cce63f68aa
Change-Id: Ia766f93b9ce5b1560ebe37da65bd70be61a0fdd1
Configuration option = Default value | Description |
---|---|
[ldap] | |
alias_dereferencing = default |
(String) The LDAP dereferencing option for queries. The "default" option falls back to using default dereferencing configured by your ldap.conf. |
allow_subtree_delete = False |
(Boolean) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion. |
auth_pool_connection_lifetime = 60 |
(Integer) End user auth connection lifetime in seconds. |
auth_pool_size = 100 |
(Integer) End user auth connection pool size. |
chase_referrals = None |
(Boolean) Override the system's default referral chasing behavior for queries. |
debug_level = None |
(Integer) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values. |
dumb_member = cn=dumb,dc=nonexistent |
(String) DN of the "dummy member" to use when "use_dumb_member" is enabled. |
group_additional_attribute_mapping = |
(List) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
group_allow_create = True |
(Boolean) DEPRECATED: Allow group creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
group_allow_delete = True |
(Boolean) DEPRECATED: Allow group deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
group_allow_update = True |
(Boolean) DEPRECATED: Allow group update in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
group_attribute_ignore = |
(List) List of attributes stripped off the group on update. |
group_desc_attribute = description |
(String) LDAP attribute mapped to group description. |
group_filter = None |
(String) LDAP search filter for groups. |
group_id_attribute = cn |
(String) LDAP attribute mapped to group id. |
group_member_attribute = member |
(String) LDAP attribute mapped to show group membership. |
group_members_are_ids = False |
(Boolean) If the members of the group objectclass are user IDs rather than DNs, set this to true. This is the case when using posixGroup as the group objectclass and OpenDirectory. |
group_name_attribute = ou |
(String) LDAP attribute mapped to group name. |
group_objectclass = groupOfNames |
(String) LDAP objectclass for groups. |
group_tree_dn = None |
(String) Search base for groups. Defaults to the suffix value. |
page_size = 0 |
(Integer) Maximum results per page; a value of zero ("0") disables paging. |
password = None |
(String) Password for the BindDN to query the LDAP server. |
pool_connection_lifetime = 600 |
(Integer) Connection lifetime in seconds. |
pool_connection_timeout = -1 |
(Integer) Connector timeout in seconds. Value -1 indicates indefinite wait for response. |
pool_retry_delay = 0.1 |
(Floating point) Time span in seconds to wait between two reconnect trials. |
pool_retry_max = 3 |
(Integer) Maximum count of reconnect trials. |
pool_size = 10 |
(Integer) Connection pool size. |
query_scope = one |
(String) The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree options. |
suffix = cn=example,cn=com |
(String) LDAP server suffix; used as the default search base for users and groups. |
tls_cacertdir = None |
(String) CA certificate directory path for communicating with LDAP servers. |
tls_cacertfile = None |
(String) CA certificate file path for communicating with LDAP servers. |
tls_req_cert = demand |
(String) Specifies what certificate checks to perform when establishing a TLS session with the LDAP server; the default, "demand", requires the server to present a valid certificate. |
url = ldap://localhost |
(String) URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified as a comma separated string. The first URL to successfully bind is used for the connection. |
use_auth_pool = True |
(Boolean) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all. |
use_dumb_member = False |
(Boolean) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute. |
use_pool = True |
(Boolean) Enable LDAP connection pooling. |
use_tls = False |
(Boolean) Enable TLS for communicating with LDAP servers. |
user = None |
(String) User BindDN to query the LDAP server. |
user_additional_attribute_mapping = |
(List) Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
user_allow_create = True |
(Boolean) DEPRECATED: Allow user creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
user_allow_delete = True |
(Boolean) DEPRECATED: Allow user deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
user_allow_update = True |
(Boolean) DEPRECATED: Allow user updates in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release. |
user_attribute_ignore = default_project_id |
(List) List of attributes stripped off the user on update. |
user_default_project_id_attribute = None |
(String) LDAP attribute mapped to default_project_id for users. |
user_description_attribute = description |
(String) LDAP attribute mapped to user description. |
user_enabled_attribute = enabled |
(String) LDAP attribute mapped to user enabled flag. |
user_enabled_default = True |
(String) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl". |
user_enabled_emulation = False |
(Boolean) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group. |
user_enabled_emulation_dn = None |
(String) DN of the group entry to hold enabled users when using enabled emulation. |
user_enabled_emulation_use_group_config = False |
(Boolean) Use the "group_member_attribute" and "group_objectclass" settings to determine membership in the emulated enabled group. |
user_enabled_invert = False |
(Boolean) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use. |
user_enabled_mask = 0 |
(Integer) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl". |
user_filter = None |
(String) LDAP search filter for users. |
user_id_attribute = cn |
(String) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. |
user_mail_attribute = mail |
(String) LDAP attribute mapped to user email. |
user_name_attribute = sn |
(String) LDAP attribute mapped to user name. |
user_objectclass = inetOrgPerson |
(String) LDAP objectclass for users. |
user_pass_attribute = userPassword |
(String) LDAP attribute mapped to password. |
user_tree_dn = None |
(String) Search base for users. Defaults to the suffix value. |