61 lines
2.1 KiB
YAML
61 lines
2.1 KiB
YAML
options:
|
|
domain-name:
|
|
type: string
|
|
default:
|
|
description: Name of the keystone domain to configure; defaults to the deployed application name.
|
|
ldap-server:
|
|
type: string
|
|
default:
|
|
description: |
|
|
LDAP server URL for keystone LDAP identity backend.
|
|
|
|
Examples:
|
|
ldap://10.10.10.10/
|
|
ldaps://10.10.10.10/
|
|
ldap://example.com:389,ldaps://ldaps.example.com:636
|
|
|
|
Usage of ldap:// urls with tls_ca_ldap option specified or certificates relation
|
|
presence will result in mandatory StartTLS usage.
|
|
ldap-user:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Username (Distinguished Name) used to bind to LDAP identity server.
|
|
.
|
|
Example: cn=admin,dc=test,dc=com
|
|
ldap-password:
|
|
type: string
|
|
default:
|
|
description: Password of the LDAP identity server.
|
|
ldap-suffix:
|
|
type: string
|
|
default:
|
|
description: LDAP server suffix to be used by keystone.
|
|
ldap-config-flags:
|
|
type: string
|
|
default:
|
|
description: |
|
|
Additional LDAP configuration options.
|
|
For simple configurations use a comma separated string of key=value pairs.
|
|
"user_allow_create=False, user_allow_update=False, user_allow_delete=False"
|
|
For more complex configurations use a json like string with double quotes
|
|
and braces around all the options and single quotes around complex values.
|
|
"{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
|
|
user_allow_create: False,
|
|
user_allow_delete: False}"
|
|
See the README for more details.
|
|
ldap-readonly:
|
|
type: boolean
|
|
default: True
|
|
description: LDAP identity server backend readonly to keystone.
|
|
tls-ca-ldap:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
This option controls which certificate (or a chain) will be used to connect
|
|
to an ldap server(s) over TLS. Certificate contents should be either used
|
|
directly or included via include-file://
|
|
An LDAP url should also be considered as ldaps and StartTLS are both valid
|
|
methods of using TLS (see RFC 4513) with StartTLS using a non-ldaps url which,
|
|
of course, still requires a CA certificate.
|