openstack/openstack-manuals
Code Issues Proposed changes
7ee47f21be
openstack-manuals/doc/admin-guide-cloud/identity/section_keystone-token-binding.xml
Christian Berendt d99744c3df Unified the syntax of the XML root element (admin-guide-cloud) 
The XML root element of Docbook XML files should match the following
format:

<ELEMENT xmlns="http://docbook.org/ns/docbook"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="THE_XML_ID_OF_THE_ELEMENT">

Change-Id: I95a6f36d6887af952257a800e3359d53ac1f895a
2014-07-09 19:43:01 +02:00

64 lines
2.6 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-token-binding">
<title>Configure Identity service for token binding</title>
<para>Token binding embeds information from an external
authentication mechanism, such as a Kerberos server or X.509 certificate,
inside a token. By using token binding, a client can enforce the use of a
specified external authentication mechanism with the token. This
additional security mechanism ensures that if a token is stolen,
for example, it is not usable without external
authentication.</para>
<para>You configure the authentication types for a token binding in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[token]
bind = kerberos</programlisting>
<para>or</para>
<programlisting language="ini">[token]
bind = x509</programlisting>
<para>Currently <literal>kerberos</literal> and <literal>x509</literal>
are supported.</para>
<para>To enforce checking of token binding, set the
<option>enforce_token_bind</option> option to one of these
modes:</para>
<itemizedlist>
<listitem>
<para><literal>disabled</literal></para>
<para>Disables token bind checking.</para>
</listitem>
<listitem>
<para><literal>permissive</literal></para>
<para>Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server ignores it. The default
is this mode.</para>
</listitem>
<listitem>
<para><literal>strict</literal></para>
<para>Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server rejects it.</para>
</listitem>
<listitem>
<para><literal>required</literal></para>
<para>Enables bind checking. Requires use of at least
authentication mechanism for tokens.</para>
</listitem>
<listitem>
<para><literal>kerberos</literal></para>
<para>Enables bind checking. Requires use of kerberos as the
authentication mechanism for tokens:</para>
<programlisting language="ini">[token]
enforce_token_bind = kerberos</programlisting>
</listitem>
<listitem>
<para><literal>x509</literal></para>
<para>Enables bind checking. Requires use of X.509 as the
authentication mechanism for tokens:</para>
<programlisting language="ini">[token]
enforce_token_bind = x509</programlisting>
</listitem>
</itemizedlist>
</section>
View Git Blame Copy Permalink