8b2016b5d0
Include the new tables in the documentation. Fix the cinder-prophetstor_dpl.xml filename and the xiv category. Manually fix those files for niceness test: - glance-logging.xml (lines 34, 38), fixed in oslo-incubator - trove-logging.xml (lines 26, 30), fixed in oslo-incubator - neutron-openvswitch_agent.xml (line 45), to be fixed in neutron Closes-Bug: #1340858 Closes-Bug: #1344231 Closes-Bug: #1345956 Closes-Bug: #1346711 Closes-Bug: #1347978 Partial-Bug: #1348329 Closes-Bug: #1352074 Partial-Bug: #1353417 Closes-Bug: #1354622 Closes-Bug: #1339754 Closes-Bug: #1358598 Closes-Bug: #1358259 Closes-Bug: #1357865 Partial-Bug: #1357457 Closes-Bug: #1357421 Change-Id: Id2da7d7762ca954bd552dbf89a9ff28b144efb68
351 lines
14 KiB
XML
351 lines
14 KiB
XML
<?xml version='1.0' encoding='UTF-8'?>
|
|
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
|
|
<!-- Warning: Do not edit this file. It is automatically
|
|
generated and your changes will be overwritten.
|
|
The tool to do so lives in openstack-doc-tools repository. -->
|
|
<table rules="all" xml:id="config_table_keystone_ldap">
|
|
<caption>Description of configuration options for ldap</caption>
|
|
<col width="50%"/>
|
|
<col width="50%"/>
|
|
<thead>
|
|
<tr>
|
|
<th>Configuration option = Default value</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<th colspan="2">[ldap]</th>
|
|
</tr>
|
|
<tr>
|
|
<td>alias_dereferencing = default</td>
|
|
<td>(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>allow_subtree_delete = False</td>
|
|
<td>(BoolOpt) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>auth_pool_connection_lifetime = 60</td>
|
|
<td>(IntOpt) End user auth connection lifetime in seconds.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>auth_pool_size = 100</td>
|
|
<td>(IntOpt) End user auth connection pool size.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>chase_referrals = None</td>
|
|
<td>(BoolOpt) Override the system's default referral chasing behavior for queries.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>debug_level = None</td>
|
|
<td>(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>dumb_member = cn=dumb,dc=nonexistent</td>
|
|
<td>(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_create = True</td>
|
|
<td>(BoolOpt) Allow group creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow group deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_update = True</td>
|
|
<td>(BoolOpt) Allow group update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the group on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_desc_attribute = description</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group description.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_member_attribute = member</td>
|
|
<td>(StrOpt) LDAP attribute mapped to show group membership.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_objectclass = groupOfNames</td>
|
|
<td>(StrOpt) LDAP objectclass for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>page_size = 0</td>
|
|
<td>(IntOpt) Maximum results per page; a value of zero ("0") disables paging.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>password = None</td>
|
|
<td>(StrOpt) Password for the BindDN to query the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>pool_connection_lifetime = 600</td>
|
|
<td>(IntOpt) Connection lifetime in seconds.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>pool_connection_timeout = -1</td>
|
|
<td>(IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>pool_retry_delay = 0.1</td>
|
|
<td>(FloatOpt) Time span in seconds to wait between two reconnect trials.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>pool_retry_max = 3</td>
|
|
<td>(IntOpt) Maximum count of reconnect trials.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>pool_size = 10</td>
|
|
<td>(IntOpt) Connection pool size.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_allow_create = True</td>
|
|
<td>(BoolOpt) Allow project creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow project deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_allow_update = True</td>
|
|
<td>(BoolOpt) Allow project update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the project on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_desc_attribute = description</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project description.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_domain_id_attribute = businessCategory</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project domain_id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_enabled_attribute = enabled</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project enabled.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_enabled_emulation = False</td>
|
|
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_enabled_emulation_dn = None</td>
|
|
<td>(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for projects.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_member_attribute = member</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project membership for user.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_objectclass = groupOfNames</td>
|
|
<td>(StrOpt) LDAP objectclass for projects.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>project_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for projects</td>
|
|
</tr>
|
|
<tr>
|
|
<td>query_scope = one</td>
|
|
<td>(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_create = True</td>
|
|
<td>(BoolOpt) Allow role creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow role deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_update = True</td>
|
|
<td>(BoolOpt) Allow role update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the role on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_member_attribute = roleOccupant</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role membership.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_objectclass = organizationalRole</td>
|
|
<td>(StrOpt) LDAP objectclass for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>suffix = cn=example,cn=com</td>
|
|
<td>(StrOpt) LDAP server suffix</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_cacertdir = None</td>
|
|
<td>(StrOpt) CA certificate directory path for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_cacertfile = None</td>
|
|
<td>(StrOpt) CA certificate file path for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_req_cert = demand</td>
|
|
<td>(StrOpt) Valid options for tls_req_cert are demand, never, and allow.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>url = ldap://localhost</td>
|
|
<td>(StrOpt) URL for connecting to the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_auth_pool = False</td>
|
|
<td>(BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_dumb_member = False</td>
|
|
<td>(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_pool = False</td>
|
|
<td>(BoolOpt) Enable LDAP connection pooling.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_tls = False</td>
|
|
<td>(BoolOpt) Enable TLS for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user = None</td>
|
|
<td>(StrOpt) User BindDN to query the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) List of additional LDAP attributes used for mapping additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_create = True</td>
|
|
<td>(BoolOpt) Allow user creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow user deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_update = True</td>
|
|
<td>(BoolOpt) Allow user updates in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_attribute_ignore = default_project_id, tenants</td>
|
|
<td>(ListOpt) List of attributes stripped off the user on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_default_project_id_attribute = None</td>
|
|
<td>(StrOpt) LDAP attribute mapped to default_project_id for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_attribute = enabled</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user enabled flag.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_default = True</td>
|
|
<td>(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_emulation = False</td>
|
|
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_emulation_dn = None</td>
|
|
<td>(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_mask = 0</td>
|
|
<td>(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_mail_attribute = mail</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user email.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_name_attribute = sn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_objectclass = inetOrgPerson</td>
|
|
<td>(StrOpt) LDAP objectclass for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_pass_attribute = userPassword</td>
|
|
<td>(StrOpt) LDAP attribute mapped to password.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for users.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</para>
|