Description of configuration options for ldap

Configuration option = Default value	Description
[ldap]
alias_dereferencing = default	(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.
allow_subtree_delete = False	(BoolOpt) allow deleting subtrees.
chase_referrals = None	(BoolOpt) Override the system's default referral chasing behavior for queries.
dumb_member = cn=dumb,dc=nonexistent	(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.
group_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
group_allow_create = True	(BoolOpt) Allow group creation in LDAP backend.
group_allow_delete = True	(BoolOpt) Allow group deletion in LDAP backend.
group_allow_update = True	(BoolOpt) Allow group update in LDAP backend.
group_attribute_ignore =	(ListOpt) List of attributes stripped off the group on update.
group_desc_attribute = description	(StrOpt) LDAP attribute mapped to group description.
group_filter = None	(StrOpt) LDAP search filter for groups.
group_id_attribute = cn	(StrOpt) LDAP attribute mapped to group id.
group_member_attribute = member	(StrOpt) LDAP attribute mapped to show group membership.
group_name_attribute = ou	(StrOpt) LDAP attribute mapped to group name.
group_objectclass = groupOfNames	(StrOpt) LDAP objectClass for groups.
group_tree_dn = None	(StrOpt) Search base for groups.
page_size = 0	(IntOpt) Maximum results per page; a value of zero ("0") disables paging.
password = None	(StrOpt) Password for the BindDN to query the LDAP server.
query_scope = one	(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).
role_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
role_allow_create = True	(BoolOpt) Allow role creation in LDAP backend.
role_allow_delete = True	(BoolOpt) Allow role deletion in LDAP backend.
role_allow_update = True	(BoolOpt) Allow role update in LDAP backend.
role_attribute_ignore =	(ListOpt) List of attributes stripped off the role on update.
role_filter = None	(StrOpt) LDAP search filter for roles.
role_id_attribute = cn	(StrOpt) LDAP attribute mapped to role id.
role_member_attribute = roleOccupant	(StrOpt) LDAP attribute mapped to role membership.
role_name_attribute = ou	(StrOpt) LDAP attribute mapped to role name.
role_objectclass = organizationalRole	(StrOpt) LDAP objectClass for roles.
role_tree_dn = None	(StrOpt) Search base for roles.
suffix = cn=example,cn=com	(StrOpt) LDAP server suffix
tenant_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
tenant_allow_create = True	(BoolOpt) Allow tenant creation in LDAP backend.
tenant_allow_delete = True	(BoolOpt) Allow tenant deletion in LDAP backend.
tenant_allow_update = True	(BoolOpt) Allow tenant update in LDAP backend.
tenant_attribute_ignore =	(ListOpt) List of attributes stripped off the project on update.
tenant_desc_attribute = description	(StrOpt) LDAP attribute mapped to project description.
tenant_domain_id_attribute = businessCategory	(StrOpt) LDAP attribute mapped to project domain_id.
tenant_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to project enabled.
tenant_enabled_emulation = False	(BoolOpt) If True, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "tenant_enabled_emulation_dn" group.
tenant_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.
tenant_filter = None	(StrOpt) LDAP search filter for projects.
tenant_id_attribute = cn	(StrOpt) LDAP attribute mapped to project id.
tenant_member_attribute = member	(StrOpt) LDAP attribute mapped to project membership for user.
tenant_name_attribute = ou	(StrOpt) LDAP attribute mapped to project name.
tenant_objectclass = groupOfNames	(StrOpt) LDAP objectClass for projects.
tenant_tree_dn = None	(StrOpt) Search base for projects
tls_cacertdir = None	(StrOpt) CA certificate directory path for communicating with LDAP servers.
tls_cacertfile = None	(StrOpt) CA certificate file path for communicating with LDAP servers.
tls_req_cert = demand	(StrOpt) valid options for tls_req_cert are demand, never, and allow.
url = ldap://localhost	(StrOpt) URL for connecting to the LDAP server.
use_dumb_member = False	(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
use_tls = False	(BoolOpt) Enable TLS for communicating with LDAP servers.
user = None	(StrOpt) User BindDN to query the LDAP server.
user_additional_attribute_mapping =	(ListOpt) List of additional LDAP attributes used for mapping Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
user_allow_create = True	(BoolOpt) Allow user creation in LDAP backend.
user_allow_delete = True	(BoolOpt) Allow user deletion in LDAP backend.
user_allow_update = True	(BoolOpt) Allow user updates in LDAP backend.
user_attribute_ignore = default_project_id, tenants	(ListOpt) List of attributes stripped off the user on update.
user_default_project_id_attribute = None	(StrOpt) LDAP attribute mapped to default_project_id for users.
user_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to user enabled flag.
user_enabled_default = True	(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True"the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".
user_enabled_emulation = False	(BoolOpt) If True, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.
user_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.
user_enabled_mask = 0	(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
user_filter = None	(StrOpt) LDAP search filter for users.
user_id_attribute = cn	(StrOpt) LDAP attribute mapped to user id.
user_mail_attribute = email	(StrOpt) LDAP attribute mapped to user email.
user_name_attribute = sn	(StrOpt) LDAP attribute mapped to user name.
user_objectclass = inetOrgPerson	(StrOpt) LDAP objectClass for users.
user_pass_attribute = userPassword	(StrOpt) LDAP attribute mapped to password.
user_tree_dn = None	(StrOpt) Search base for users.