cce63f68aa
Change-Id: Ia766f93b9ce5b1560ebe37da65bd70be61a0fdd1
139 lines
9.5 KiB
ReStructuredText
..
      Warning: Do not edit this file. It is automatically generated from the
      software project's code and your changes will be overwritten.

      The tool to generate this file lives in openstack-doc-tools repository.

      Please make any changes needed in the code, then run the
      autogenerate-config-doc tool from the openstack-doc-tools repository, or
      ask for help on the documentation mailing list, IRC channel or meeting.

.. _keystone-ldap:

.. list-table:: Description of LDAP configuration options
   :header-rows: 1
   :class: config-ref-table

   * - Configuration option = Default value
     - Description
   * - **[ldap]**
     -
   * - ``alias_dereferencing`` = ``default``
     - (String) The LDAP dereferencing option for queries. Valid values are "never", "searching", "always", "finding" and "default"; "default" falls back to the dereferencing configured in your ldap.conf.
   * - ``allow_subtree_delete`` = ``False``
     - (Boolean) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.
   * - ``auth_pool_connection_lifetime`` = ``60``
     - (Integer) End user auth connection lifetime in seconds.
   * - ``auth_pool_size`` = ``100``
     - (Integer) End user auth connection pool size.
   * - ``chase_referrals`` = ``None``
     - (Boolean) Override the system's default referral chasing behavior for queries.
   * - ``debug_level`` = ``None``
     - (Integer) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask; consult your LDAP library documentation for possible values. Nonzero levels are verbose and can write directory traffic, including bind requests, to the log, so leave this at 0 outside a debugging session.
   * - ``dumb_member`` = ``cn=dumb,dc=nonexistent``
     - (String) DN of the "dummy member" to use when "use_dumb_member" is enabled.
   * - ``group_additional_attribute_mapping`` =
     - (List) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
   * - ``group_allow_create`` = ``True``
     - (Boolean) DEPRECATED: Allow group creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_allow_delete`` = ``True``
     - (Boolean) DEPRECATED: Allow group deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_allow_update`` = ``True``
     - (Boolean) DEPRECATED: Allow group update in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``group_attribute_ignore`` =
     - (List) List of attributes stripped off the group on update.
   * - ``group_desc_attribute`` = ``description``
     - (String) LDAP attribute mapped to group description.
   * - ``group_filter`` = ``None``
     - (String) LDAP search filter for groups.
   * - ``group_id_attribute`` = ``cn``
     - (String) LDAP attribute mapped to group id.
   * - ``group_member_attribute`` = ``member``
     - (String) LDAP attribute mapped to show group membership.
   * - ``group_members_are_ids`` = ``False``
     - (Boolean) If the members of the group objectclass are user IDs rather than DNs, set this to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.
   * - ``group_name_attribute`` = ``ou``
     - (String) LDAP attribute mapped to group name.
   * - ``group_objectclass`` = ``groupOfNames``
     - (String) LDAP objectclass for groups.
   * - ``group_tree_dn`` = ``None``
     - (String) Search base for groups. Defaults to the suffix value.
   * - ``page_size`` = ``0``
     - (Integer) Maximum results per page; a value of zero ("0") disables paging.
   * - ``password`` = ``None``
     - (String) Password for the BindDN to query the LDAP server. It is stored in clear text in keystone.conf, so restrict that file's permissions and use a bind account with only the rights the deployment needs.
   * - ``pool_connection_lifetime`` = ``600``
     - (Integer) Connection lifetime in seconds.
   * - ``pool_connection_timeout`` = ``-1``
     - (Integer) Connector timeout in seconds. Value -1 indicates indefinite wait for response.
   * - ``pool_retry_delay`` = ``0.1``
     - (Floating point) Time span in seconds to wait between two reconnect trials.
   * - ``pool_retry_max`` = ``3``
     - (Integer) Maximum count of reconnect trials.
   * - ``pool_size`` = ``10``
     - (Integer) Connection pool size.
   * - ``query_scope`` = ``one``
     - (String) The LDAP scope for queries: "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree.
   * - ``suffix`` = ``cn=example,cn=com``
     - (String) LDAP server suffix.
   * - ``tls_cacertdir`` = ``None``
     - (String) CA certificate directory path for communicating with LDAP servers.
   * - ``tls_cacertfile`` = ``None``
     - (String) CA certificate file path for communicating with LDAP servers.
   * - ``tls_req_cert`` = ``demand``
     - (String) How strictly the LDAP server's certificate is checked when TLS is used: "demand", "allow" or "never". Only "demand" rejects a missing or unverifiable certificate; "allow" and "never" accept any certificate, which exposes the bind credentials to a man-in-the-middle. Keep "demand" and point "tls_cacertfile" or "tls_cacertdir" at the issuing CA.
   * - ``url`` = ``ldap://localhost``
     - (String) URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified as a comma separated string. The first URL to successfully bind is used for the connection. With a plain ldap:// URL and "use_tls" disabled, the simple bind sends "password" in clear text; use ldaps:// or enable "use_tls".
   * - ``use_auth_pool`` = ``True``
     - (Boolean) Enable LDAP connection pooling for end user authentication. If "use_pool" is disabled, this setting is meaningless and is not used at all.
   * - ``use_dumb_member`` = ``False``
     - (Boolean) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
   * - ``use_pool`` = ``True``
     - (Boolean) Enable LDAP connection pooling.
   * - ``use_tls`` = ``False``
     - (Boolean) Enable TLS (StartTLS on the plain LDAP port) for communicating with LDAP servers. Do not combine it with an ldaps:// URL; use one or the other.
   * - ``user`` = ``None``
     - (String) User BindDN to query the LDAP server.
   * - ``user_additional_attribute_mapping`` =
     - (List) Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
   * - ``user_allow_create`` = ``True``
     - (Boolean) DEPRECATED: Allow user creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_allow_delete`` = ``True``
     - (Boolean) DEPRECATED: Allow user deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_allow_update`` = ``True``
     - (Boolean) DEPRECATED: Allow user updates in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
   * - ``user_attribute_ignore`` = ``default_project_id``
     - (List) List of attributes stripped off the user on update.
   * - ``user_default_project_id_attribute`` = ``None``
     - (String) LDAP attribute mapped to default_project_id for users.
   * - ``user_description_attribute`` = ``description``
     - (String) LDAP attribute mapped to user description.
   * - ``user_enabled_attribute`` = ``enabled``
     - (String) LDAP attribute mapped to user enabled flag.
   * - ``user_enabled_default`` = ``True``
     - (String) Default value for the user enabled flag. If the LDAP server stores "enabled" as an integer bitmask rather than a boolean (typically "user_enabled_attribute = userAccountControl"), this must be the matching integer; the typical value is "512".
   * - ``user_enabled_emulation`` = ``False``
     - (Boolean) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.
   * - ``user_enabled_emulation_dn`` = ``None``
     - (String) DN of the group entry to hold enabled users when using enabled emulation.
   * - ``user_enabled_emulation_use_group_config`` = ``False``
     - (Boolean) Use the "group_member_attribute" and "group_objectclass" settings to determine membership in the emulated enabled group.
   * - ``user_enabled_invert`` = ``False``
     - (Boolean) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" allows these lock attributes to be used. This setting has no effect if "user_enabled_mask" or "user_enabled_emulation" is in use.
   * - ``user_enabled_mask`` = ``0``
     - (Integer) Bitmask integer selecting the bit the enabled value is stored in, for LDAP servers that represent "enabled" as a bit of an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
   * - ``user_filter`` = ``None``
     - (String) LDAP search filter for users.
   * - ``user_id_attribute`` = ``cn``
     - (String) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.
   * - ``user_mail_attribute`` = ``mail``
     - (String) LDAP attribute mapped to user email.
   * - ``user_name_attribute`` = ``sn``
     - (String) LDAP attribute mapped to user name.
   * - ``user_objectclass`` = ``inetOrgPerson``
     - (String) LDAP objectclass for users.
   * - ``user_pass_attribute`` = ``userPassword``
     - (String) LDAP attribute mapped to password.
   * - ``user_tree_dn`` = ``None``
     - (String) Search base for users. Defaults to the suffix value.
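The example below is added here and is not keystone's code. It shows how the ``[ldap]`` options in the table combine in practice: it loads a constructed keystone.conf-style ``[ldap]`` section with ``configparser``, flags the settings that leave the bind password or directory traffic unprotected (plain ``ldap://`` without ``use_tls``, ``tls_req_cert`` other than ``demand``, no CA file, write support left enabled), and resolves the user "enabled" flag with the precedence the option descriptions give (emulation, then ``user_enabled_mask``, then the boolean attribute with ``user_enabled_invert``). The option names are the real ones; the sample hostnames, DNs, values and the helper function names are assumptions of this example, and falling back to ``user_enabled_default`` when the attribute is absent from an entry is our reading of the descriptions, not a statement about keystone's implementation.

```python
"""Added example (not keystone's code): audit a [ldap] section and resolve the
user enabled flag from the options documented in the table above."""
import configparser

# Constructed sample: hardened settings for an Active Directory style tree,
# where "enabled" lives in the userAccountControl bitmask.
HARDENED_CONF = """
[ldap]
url = ldaps://ldap.example.internal
use_tls = False
tls_req_cert = demand
tls_cacertfile = /etc/ssl/certs/corp-ca.pem
user = cn=keystone-bind,ou=service,dc=example,dc=internal
password = redacted
suffix = dc=example,dc=internal
user_tree_dn = ou=people,dc=example,dc=internal
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
"""

# Constructed sample: the table's defaults with only the URL and tls_req_cert set.
WEAK_CONF = """
[ldap]
url = ldap://ldap.example.internal
tls_req_cert = never
"""

WRITE_OPTIONS = ("user_allow_create", "user_allow_update", "user_allow_delete",
                 "group_allow_create", "group_allow_update", "group_allow_delete")


def load_ldap_section(text):
    """Parse an ini fragment and return its [ldap] section proxy."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp["ldap"]


def transport_findings(conf):
    """Return findings about connection security; an empty list means clean."""
    findings = []
    urls = [u.strip() for u in conf.get("url", "ldap://localhost").split(",")]
    use_tls = conf.getboolean("use_tls", fallback=False)
    ldaps = any(u.startswith("ldaps://") for u in urls)
    for u in urls:
        if u.startswith("ldap://") and not use_tls:
            findings.append(f"{u}: no StartTLS, simple bind sends 'password' in clear text")
    if use_tls and ldaps:
        findings.append("use_tls (StartTLS) combined with an ldaps:// URL; use one or the other")
    if use_tls or ldaps:
        req = conf.get("tls_req_cert", "demand").lower()
        if req != "demand":
            findings.append(f"tls_req_cert = {req}: server certificate not verified, MITM possible")
        if not (conf.get("tls_cacertfile", fallback=None) or conf.get("tls_cacertdir", fallback=None)):
            findings.append("no tls_cacertfile/tls_cacertdir: trust depends on the system ldap.conf")
    for opt in WRITE_OPTIONS:
        if conf.getboolean(opt, fallback=True):  # the table's default is True
            findings.append(f"{opt} = True: bind account needs write access to the directory")
    return findings


def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def user_is_enabled(entry, conf, member_of_emulation_group=False):
    """Resolve "enabled" for an LDAP entry given as a dict of attribute -> value.

    Precedence: user_enabled_emulation, then user_enabled_mask (set bit means
    disabled, e.g. AD ACCOUNTDISABLE = 2), then the boolean attribute, with
    user_enabled_invert applied last. Absent attribute -> user_enabled_default
    (assumption of this example).
    """
    if conf.getboolean("user_enabled_emulation", fallback=False):
        return member_of_emulation_group
    raw = entry.get(conf.get("user_enabled_attribute", "enabled"))
    mask = conf.getint("user_enabled_mask", fallback=0)
    if mask:
        value = int(raw if raw is not None else conf.get("user_enabled_default", "512"))
        return (value & mask) == 0
    enabled = _truthy(raw if raw is not None else conf.get("user_enabled_default", "True"))
    if conf.getboolean("user_enabled_invert", fallback=False):
        return not enabled
    return enabled


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, transport_findings(load_ldap_section(text)) or "OK")
    ad = load_ldap_section(HARDENED_CONF)
    print(user_is_enabled({"userAccountControl": "512"}, ad),
          user_is_enabled({"userAccountControl": "514"}, ad))
```

The weak configuration is flagged for the clear-text bind before any certificate setting matters, which is why ``tls_req_cert = never`` only appears as a finding once TLS is actually in play; the six write-support findings come from the deprecated ``*_allow_*`` options defaulting to ``True``, so a deployment that never intends keystone to modify the directory should set them to ``False`` and give the bind account read-only rights.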