openstack
/
openstack-manuals
Code Issues Proposed changes
openstack-manuals/doc/common/tables/keystone-ldap.xml

355 lines
14 KiB
XML
Raw Blame History

<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!-- Warning: Do not edit this file. It is automatically
generated and your changes will be overwritten.
The tool to do so lives in openstack-doc-tools repository. -->
<table rules="all" xml:id="config_table_keystone_ldap">
<caption>Description of LDAP configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[ldap]</th>
</tr>
<tr>
<td>alias_dereferencing = default</td>
<td>(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
</tr>
<tr>
<td>allow_subtree_delete = False</td>
<td>(BoolOpt) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.</td>
</tr>
<tr>
<td>auth_pool_connection_lifetime = 60</td>
<td>(IntOpt) End user auth connection lifetime in seconds.</td>
</tr>
<tr>
<td>auth_pool_size = 100</td>
<td>(IntOpt) End user auth connection pool size.</td>
</tr>
<tr>
<td>chase_referrals = None</td>
<td>(BoolOpt) Override the system's default referral chasing behavior for queries.</td>
</tr>
<tr>
<td>debug_level = None</td>
<td>(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.</td>
</tr>
<tr>
<td>dumb_member = cn=dumb,dc=nonexistent</td>
<td>(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.</td>
</tr>
<tr>
<td>group_additional_attribute_mapping = </td>
<td>(ListOpt) Additional attribute mappings for groups. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td>group_allow_create = True</td>
<td>(BoolOpt) Allow group creation in LDAP backend.</td>
</tr>
<tr>
<td>group_allow_delete = True</td>
<td>(BoolOpt) Allow group deletion in LDAP backend.</td>
</tr>
<tr>
<td>group_allow_update = True</td>
<td>(BoolOpt) Allow group update in LDAP backend.</td>
</tr>
<tr>
<td>group_attribute_ignore = </td>
<td>(ListOpt) List of attributes stripped off the group on update.</td>
</tr>
<tr>
<td>group_desc_attribute = description</td>
<td>(StrOpt) LDAP attribute mapped to group description.</td>
</tr>
<tr>
<td>group_filter = None</td>
<td>(StrOpt) LDAP search filter for groups.</td>
</tr>
<tr>
<td>group_id_attribute = cn</td>
<td>(StrOpt) LDAP attribute mapped to group id.</td>
</tr>
<tr>
<td>group_member_attribute = member</td>
<td>(StrOpt) LDAP attribute mapped to show group membership.</td>
</tr>
<tr>
<td>group_name_attribute = ou</td>
<td>(StrOpt) LDAP attribute mapped to group name.</td>
</tr>
<tr>
<td>group_objectclass = groupOfNames</td>
<td>(StrOpt) LDAP objectclass for groups.</td>
</tr>
<tr>
<td>group_tree_dn = None</td>
<td>(StrOpt) Search base for groups.</td>
</tr>
<tr>
<td>page_size = 0</td>
<td>(IntOpt) Maximum results per page; a value of zero ("0") disables paging.</td>
</tr>
<tr>
<td>password = None</td>
<td>(StrOpt) Password for the BindDN to query the LDAP server.</td>
</tr>
<tr>
<td>pool_connection_lifetime = 600</td>
<td>(IntOpt) Connection lifetime in seconds.</td>
</tr>
<tr>
<td>pool_connection_timeout = -1</td>
<td>(IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response.</td>
</tr>
<tr>
<td>pool_retry_delay = 0.1</td>
<td>(FloatOpt) Time span in seconds to wait between two reconnect trials.</td>
</tr>
<tr>
<td>pool_retry_max = 3</td>
<td>(IntOpt) Maximum count of reconnect trials.</td>
</tr>
<tr>
<td>pool_size = 10</td>
<td>(IntOpt) Connection pool size.</td>
</tr>
<tr>
<td>project_additional_attribute_mapping = </td>
<td>(ListOpt) Additional attribute mappings for projects. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td>project_allow_create = True</td>
<td>(BoolOpt) Allow project creation in LDAP backend.</td>
</tr>
<tr>
<td>project_allow_delete = True</td>
<td>(BoolOpt) Allow project deletion in LDAP backend.</td>
</tr>
<tr>
<td>project_allow_update = True</td>
<td>(BoolOpt) Allow project update in LDAP backend.</td>
</tr>
<tr>
<td>project_attribute_ignore = </td>
<td>(ListOpt) List of attributes stripped off the project on update.</td>
</tr>
<tr>
<td>project_desc_attribute = description</td>
<td>(StrOpt) LDAP attribute mapped to project description.</td>
</tr>
<tr>
<td>project_domain_id_attribute = businessCategory</td>
<td>(StrOpt) LDAP attribute mapped to project domain_id.</td>
</tr>
<tr>
<td>project_enabled_attribute = enabled</td>
<td>(StrOpt) LDAP attribute mapped to project enabled.</td>
</tr>
<tr>
<td>project_enabled_emulation = False</td>
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group.</td>
</tr>
<tr>
<td>project_enabled_emulation_dn = None</td>
<td>(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.</td>
</tr>
<tr>
<td>project_filter = None</td>
<td>(StrOpt) LDAP search filter for projects.</td>
</tr>
<tr>
<td>project_id_attribute = cn</td>
<td>(StrOpt) LDAP attribute mapped to project id.</td>
</tr>
<tr>
<td>project_member_attribute = member</td>
<td>(StrOpt) LDAP attribute mapped to project membership for user.</td>
</tr>
<tr>
<td>project_name_attribute = ou</td>
<td>(StrOpt) LDAP attribute mapped to project name.</td>
</tr>
<tr>
<td>project_objectclass = groupOfNames</td>
<td>(StrOpt) LDAP objectclass for projects.</td>
</tr>
<tr>
<td>project_tree_dn = None</td>
<td>(StrOpt) Search base for projects</td>
</tr>
<tr>
<td>query_scope = one</td>
<td>(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).</td>
</tr>
<tr>
<td>role_additional_attribute_mapping = </td>
<td>(ListOpt) Additional attribute mappings for roles. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td>role_allow_create = True</td>
<td>(BoolOpt) Allow role creation in LDAP backend.</td>
</tr>
<tr>
<td>role_allow_delete = True</td>
<td>(BoolOpt) Allow role deletion in LDAP backend.</td>
</tr>
<tr>
<td>role_allow_update = True</td>
<td>(BoolOpt) Allow role update in LDAP backend.</td>
</tr>
<tr>
<td>role_attribute_ignore = </td>
<td>(ListOpt) List of attributes stripped off the role on update.</td>
</tr>
<tr>
<td>role_filter = None</td>
<td>(StrOpt) LDAP search filter for roles.</td>
</tr>
<tr>
<td>role_id_attribute = cn</td>
<td>(StrOpt) LDAP attribute mapped to role id.</td>
</tr>
<tr>
<td>role_member_attribute = roleOccupant</td>
<td>(StrOpt) LDAP attribute mapped to role membership.</td>
</tr>
<tr>
<td>role_name_attribute = ou</td>
<td>(StrOpt) LDAP attribute mapped to role name.</td>
</tr>
<tr>
<td>role_objectclass = organizationalRole</td>
<td>(StrOpt) LDAP objectclass for roles.</td>
</tr>
<tr>
<td>role_tree_dn = None</td>
<td>(StrOpt) Search base for roles.</td>
</tr>
<tr>
<td>suffix = cn=example,cn=com</td>
<td>(StrOpt) LDAP server suffix</td>
</tr>
<tr>
<td>tls_cacertdir = None</td>
<td>(StrOpt) CA certificate directory path for communicating with LDAP servers.</td>
</tr>
<tr>
<td>tls_cacertfile = None</td>
<td>(StrOpt) CA certificate file path for communicating with LDAP servers.</td>
</tr>
<tr>
<td>tls_req_cert = demand</td>
<td>(StrOpt) Valid options for tls_req_cert are demand, never, and allow.</td>
</tr>
<tr>
<td>url = ldap://localhost</td>
<td>(StrOpt) URL for connecting to the LDAP server.</td>
</tr>
<tr>
<td>use_auth_pool = False</td>
<td>(BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.</td>
</tr>
<tr>
<td>use_dumb_member = False</td>
<td>(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.</td>
</tr>
<tr>
<td>use_pool = False</td>
<td>(BoolOpt) Enable LDAP connection pooling.</td>
</tr>
<tr>
<td>use_tls = False</td>
<td>(BoolOpt) Enable TLS for communicating with LDAP servers.</td>
</tr>
<tr>
<td>user = None</td>
<td>(StrOpt) User BindDN to query the LDAP server.</td>
</tr>
<tr>
<td>user_additional_attribute_mapping = </td>
<td>(ListOpt) List of additional LDAP attributes used for mapping additional attribute mappings for users. Attribute mapping format is &lt;ldap_attr&gt;:&lt;user_attr&gt;, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.</td>
</tr>
<tr>
<td>user_allow_create = True</td>
<td>(BoolOpt) Allow user creation in LDAP backend.</td>
</tr>
<tr>
<td>user_allow_delete = True</td>
<td>(BoolOpt) Allow user deletion in LDAP backend.</td>
</tr>
<tr>
<td>user_allow_update = True</td>
<td>(BoolOpt) Allow user updates in LDAP backend.</td>
</tr>
<tr>
<td>user_attribute_ignore = default_project_id, tenants</td>
<td>(ListOpt) List of attributes stripped off the user on update.</td>
</tr>
<tr>
<td>user_default_project_id_attribute = None</td>
<td>(StrOpt) LDAP attribute mapped to default_project_id for users.</td>
</tr>
<tr>
<td>user_enabled_attribute = enabled</td>
<td>(StrOpt) LDAP attribute mapped to user enabled flag.</td>
</tr>
<tr>
<td>user_enabled_default = True</td>
<td>(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".</td>
</tr>
<tr>
<td>user_enabled_emulation = False</td>
<td>(BoolOpt) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.</td>
</tr>
<tr>
<td>user_enabled_emulation_dn = None</td>
<td>(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.</td>
</tr>
<tr>
<td>user_enabled_invert = False</td>
<td>(BoolOpt) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use.</td>
</tr>
<tr>
<td>user_enabled_mask = 0</td>
<td>(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".</td>
</tr>
<tr>
<td>user_filter = None</td>
<td>(StrOpt) LDAP search filter for users.</td>
</tr>
<tr>
<td>user_id_attribute = cn</td>
<td>(StrOpt) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.</td>
</tr>
<tr>
<td>user_mail_attribute = mail</td>
<td>(StrOpt) LDAP attribute mapped to user email.</td>
</tr>
<tr>
<td>user_name_attribute = sn</td>
<td>(StrOpt) LDAP attribute mapped to user name.</td>
</tr>
<tr>
<td>user_objectclass = inetOrgPerson</td>
<td>(StrOpt) LDAP objectclass for users.</td>
</tr>
<tr>
<td>user_pass_attribute = userPassword</td>
<td>(StrOpt) LDAP attribute mapped to password.</td>
</tr>
<tr>
<td>user_tree_dn = None</td>
<td>(StrOpt) Search base for users.</td>
</tr>
</tbody>
</table>
</para>
View Git Blame Copy Permalink