38a4da963d
This patch imports the autogenerated tables for keystone. Actual use of these tables will be done in another patch. Change-Id: Ib035c8469820aca7a7cf880f1bea758e9ea855d1 Partial-Bug: #1277330
312 lines
15 KiB
XML
312 lines
15 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!-- Warning: Do not edit this file. It is automatically
|
|
generated and your changes will be overwritten.
|
|
The tool to do so lives in the tools directory of this
|
|
repository -->
|
|
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
|
|
<table rules="all" xml:id="config_table_keystone_ldap">
|
|
<caption>Description of configuration options for ldap</caption>
|
|
<col width="50%"/>
|
|
<col width="50%"/>
|
|
<thead>
|
|
<tr>
|
|
<th>Configuration option = Default value</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<th colspan="2">[ldap]</th>
|
|
</tr>
|
|
<tr>
|
|
<td>alias_dereferencing = default</td>
|
|
<td>(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>allow_subtree_delete = False</td>
|
|
<td>(BoolOpt) allow deleting subtrees.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>chase_referrals = None</td>
|
|
<td>(BoolOpt) Override the system's default referral chasing behavior for queries.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>dumb_member = cn=dumb,dc=nonexistent</td>
|
|
<td>(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_create = True</td>
|
|
<td>(BoolOpt) Allow group creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow group deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_allow_update = True</td>
|
|
<td>(BoolOpt) Allow group update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the group on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_desc_attribute = description</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group description.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_member_attribute = member</td>
|
|
<td>(StrOpt) LDAP attribute mapped to show group membership.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to group name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_objectclass = groupOfNames</td>
|
|
<td>(StrOpt) LDAP objectClass for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>group_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for groups.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>page_size = 0</td>
|
|
<td>(IntOpt) Maximum results per page; a value of zero ("0") disables paging.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>password = None</td>
|
|
<td>(StrOpt) Password for the BindDN to query the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>query_scope = one</td>
|
|
<td>(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_create = True</td>
|
|
<td>(BoolOpt) Allow role creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow role deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_allow_update = True</td>
|
|
<td>(BoolOpt) Allow role update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the role on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_member_attribute = roleOccupant</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role membership.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to role name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_objectclass = organizationalRole</td>
|
|
<td>(StrOpt) LDAP objectClass for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>role_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for roles.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>suffix = cn=example,cn=com</td>
|
|
<td>(StrOpt) LDAP server suffix</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_allow_create = True</td>
|
|
<td>(BoolOpt) Allow tenant creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow tenant deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_allow_update = True</td>
|
|
<td>(BoolOpt) Allow tenant update in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_attribute_ignore = </td>
|
|
<td>(ListOpt) List of attributes stripped off the project on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_desc_attribute = description</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project description.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_domain_id_attribute = businessCategory</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project domain_id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_enabled_attribute = enabled</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project enabled.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_enabled_emulation = False</td>
|
|
<td>(BoolOpt) If True, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "tenant_enabled_emulation_dn" group.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_enabled_emulation_dn = None</td>
|
|
<td>(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for projects.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_member_attribute = member</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project membership for user.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_name_attribute = ou</td>
|
|
<td>(StrOpt) LDAP attribute mapped to project name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_objectclass = groupOfNames</td>
|
|
<td>(StrOpt) LDAP objectClass for projects.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tenant_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for projects</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_cacertdir = None</td>
|
|
<td>(StrOpt) CA certificate directory path for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_cacertfile = None</td>
|
|
<td>(StrOpt) CA certificate file path for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tls_req_cert = demand</td>
|
|
<td>(StrOpt) valid options for tls_req_cert are demand, never, and allow.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>url = ldap://localhost</td>
|
|
<td>(StrOpt) URL for connecting to the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_dumb_member = False</td>
|
|
<td>(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_tls = False</td>
|
|
<td>(BoolOpt) Enable TLS for communicating with LDAP servers.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user = None</td>
|
|
<td>(StrOpt) User BindDN to query the LDAP server.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_additional_attribute_mapping = </td>
|
|
<td>(ListOpt) List of additional LDAP attributes used for mapping Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_create = True</td>
|
|
<td>(BoolOpt) Allow user creation in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_delete = True</td>
|
|
<td>(BoolOpt) Allow user deletion in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_allow_update = True</td>
|
|
<td>(BoolOpt) Allow user updates in LDAP backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_attribute_ignore = default_project_id, tenants</td>
|
|
<td>(ListOpt) List of attributes stripped off the user on update.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_default_project_id_attribute = None</td>
|
|
<td>(StrOpt) LDAP attribute mapped to default_project_id for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_attribute = enabled</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user enabled flag.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_default = True</td>
|
|
<td>(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True"the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_emulation = False</td>
|
|
<td>(BoolOpt) If True, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_emulation_dn = None</td>
|
|
<td>(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_enabled_mask = 0</td>
|
|
<td>(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_filter = None</td>
|
|
<td>(StrOpt) LDAP search filter for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_id_attribute = cn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user id.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_mail_attribute = email</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user email.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_name_attribute = sn</td>
|
|
<td>(StrOpt) LDAP attribute mapped to user name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_objectclass = inetOrgPerson</td>
|
|
<td>(StrOpt) LDAP objectClass for users.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_pass_attribute = userPassword</td>
|
|
<td>(StrOpt) LDAP attribute mapped to password.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>user_tree_dn = None</td>
|
|
<td>(StrOpt) Search base for users.</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</para>
|