOpt) LDAP attribute mapped to default_project_id for users.
user_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to user enabled flag.
user_enabled_default = True	(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".
user_enabled_emulation = False	(BoolOpt) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.
user_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.
user_enabled_invert = False	(BoolOpt) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use.
user_enabled_mask = 0	(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
user_filter = None	(StrOpt) LDAP search filter for users.
user_id_attribute = cn	(StrOpt) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.
user_mail_attribute = mail	(StrOpt) LDAP attribute mapped to user email.
user_name_attribute = sn	(StrOpt) LDAP attribute mapped to user name.
user_objectclass = inetOrgPerson	(StrOpt) LDAP objectclass for users.
user_pass_attribute = userPassword	(StrOpt) LDAP attribute mapped to password.
user_tree_dn = None	(StrOpt) Search base for users. Defaults to the suffix value.