# icehouse
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
###############################################################################
[DEFAULT]
admin_token = {{ token }}
admin_port = {{ admin_port }}
public_port = {{ public_port }}
use_syslog = {{ use_syslog }}
log_config = /etc/keystone/logging.conf
debug = {{ debug }}
verbose = {{ verbose }}
public_endpoint = {{ public_endpoint }}
admin_endpoint = {{ admin_endpoint }}
bind_host = {{ bind_host }}
public_workers = {{ workers }}
admin_workers = {{ workers }}

[database]
{% if database_host -%}
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
{% else -%}
connection = sqlite:////var/lib/keystone/keystone.db
{% endif -%}
idle_timeout = 200

[identity]
driver = keystone.identity.backends.{{ identity_backend }}.Identity

[credential]
driver = keystone.credential.backends.sql.Credential

[trust]
driver = keystone.trust.backends.sql.Trust

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.sql.Token
provider = keystone.token.providers.uuid.Provider
expiration = {{ token_expiration }}

{% include "parts/section-signing" %}

[cache]

[policy]
driver = keystone.policy.backends.sql.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[assignment]
driver = keystone.assignment.backends.{{ assignment_backend }}.Assignment

[oauth1]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]
config_file = keystone-paste.ini

[extra_headers]
Distribution = Ubuntu

[ldap]
{% if identity_backend == 'ldap' -%}
url = {{ ldap_server }}
user = {{ ldap_user }}
password = {{ ldap_password }}
suffix = {{ ldap_suffix }}

{% if ldap_config_flags -%}
{% for key, value in ldap_config_flags.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}

{% if ldap_readonly -%}
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False
{% endif -%}
{% endif -%}