e7cbc675ce
Change-Id: I959cc6884633ada1deb55f44ca1fc6f230bdebd9
<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!--
###################################################################
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
###################################################################
Warning: Do not edit this file. It is automatically
generated from the software project's code and your changes
will be overwritten.
The tool to generate this file lives in openstack-doc-tools
repository.
Please make any changes needed in the code, then run the
autogenerate-config-doc tool from the openstack-doc-tools
repository, or ask for help on the documentation mailing list,
IRC channel or meeting.
###################################################################
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
###################################################################
-->
<table rules="all" xml:id="config_table_keystone_ldap">
<caption>Description of LDAP configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[ldap]</th>
</tr>
<tr>
<td><option>alias_dereferencing</option> = <replaceable>default</replaceable></td>
<td>(StrOpt) The LDAP dereferencing option for queries. The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
</tr>
<tr>
<td><option>allow_subtree_delete</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.</td>
</tr>
<tr>
<td><option>auth_pool_connection_lifetime</option> = <replaceable>60</replaceable></td>
<td>(IntOpt) End user auth connection lifetime in seconds.</td>
</tr>
<tr>
<td><option>auth_pool_size</option> = <replaceable>100</replaceable></td>
<td>(IntOpt) End user auth connection pool size.</td>
</tr>
<tr>
<td><option>chase_referrals</option> = <replaceable>None</replaceable></td>
<td>(BoolOpt) Override the system's default referral chasing behavior for queries.</td>
</tr>
<tr>
<td><option>debug_level</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.</td>
</tr>
<tr>
<td><option>dumb_member</option> = <replaceable>cn=dumb,dc=nonexistent</replaceable></td>
<td>(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.</td>
</tr>
<tr>
<td><option>group_additional_attribute_mapping</option> = <replaceable></replaceable></td>
<td>(ListOpt) Additional attribute mappings for groups. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td><option>group_allow_create</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow group creation in LDAP backend.</td>
</tr>
<tr>
<td><option>group_allow_delete</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow group deletion in LDAP backend.</td>
</tr>
<tr>
<td><option>group_allow_update</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow group update in LDAP backend.</td>
</tr>
<tr>
<td><option>group_attribute_ignore</option> = <replaceable></replaceable></td>
<td>(ListOpt) List of attributes stripped off the group on update.</td>
</tr>
<tr>
<td><option>group_desc_attribute</option> = <replaceable>description</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to group description.</td>
</tr>
<tr>
<td><option>group_filter</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) LDAP search filter for groups.</td>
</tr>
<tr>
<td><option>group_id_attribute</option> = <replaceable>cn</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to group id.</td>
</tr>
<tr>
<td><option>group_member_attribute</option> = <replaceable>member</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to show group membership.</td>
</tr>
<tr>
<td><option>group_name_attribute</option> = <replaceable>ou</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to group name.</td>
</tr>
<tr>
<td><option>group_objectclass</option> = <replaceable>groupOfNames</replaceable></td>
<td>(StrOpt) LDAP objectclass for groups.</td>
</tr>
<tr>
<td><option>group_tree_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Search base for groups. Defaults to the suffix value.</td>
</tr>
<tr>
<td><option>page_size</option> = <replaceable>0</replaceable></td>
<td>(IntOpt) Maximum results per page; a value of zero ("0") disables paging.</td>
</tr>
<tr>
<td><option>password</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Password for the BindDN to query the LDAP server. It is stored in plain text in the configuration file, so restrict the file's permissions accordingly.</td>
</tr>
<tr>
<td><option>pool_connection_lifetime</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Connection lifetime in seconds.</td>
</tr>
<tr>
<td><option>pool_connection_timeout</option> = <replaceable>-1</replaceable></td>
<td>(IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response.</td>
</tr>
<tr>
<td><option>pool_retry_delay</option> = <replaceable>0.1</replaceable></td>
<td>(FloatOpt) Time span in seconds to wait between two reconnect trials.</td>
</tr>
<tr>
<td><option>pool_retry_max</option> = <replaceable>3</replaceable></td>
<td>(IntOpt) Maximum count of reconnect trials.</td>
</tr>
<tr>
<td><option>pool_size</option> = <replaceable>10</replaceable></td>
<td>(IntOpt) Connection pool size.</td>
</tr>
<tr>
<td><option>project_additional_attribute_mapping</option> = <replaceable></replaceable></td>
<td>(ListOpt) Additional attribute mappings for projects. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td><option>project_allow_create</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow project creation in LDAP backend.</td>
</tr>
<tr>
<td><option>project_allow_delete</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow project deletion in LDAP backend.</td>
</tr>
<tr>
<td><option>project_allow_update</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow project update in LDAP backend.</td>
</tr>
<tr>
<td><option>project_attribute_ignore</option> = <replaceable></replaceable></td>
<td>(ListOpt) List of attributes stripped off the project on update.</td>
</tr>
<tr>
<td><option>project_desc_attribute</option> = <replaceable>description</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project description.</td>
</tr>
<tr>
<td><option>project_domain_id_attribute</option> = <replaceable>businessCategory</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project domain_id.</td>
</tr>
<tr>
<td><option>project_enabled_attribute</option> = <replaceable>enabled</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project enabled.</td>
</tr>
<tr>
<td><option>project_enabled_emulation</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group.</td>
</tr>
<tr>
<td><option>project_enabled_emulation_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.</td>
</tr>
<tr>
<td><option>project_filter</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) LDAP search filter for projects.</td>
</tr>
<tr>
<td><option>project_id_attribute</option> = <replaceable>cn</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project id.</td>
</tr>
<tr>
<td><option>project_member_attribute</option> = <replaceable>member</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project membership for user.</td>
</tr>
<tr>
<td><option>project_name_attribute</option> = <replaceable>ou</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to project name.</td>
</tr>
<tr>
<td><option>project_objectclass</option> = <replaceable>groupOfNames</replaceable></td>
<td>(StrOpt) LDAP objectclass for projects.</td>
</tr>
<tr>
<td><option>project_tree_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Search base for projects. Defaults to the suffix value.</td>
</tr>
<tr>
<td><option>query_scope</option> = <replaceable>one</replaceable></td>
<td>(StrOpt) The LDAP scope for queries; "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree.</td>
</tr>
<tr>
<td><option>role_additional_attribute_mapping</option> = <replaceable></replaceable></td>
<td>(ListOpt) Additional attribute mappings for roles. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td><option>role_allow_create</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow role creation in LDAP backend.</td>
</tr>
<tr>
<td><option>role_allow_delete</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow role deletion in LDAP backend.</td>
</tr>
<tr>
<td><option>role_allow_update</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow role update in LDAP backend.</td>
</tr>
<tr>
<td><option>role_attribute_ignore</option> = <replaceable></replaceable></td>
<td>(ListOpt) List of attributes stripped off the role on update.</td>
</tr>
<tr>
<td><option>role_filter</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) LDAP search filter for roles.</td>
</tr>
<tr>
<td><option>role_id_attribute</option> = <replaceable>cn</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to role id.</td>
</tr>
<tr>
<td><option>role_member_attribute</option> = <replaceable>roleOccupant</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to role membership.</td>
</tr>
<tr>
<td><option>role_name_attribute</option> = <replaceable>ou</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to role name.</td>
</tr>
<tr>
<td><option>role_objectclass</option> = <replaceable>organizationalRole</replaceable></td>
<td>(StrOpt) LDAP objectclass for roles.</td>
</tr>
<tr>
<td><option>role_tree_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Search base for roles. Defaults to the suffix value.</td>
</tr>
<tr>
<td><option>suffix</option> = <replaceable>cn=example,cn=com</replaceable></td>
<td>(StrOpt) LDAP server suffix.</td>
</tr>
<tr>
<td><option>tls_cacertdir</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) CA certificate directory path for communicating with LDAP servers.</td>
</tr>
<tr>
<td><option>tls_cacertfile</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) CA certificate file path for communicating with LDAP servers.</td>
</tr>
<tr>
<td><option>tls_req_cert</option> = <replaceable>demand</replaceable></td>
<td>(StrOpt) Specifies what checks to perform on the certificate presented in the TLS session with the LDAP server. Valid values are "demand", "never" and "allow"; only "demand" refuses the connection when the server certificate is missing or cannot be verified, so lowering it weakens server authentication.</td>
</tr>
<tr>
<td><option>url</option> = <replaceable>ldap://localhost</replaceable></td>
<td>(StrOpt) URL for connecting to the LDAP server. With a plain ldap:// URL and use_tls disabled, bind credentials and query results travel in clear text; use an ldaps:// URL or enable use_tls.</td>
</tr>
<tr>
<td><option>use_auth_pool</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.</td>
</tr>
<tr>
<td><option>use_dumb_member</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) If true, a dummy member is added to groups. This is required if the objectclass for groups requires the "member" attribute.</td>
</tr>
<tr>
<td><option>use_pool</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Enable LDAP connection pooling.</td>
</tr>
<tr>
<td><option>use_tls</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Enable TLS (StartTLS) for communicating with LDAP servers. The server certificate is checked according to tls_req_cert, using the CA material given by tls_cacertfile or tls_cacertdir.</td>
</tr>
<tr>
<td><option>user</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) User BindDN to query the LDAP server.</td>
</tr>
<tr>
<td><option>user_additional_attribute_mapping</option> = <replaceable></replaceable></td>
<td>(ListOpt) Additional attribute mappings for users. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td><option>user_allow_create</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow user creation in LDAP backend.</td>
</tr>
<tr>
<td><option>user_allow_delete</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow user deletion in LDAP backend.</td>
</tr>
<tr>
<td><option>user_allow_update</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow user updates in LDAP backend.</td>
</tr>
<tr>
<td><option>user_attribute_ignore</option> = <replaceable>default_project_id</replaceable></td>
<td>(ListOpt) List of attributes stripped off the user on update.</td>
</tr>
<tr>
<td><option>user_default_project_id_attribute</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to default_project_id for users.</td>
</tr>
<tr>
<td><option>user_enabled_attribute</option> = <replaceable>enabled</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to user enabled flag.</td>
</tr>
<tr>
<td><option>user_enabled_default</option> = <replaceable>True</replaceable></td>
<td>(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".</td>
</tr>
<tr>
<td><option>user_enabled_emulation</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.</td>
</tr>
<tr>
<td><option>user_enabled_emulation_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.</td>
</tr>
<tr>
<td><option>user_enabled_invert</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use.</td>
</tr>
<tr>
<td><option>user_enabled_mask</option> = <replaceable>0</replaceable></td>
<td>(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".</td>
</tr>
<tr>
<td><option>user_filter</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) LDAP search filter for users.</td>
</tr>
<tr>
<td><option>user_id_attribute</option> = <replaceable>cn</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.</td>
</tr>
<tr>
<td><option>user_mail_attribute</option> = <replaceable>mail</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to user email.</td>
</tr>
<tr>
<td><option>user_name_attribute</option> = <replaceable>sn</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to user name.</td>
</tr>
<tr>
<td><option>user_objectclass</option> = <replaceable>inetOrgPerson</replaceable></td>
<td>(StrOpt) LDAP objectclass for users.</td>
</tr>
<tr>
<td><option>user_pass_attribute</option> = <replaceable>userPassword</replaceable></td>
<td>(StrOpt) LDAP attribute mapped to password.</td>
</tr>
<tr>
<td><option>user_tree_dn</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Search base for users. Defaults to the suffix value.</td>
</tr>
</tbody>
</table>
</para>