charm-keystone-ldap/src/config.yaml

options:
  domain-name:
    type: string
    default:
    description: Name of the keystone domain to configure; defaults to the deployed application name.
  ldap-server:
    type: string
    default:
    description: |
      LDAP server URL for keystone LDAP identity backend.

      Examples:
      ldap://10.10.10.10/
      ldaps://10.10.10.10/
      ldap://example.com:389,ldaps://ldaps.example.com:636

      Usage of ldap:// urls with tls_ca_ldap option specified or certificates relation
      presence will result in mandatory StartTLS usage.      
  ldap-user:
    type: string
    default:
    description: |
      Username (Distinguished Name) used to bind to LDAP identity server.
      .
      Example: cn=admin,dc=test,dc=com      
  ldap-password:
    type: string
    default:
    description: Password of the LDAP identity server.
  ldap-suffix:
    type: string
    default:
    description: LDAP server suffix to be used by keystone.
  ldap-config-flags:
    type: string
    default:
    description: |
      Additional LDAP configuration options.
      For simple configurations use a comma separated string of key=value pairs.
      "user_allow_create=False, user_allow_update=False, user_allow_delete=False"
      For more complex configurations use a json like string with double quotes
      and braces around all the options and single quotes around complex values.
      "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
        user_allow_create: False,
        user_allow_delete: False}"
      See the README for more details.      
  ldap-readonly:
    type: boolean
    default: True
    description: LDAP identity server backend readonly to keystone.
  tls-ca-ldap:
    type: string
    default: null
    description: |
      This option controls which certificate (or a chain) will be used to connect
      to an ldap server(s) over TLS. Certificate contents should be either used
      directly or included via include-file://
      An LDAP url should also be considered as ldaps and StartTLS are both valid
      methods of using TLS (see RFC 4513) with StartTLS using a non-ldaps url which,
      of course, still requires a CA certificate.