.. Warning: Do not edit this file. It is automatically generated from the software project's code and your changes will be overwritten. The tool to generate this file lives in openstack-doc-tools repository. Please make any changes needed in the code, then run the autogenerate-config-doc tool from the openstack-doc-tools repository, or ask for help on the documentation mailing list, IRC channel or meeting.

.. _keystone-ldap:

.. list-table:: Description of LDAP configuration options
   :header-rows: 1
   :class: config-ref-table

   * - Configuration option = Default value
     - Description
   * - **[ldap]**
     -
   * - ``alias_dereferencing`` = ``default``
     - (String) The LDAP dereferencing option for queries. The "default" option falls back to using the default dereferencing configured by your ldap.conf.
   * - ``allow_subtree_delete`` = ``False``
     - (Boolean) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.
   * - ``auth_pool_connection_lifetime`` = ``60``
     - (Integer) End user auth connection lifetime in seconds.
   * - ``auth_pool_size`` = ``100``
     - (Integer) End user auth connection pool size.
   * - ``chase_referrals`` = ``None``
     - (Boolean) Override the system's default referral chasing behavior for queries.
   * - ``debug_level`` = ``None``
     - (Integer) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask; consult your LDAP documentation for possible values.
   * - ``dumb_member`` = ``cn=dumb,dc=nonexistent``
     - (String) DN of the "dummy member" to use when "use_dumb_member" is enabled.
   * - ``group_additional_attribute_mapping`` =
     - (List) Additional attribute mappings for groups. Attribute mapping format is ``<ldap_attr>:<user_attr>``, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
   * - ``group_allow_create`` = ``True``
     - (Boolean) DEPRECATED: Allow group creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_allow_delete`` = ``True``
     - (Boolean) DEPRECATED: Allow group deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_allow_update`` = ``True``
     - (Boolean) DEPRECATED: Allow group update in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_attribute_ignore`` =
     - (List) List of attributes stripped off the group on update.
   * - ``group_desc_attribute`` = ``description``
     - (String) LDAP attribute mapped to group description.
   * - ``group_filter`` = ``None``
     - (String) LDAP search filter for groups.
   * - ``group_id_attribute`` = ``cn``
     - (String) LDAP attribute mapped to group id.
   * - ``group_member_attribute`` = ``member``
     - (String) LDAP attribute mapped to show group membership.
   * - ``group_members_are_ids`` = ``False``
     - (Boolean) If the members of the group objectclass are user IDs rather than DNs, set this to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.
   * - ``group_name_attribute`` = ``ou``
     - (String) LDAP attribute mapped to group name.
   * - ``group_objectclass`` = ``groupOfNames``
     - (String) LDAP objectclass for groups.
   * - ``group_tree_dn`` = ``None``
     - (String) Search base for groups. Defaults to the suffix value.
   * - ``page_size`` = ``0``
     - (Integer) Maximum results per page; a value of zero ("0") disables paging.
   * - ``password`` = ``None``
     - (String) Password for the BindDN to query the LDAP server.
   * - ``pool_connection_lifetime`` = ``600``
     - (Integer) Connection lifetime in seconds.
   * - ``pool_connection_timeout`` = ``-1``
     - (Integer) Connector timeout in seconds. Value -1 indicates indefinite wait for response.
   * - ``pool_retry_delay`` = ``0.1``
     - (Floating point) Time span in seconds to wait between two reconnect trials.
   * - ``pool_retry_max`` = ``3``
     - (Integer) Maximum count of reconnect trials.
   * - ``pool_size`` = ``10``
     - (Integer) Connection pool size.
   * - ``query_scope`` = ``one``
     - (String) The LDAP scope for queries: "one" represents the oneLevel/singleLevel option and "sub" represents the subtree/wholeSubtree option.
   * - ``suffix`` = ``cn=example,cn=com``
     - (String) LDAP server suffix.
   * - ``tls_cacertdir`` = ``None``
     - (String) CA certificate directory path for communicating with LDAP servers.
   * - ``tls_cacertfile`` = ``None``
     - (String) CA certificate file path for communicating with LDAP servers.
   * - ``tls_req_cert`` = ``demand``
     - (String) Specifies what checks to perform on client certificates in an incoming TLS session.
   * - ``url`` = ``ldap://localhost``
     - (String) URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified as a comma separated string. The first URL to successfully bind is used for the connection.
   * - ``use_auth_pool`` = ``True``
     - (Boolean) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.
   * - ``use_dumb_member`` = ``False``
     - (Boolean) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
   * - ``use_pool`` = ``True``
     - (Boolean) Enable LDAP connection pooling.
   * - ``use_tls`` = ``False``
     - (Boolean) Enable TLS for communicating with LDAP servers.
   * - ``user`` = ``None``
     - (String) User BindDN to query the LDAP server.
   * - ``user_additional_attribute_mapping`` =
     - (List) List of additional LDAP attribute mappings for users. Attribute mapping format is ``<ldap_attr>:<user_attr>``, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
   * - ``user_allow_create`` = ``True``
     - (Boolean) DEPRECATED: Allow user creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_allow_delete`` = ``True``
     - (Boolean) DEPRECATED: Allow user deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_allow_update`` = ``True``
     - (Boolean) DEPRECATED: Allow user updates in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_attribute_ignore`` = ``default_project_id``
     - (List) List of attributes stripped off the user on update.
   * - ``user_default_project_id_attribute`` = ``None``
     - (String) LDAP attribute mapped to default_project_id for users.
   * - ``user_description_attribute`` = ``description``
     - (String) LDAP attribute mapped to user description.
   * - ``user_enabled_attribute`` = ``enabled``
     - (String) LDAP attribute mapped to user enabled flag.
   * - ``user_enabled_default`` = ``True``
     - (String) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".
   * - ``user_enabled_emulation`` = ``False``
     - (Boolean) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.
   * - ``user_enabled_emulation_dn`` = ``None``
     - (String) DN of the group entry to hold enabled users when using enabled emulation.
   * - ``user_enabled_emulation_use_group_config`` = ``False``
     - (Boolean) Use the "group_member_attribute" and "group_objectclass" settings to determine membership in the emulated enabled group.
   * - ``user_enabled_invert`` = ``False``
     - (Boolean) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if the "user_enabled_mask" or "user_enabled_emulation" settings are in use.
   * - ``user_enabled_mask`` = ``0``
     - (Integer) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
   * - ``user_filter`` = ``None``
     - (String) LDAP search filter for users.
   * - ``user_id_attribute`` = ``cn``
     - (String) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.
   * - ``user_mail_attribute`` = ``mail``
     - (String) LDAP attribute mapped to user email.
   * - ``user_name_attribute`` = ``sn``
     - (String) LDAP attribute mapped to user name.
   * - ``user_objectclass`` = ``inetOrgPerson``
     - (String) LDAP objectclass for users.
   * - ``user_pass_attribute`` = ``userPassword``
     - (String) LDAP attribute mapped to password.
   * - ``user_tree_dn`` = ``None``
     - (String) Search base for users. Defaults to the suffix value.
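The ``user_enabled_default``, ``user_enabled_mask``, ``user_enabled_invert`` and ``user_enabled_emulation`` options above interact, and the table only describes each one in isolation. The following Python is an added illustration of how those settings combine to decide whether a directory entry is an enabled user; it is not keystone's own code. The precedence (emulation first, then the bitmask, then the invert flag), the set of strings treated as boolean true, and the sample entries are all assumptions or constructed data; only the meaning of the Active Directory ``userAccountControl`` bits (2 = ACCOUNTDISABLE, 512 = normal account) comes from outside the page.

```python
# Added illustration of how the [ldap] user_enabled_* options interact.
# Not keystone's own code: the precedence (emulation, then mask, then invert)
# and the boolean spellings accepted are assumptions drawn from the option
# descriptions, not from the keystone source.

ACCOUNTDISABLE = 0x2    # Active Directory userAccountControl flag: account disabled
NORMAL_ACCOUNT = 0x200  # 512: the usual baseline userAccountControl for a user

TRUE_STRINGS = ("true", "1")  # assumption: spellings treated as boolean true


def resolve_enabled(entry, *, user_enabled_attribute="enabled",
                    user_enabled_mask=0, user_enabled_invert=False,
                    user_enabled_default="True",
                    user_enabled_emulation=False,
                    enabled_group_members=frozenset()):
    """Return True when the LDAP entry describes an enabled user.

    entry is a dict in the shape python-ldap returns a search result:
    attribute name -> list of string values, plus a 'dn' key.
    enabled_group_members stands in for the member list of the group named
    by user_enabled_emulation_dn (constructed here, not a live lookup).
    """
    # 1. Enabled emulation: membership in the emulation group decides, and the
    #    attribute, mask and invert settings are ignored.
    if user_enabled_emulation:
        return entry["dn"] in enabled_group_members

    values = entry.get(user_enabled_attribute)
    raw = values[0] if values else user_enabled_default

    # 2. Bitmask mode (e.g. userAccountControl with mask 2): the account is
    #    enabled when no masked bit is set. user_enabled_invert has no effect.
    if user_enabled_mask:
        try:
            bits = int(raw)
        except ValueError:
            # The misconfiguration the table warns about: with a mask in use,
            # user_enabled_default must be an integer such as "512", not "True".
            raise ValueError(
                f"{user_enabled_attribute}/user_enabled_default must be an "
                f"integer when user_enabled_mask is set, got {raw!r}")
        return (bits & user_enabled_mask) == 0

    # 3. Plain boolean attribute, optionally inverted for "lock"-style
    #    attributes where true means the account is disabled.
    enabled = str(raw).strip().lower() in TRUE_STRINGS
    return not enabled if user_enabled_invert else enabled


# Constructed sample entries (not real directory data).
AD_ENABLED = {"dn": "cn=alice,ou=users,dc=example,dc=com",
              "userAccountControl": [str(NORMAL_ACCOUNT)]}
AD_DISABLED = {"dn": "cn=bob,ou=users,dc=example,dc=com",
               "userAccountControl": [str(NORMAL_ACCOUNT | ACCOUNTDISABLE)]}
AD_NO_ATTR = {"dn": "cn=carol,ou=users,dc=example,dc=com"}
LOCKED_USER = {"dn": "cn=dave,ou=users,dc=example,dc=com",
               "locked": ["TRUE"]}

# Settings the table recommends for an Active Directory backend.
AD_SETTINGS = dict(user_enabled_attribute="userAccountControl",
                   user_enabled_mask=2, user_enabled_default="512")


def demo():
    """Evaluate each constructed entry under the relevant settings."""
    return {
        "alice": resolve_enabled(AD_ENABLED, **AD_SETTINGS),
        "bob": resolve_enabled(AD_DISABLED, **AD_SETTINGS),
        # Missing attribute falls back to user_enabled_default ("512").
        "carol": resolve_enabled(AD_NO_ATTR, **AD_SETTINGS),
        # invert is ignored while a mask is in use, so bob stays disabled.
        "bob_invert": resolve_enabled(AD_DISABLED, user_enabled_invert=True,
                                      **AD_SETTINGS),
        # A "locked" style attribute where true means disabled.
        "dave": resolve_enabled(LOCKED_USER, user_enabled_attribute="locked",
                                user_enabled_invert=True),
        # Emulation: group membership overrides the lock attribute entirely.
        "dave_emulated": resolve_enabled(
            LOCKED_USER, user_enabled_emulation=True,
            enabled_group_members=frozenset({LOCKED_USER["dn"]})),
    }


if __name__ == "__main__":
    for name, enabled in demo().items():
        print(f"{name:14} enabled={enabled}")
```

Running the block prints one line per constructed entry: alice and carol enabled, bob disabled (with or without the invert flag), dave disabled under the lock attribute but enabled once emulation is switched on. The ``ValueError`` branch is the practical check to keep in mind: leaving ``user_enabled_default`` at its default of ``True`` while setting ``user_enabled_mask = 2`` breaks the fallback for entries that lack the attribute.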