本文全面解读Icehouse发行版keystone的配置文件keystone.conf,由于从keystone提供的服务或依赖的基础设施角度入手,因此[DEFAULT]部分可能被拆分到很多子块中。
|
关于API的配置 |
|
|
[DEFAULT] |
|
| admin_bind_host = 0.0.0.0 |
(StrOpt)admin服务监听的IP地址 |
| admin_endpoint = None |
(StrOpt)广播给其他服务的keystone管理终端URL |
| admin_port = 35357 |
(IntOpt)admin服务监听的端口 |
| admin_token = ADMIN |
(StrOpt) 管理员令牌,建议在生产模式中禁用(如在keystone-paste.ini文件中删除AdminTokenAuthMiddleware) |
|
compute_port = 8774 |
(IntOpt)计算服务监听的端口 |
|
domain_id_immutable = True |
(BoolOpt)是否可以通过修改domain_id来在域间移动用户,组和工程 |
|
list_limit = None |
(IntOpt)限制响应返回的最大容量 |
|
max_param_size = 64 |
(IntOpt)用户/租户的ID或名称的最大长度 |
|
max_request_body_size= 114688 |
(IntOpt)最大请求限制,由可选的尺寸限制中间件来实现,如keystone.middleware:RequestBodySizeLimiter |
|
max_token_size = 8192 |
(IntOpt)专门针对令牌的长度限制 |
|
member_role_id |
(StrOpt) |
|
member_role_name=_member_ |
|
|
public_bind_host=0.0.0.0 |
(StrOpt)公共服务监听的IP地址 |
|
public_endpoint=None |
(StrOpt)广播给其他服务的keystone公共终端URL |
| public_port = 5000 |
(IntOpt)公共服务监听的端口 |
|
tcp_keepalive = False |
(BoolOpt)能够控制服务器端socket中TCP_KEEPALIVE是否启用的开关 |
|
tcp_keepidle = 600 |
(IntOpt)在上一个选项是True的情况下,为每一个服务器socket设定TCP_KEEPIDLE的值 |
|
[endpoint_filter] |
|
|
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
(StrOpt)终端过滤的后端驱动程序 |
|
return_all_endpoints_if_no_filter = True |
(BoolOpt)是否决定如果没有过滤器存在,就返回所有活动的终端 |
|
[paste_deploy] |
|
|
config_file = keystone-paste.ini |
(StrOpt)paste配置文件的名称 |
|
关于调试的配置 |
|
|
[DEFAULT] |
|
|
backdoor_port = None |
(StrOpt)Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in theservice's log file. |
|
debug = False |
(BoolOpt)打印调试输出,将日志等级设置为DEBUG而不是默认的WARNING等级 |
|
disable_process_locking = False |
(BoolOpt)是否禁用进程间锁 |
|
fatal_deprecation = False |
(BoolOpt)Make deprecations fatal |
|
publish_errors = False |
(BoolOpt)公布error events |
|
pydev_debug_host = None |
(StrOpt)连接远程调试器的主机 |
|
pydev_debug_port = None |
(IntOpt)连接远程调试器的端口 |
|
standard_threads = False |
(BoolOpt)不要猴子补丁线程系统的模块 |
|
[audit] |
|
|
namespace = openstack |
(StrOpt)生成的ID的命名空间前缀 |
|
关于EC2的配置 |
|
|
[DEFAULT] |
|
|
keystone_ec2_cafile = None |
(StrOpt)用来验证HTTPS连接的PEM编码的CA,默认为系统CAs |
|
keystone_ec2_certfile = None |
(StrOpt)客户端证书密钥文件,如果EC2服务器要求验证客户端证书的话则本文件就是必须的 |
|
keystone_ec2_insecure = False |
(BoolOpt)是否禁用SSL证书验证,False是启用,True是禁用(即不安全的) |
|
keystone_ec2_keyfile = None |
(StrOpt)如果EC2服务器要求验证客户端证书的话,该文件是必须的 |
|
keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens |
(StrOpt)从EC2请求中获取token的URL |
|
[ec2] |
|
|
driver = keystone.contrib.ec2.backends.kvs.Ec2 |
(StrOpt)keystone EC2Credential 后端驱动 |
|
关于misc的配置 |
|
|
[DEFAULT] |
|
|
lock_path = None |
(StrOpt)锁文件存放的目录 |
|
关于通告(notification)的配置 |
|
|
[DEFAULT] |
|
|
onready = None |
(StrOpt)当一个进程就绪时,本选项允许其发送一条通知,比如采取systemd通知的话,可以在等号后设置shell “systemd-notify --ready”或者一个拥有notify()方法的模块,如:keystone.common.systemd |
|
关于策略(Policy)的配置 |
|
|
[DEFAULT] |
|
|
policy_default_rule = default |
(StrOpt)请求的规则不存在时执行的规则 |
|
policy_file = policy.json |
(StrOpt)包含访问控制策略的JSON文件 |
|
[policy] |
|
|
driver = keystone.policy.backends.sql.Policy |
(StrOpt)keystone策略后端驱动 |
|
list_limit = None |
(IntOpt)返回策略集的容量上限 |
|
关于密码安全性的配置 |
|
|
[DEFAULT] |
|
|
CRYPT_STRENGTH = 40000 |
(IntOpt)作为关键字"rounds"传给passlib中的加密方法 |
|
关于SSL的配置 |
|
|
[signing] |
|
|
ca_certs = /etc/keystone/ssl/certs/ca.pem |
(StrOpt)签名令牌用到的CA路径 |
|
ca_key = /etc/keystone/ssl/private/cakey.pem |
(StrOpt)签名令牌用到的CA密钥的路径 |
|
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/ |
(StrOpt)签名令牌用到的Certificate Subject |
|
certfile = /etc/keystone/ssl/certs/signing_cert.pem |
(StrOpt)签名令牌用到的证书文件 |
|
key_size = 2048 |
(IntOpt)签名令牌的证书中的密钥尺寸(单位:bit) |
|
keyfile = /etc/keystone/ssl/private/signing_key.pem |
(StrOpt)签名令牌的密钥文件路径 |
|
token_format = None |
(StrOpt)不建议使用该选项,支持使用[token]段落中的provider字段 |
|
valid_days = 3650 |
(IntOpt)签名令牌的证书有效期 |
|
[ssl] |
|
|
ca_certs = /etc/keystone/ssl/certs/ca.pem |
(StrOpt)SSL用到的CA证书文件路径 |
|
ca_key = /etc/keystone/ssl/private/cakey.pem |
(StrOpt)SSL用到的CA密钥文件路径 |
|
cert_required = False |
(BoolOpt)要求客户端证书 |
|
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/ CN=localhost |
(StrOpt)SSL Certificate Subject |
|
certfile = /etc/keystone/ssl/certs/keystone.pem |
(StrOpt)SSL证书路径 |
|
enable = False |
(BoolOpt)keystone eventlet 服务器是否支持SSL的开关 |
|
key_size = 1024 |
(IntOpt)SSL密钥长度(单位:bit) |
|
keyfile = /etc/keystone/ssl/private/keystonekey.pem |
(StrOpt)SSL密钥文件路径 |
|
valid_days = 3650 |
(IntOpt)数字证书有效期 |
|
关于RPC的配置 |
|
|
[DEFAULT] |
|
|
allowed_rpc_exception_modules = |
(ListOpt)Modules of exceptions that are permitted to berecreated upon receiving exception data from an rpc call. |
|
关于amqp的配置 |
|
|
[DEFAULT] |
|
|
amqp_auto_delete = False |
(BoolOpt) 自动删除amqp中的队列 |
|
amqp_durable_queues = False |
(BoolOpt) 在amqp中使用持久队列 |
|
control_exchange = openstack |
(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option. |
|
default_publisher_id = None |
(StrOpt)Default publisher_id for outgoing notifications |
|
notification_driver = [] |
(MultiStrOpt)Driver or drivers to handle sending notifications. |
|
notification_topics = notifications |
(ListOpt)AMQP topic used for OpenStack notifications |
|
rpc_backend = rabbit |
(StrOpt)The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq. |
|
rpc_cast_timeout = 30 |
(IntOpt)Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. |
|
rpc_conn_pool_size = 30 |
(IntOpt)Size of RPC connection pool |
|
rpc_response_timeout = 60 |
(IntOpt)Seconds to wait for a response from a call. |
|
rpc_thread_pool_size = 64 |
(IntOpt)Size of RPC greenthread pool. |
|
transport_url = None |
(StrOpt)A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration |
|
关于qpid的配置 |
|
|
[DEFAULT] |
|
|
qpid_heartbeat = 60 |
(IntOpt)Seconds between connection keepalive heartbeats. |
|
qpid_hostname = localhost |
(StrOpt)Qpid broker hostname. |
|
qpid_hosts = $qpid_hostname:$qpid_port |
(ListOpt)Qpid HA cluster host:port pairs. |
|
qpid_password = |
(StrOpt)Password for Qpid connection. |
|
qpid_port = 5672 |
(IntOpt)Qpid broker port. |
|
qpid_protocol = tcp |
(StrOpt)Transport to use, either 'tcp' or 'ssl'. |
|
qpid_sasl_mechanisms = |
(StrOpt) Space separated list of SASL mechanisms to use for auth. |
|
qpid_tcp_nodelay = True |
(BoolOpt)Whether to disable the Nagle algorithm |
|
qpid_topology_version = 1 |
(IntOpt)The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break. |
|
qpid_username = |
(StrOpt) qpid连接的用户名 |
|
关于rabbit的配置 |
|
|
[DEFAULT] |
|
|
fake_rabbit = False |
(BoolOpt) If passed, use a fake RabbitMQ provider. |
|
kombu_reconnect_delay = 1.0 |
(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification |
|
kombu_ssl_ca_certs = |
(StrOpt) SSL certification authority file (valid only if SSL enabled) |
|
kombu_ssl_certfile = |
(StrOpt) SSL cert file (valid only if SSL enabled) |
|
kombu_ssl_keyfile = |
(StrOpt) SSL key file (valid only if SSL enabled) |
|
kombu_ssl_version = |
(StrOpt) SSL version to use (valid only if SSL enabled). valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions |
|
rabbit_ha_queues = False |
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. |
|
rabbit_host = localhost |
(StrOpt)The RabbitMQ broker address where a single node is used. |
|
rabbit_hosts = $rabbit_host:$rabbit_port |
(ListOpt)RabbitMQ HA cluster host:port pairs. |
|
rabbit_login_method = AMQPLAIN |
(StrOpt)the RabbitMQ login method |
|
rabbit_max_retries = 0 |
(IntOpt)Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count). |
|
rabbit_password = guest |
(StrOpt)The RabbitMQ password |
|
rabbit_port = 5672 |
(IntOpt)The RabbitMQ broker port where a single node is used. |
|
rabbit_retry_backoff = 2 |
(IntOpt)How long to backoff for between retries when connecting to RabbitMQ |
|
rabbit_retry_interval = 1 |
(IntOpt)How frequently to retry connecting with RabbitMQ |
|
rabbit_use_ssl = False |
(BoolOpt) Connect over SSL for RabbitMQ |
|
rabbit_userid = guest |
(StrOpt)RabbitMQ用户id |
|
rabbit_virtual_host = / |
(StrOpt)RabbitMQ虚拟主机 |
|
关于zeromq的配置 |
|
|
[DEFAULT] |
|
|
rpc_zmq_bind_address = * |
(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address. |
|
rpc_zmq_contexts = 1 |
(IntOpt) Number of ZeroMQ contexts, defaults to 1 |
|
rpc_zmq_host = oslo |
(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova. |
|
rpc_zmq_ipc_dir = /var/run/openstack |
(StrOpt) Directory for holding IPC sockets |
|
rpc_zmq_matchmaker = |
(StrOpt) MatchMaker driver |
|
rpc_zmq_port = 9501 |
(IntOpt) ZeroMQ receiver listening port |
|
rpc_zmq_topic_backlog = None |
(IntOpt)Maximum number of ingress messages to locally buffer per topic. Default is unlimited |
|
关于redis的配置 |
|
|
[DEFAULT] |
|
|
host = 127.0.0.1 |
(StrOpt) Host to locate redis |
|
matchmaker_heartbeat_freq = 300 |
(IntOpt) Heartbeat frequency |
|
matchmaker_heartbeat_ttl = 600 |
(IntOpt) Heartbeat time-to-live |
|
password = None |
(StrOpt) Password for Redis server (optional). |
|
port = 6379 |
(IntOpt) Use this port to connect to redis host |
|
[matchmaker_ring] |
|
|
ringfile = /etc/oslo/matchmaker_ring.json |
(StrOpt) Matchmaker ring file (JSON). |
|
关于记录日志的配置 |
|
|
[DEFAULT] |
|
|
default_log_levels = amqp=WARN, |
(ListOpt)List of logger=LEVEL pairs |
|
instance_format = "[instance: %(uuid)s] " |
(StrOpt)If an instance is passed with the log message, format it like this |
|
instance_uuid_format = "[instance: %(uuid)s] " |
(StrOpt)If an instance UUID is passed with the log message, format it like this |
|
log_config_append = None |
(StrOpt)The name of logging configuration file. It does not disable existing loggers, but just appends specified logging configuration to any other existing logging options. Please see the Python logging module documentation for details on logging configuration files. |
|
log_date_format = %Y-%m-%d %H:%M:%S |
(StrOpt)Format string for %%(asctime)s in log records. Default: %(default)s |
|
log_dir = None |
(StrOpt) (Optional) The base directory used for relative -- log-file paths |
|
log_file = None |
(StrOpt)(Optional) Name of log file to output to. If no default is set, logging will go to stdout. |
|
log_format = None |
(StrOpt)DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead. |
|
logging_context_format_string = %(asctime)s. |
(StrOpt) Format string to use for log messages with context |
|
logging_debug_format_suffix = %(funcName)s |
(StrOpt) Data to append to log format when level is DEBUG |
|
logging_default_format_string = %(asctime)s.%(msecs)03d |
(StrOpt) Format string to use for log messages without context |
|
logging_exception_prefix = %(asctime)s.%(msecs)03d |
(StrOpt) Prefix each line of exception output with this format |
|
syslog_log_facility = LOG_USER |
(StrOpt) Syslog facility to receive log lin |
|
use_stderr = True |
(BoolOpt) Log output to standard error |
|
use_syslog = False |
(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and then will be changed in J to honor RFC5424 |
|
use_syslog_rfc_format = False |
(BoolOpt) (Optional) Use syslog rfc5424 format for logging. If enabled, will add APP-NAME (RFC5424) before the MSG part of the syslog message. The old format without APP-NAME is deprecated in I, and will be removed in J. |
|
verbose = False |
(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level). |
|
以下为其余各个段落的说明 |
|
|
[assignment] |
|
| dirver |
(StrOpt)assignment后端驱动 |
| caching |
(BoolOpt)缓存asignment数据,除非启用全局缓存,否则本选项无效 |
| cache_time |
(IntOpt)缓存assignment数据的时间(单位:秒),除非启用全局缓存,否则本选项无效 |
| list_limit |
(IntOpt)返回的assignment集合中数据项的容量 |
|
[auth] |
|
| methods |
(ListOpt)默认的认证方法 |
| password |
(StrOpt)Password认证插件模块 |
| token |
(StrOpt)Token认证插件模块 |
| external |
(StrOpt)External(REMOTE_USER)认证插件模块 |
|
[cache] |
|
| backend |
(StrOpt) Dogpile.cache后端模块,在生产部署模式中推荐使用dogpile.cache.memcache或dog -pile.cache.redis,小规模负载情况下可以使用dogpile.cache.memory后端 |
| backend_argument |
(MultiStrOpt)传给dogpile.cache后端模块的参数,参考格式:“名:值“ |
| config_prefix |
(StrOpt)为缓冲域建立配置字典时的前缀,除非有相同配置名称dogpile.cache域,否则本选项不需要更改提供的默认值 |
| debug_cache_backend |
(BoolOpt)额外的缓存后端调试,通常为False |
| enabled |
(BoolOpt)全局缓存开关 |
| expiration_time |
(IntOpt)dogpile.cache域中的全局缓存时间(单位:秒),适用于任何没有明确标明缓存时间的非全局缓存项。 |
| proxies |
(ListOpt)可以引入的能够影响dogpile.cache后端工作的代理类, |
| use_key_mangler |
(BoolOpt)使用key-mangling function (如:SHA-1)来确保缓存键的长度统一,推荐设为True |
|
[catalog] Keystone提供两种类型的目录服务,一种是基于数据库的,一种是基于文件的,二者使用的驱动不同,不可混用。 |
|
|
template_file = default_catalog.templates |
(StrOpt)指定目录模板文件 |
|
driver = keystone.catalog.backends.sql.Catalog |
(StrOpt)目录后端驱动,还有keystone.catalog.backends.templated.Catalog |
| list_limit = None |
(IntOpt)一次返回的目录集合容量 |
|
[credential] |
|
|
driver |
(StrOpt)Credential后端驱动 |
|
[database] |
|
|
sqlite_db |
(StrOpt)使用SQLite的文件名 |
| backend |
(StrOpt)用于数据库的后端 |
| connection |
(StrOpt)连接至指定数据库的SQLAlchemy连接字符串 |
| slave_connection | |
| mysql_sql_mode |
(StrOpt)MYSQL会话使用的SQL模式,该设置覆写数据库服务器处的设置,使用 数据库服务器自带的SQL模式,这里置空不填任何值 |
| idle_timeout |
(IntOpt)重复空闲sql连接时的间隔 |
| min_pool_size |
(IntOpt)连接池的最小规模 |
| max_pool_size |
(IntOpt)连接池的最大规模 |
| max_retries |
(IntOpt)启动阶段最大数据库连接重试次数,-1代表无穷次重试 |
| retry_interval |
(IntOpt)重试启动sql连接时的间隔 |
| max_overflow |
(IntOpt)与sqlalchemy中的max_overflow相对应 |
| connection_debug |
(IntOpt)SQL调试信息的复杂程度,0是什么都不反馈,100是什么都提示 |
| connection_trace |
(BoolOpt)将python的栈踪迹(stack trace)添加到SQL中作为注释 |
| pool_timeout |
(IntOpt)与sqlalchemy中的pool_timeout相对应 |
| use_db_reconnect |
(BoolOpt)在连接丢失时启用实验性质的数据库重连 |
| db_retry_interval |
(IntOpt)数据库重连间隔(单位:秒) |
|
db_inc_retry_interval |
(BoolOpt)是否启用数据库重连增量间隔 |
| db_max_retry_interval |
(IntOpt)重连增量间隔的上限 |
| db_max_retries |
(IntOpt)最大数据库连接重试次数(-1为无穷次) |
|
[federation] |
|
|
assertion_prefix |
(StrOpt)从环境中筛选断言参数时使用的值 |
|
driver |
(StrOpt)keystone联盟后端驱动 |
|
[identity] |
|
|
default_domain_id |
(StrOpt)所有Identity API v2请求都使用的domain,专为支持v2用户保留,v3 API无法删除 |
|
domain_config_dir |
(StrOpt)下一个选项为True时,keystone用来定位domain-specific的身份配置文件 |
| domain_specific_drivers_enabled |
(BoolOpt)是否允许所有domain中的一部分拥有自己的identity驱动 |
| driver |
(StrOpt)keystone Identity后端驱动 |
| list_limit |
(IntOpt)keystone服务器返回的数据项容量 |
| max_password_length |
(IntOpt)用户密码长度上限 |
|
[kvs] |
|
|
backends |
(ListOpt)额外的dogpile.cache后端模块 |
|
config_prefix |
(StrOpt)为KVS域创建配置字典时的前缀,除非有另一个配置名称相同的dogpile.cache域,否则不推荐修改默认值 |
|
default_lock_timeout |
(IntOpt)分布式加锁的超时限制 |
|
enable_key_mangler |
(BoolOpt)推荐设置为真,同[cache]的use_key_mangler |
|
[memcache] |
|
|
max_compare_and_set_retry |
(IntOpt)使用令牌memcache后端的compare-and-set时进行尝试的次数 |
|
servers |
(ListOpt)"host:port"格式的memcache服务器 |
|
[oauth1] |
|
|
access_token_duration |
(IntOpt)OAuth访问令牌的有效期(单位:秒) |
|
driver |
(StrOpt)keystone credential后端驱动 |
|
request_token_duration |
(IntOpt)OAuth请求令牌的有效期(单位:秒) |
|
[os_inherit] |
|
| enabled |
(BoolOpt)从拥有的domain向项目继承角色指派可以有选择的开启 |
|
[revoke] |
|
|
caching |
(BoolOpt)是否开启缓存撤销事件,只有在全局缓存开启后才有效 |
|
driver |
(StrOpt)为持续的撤销事件实现的后端驱动 |
| expiration_buffer |
(IntOpt)在一个撤销事件从该后端删除前,该值(单位:秒)将被增加到token的失效期上 |
|
[stats] |
|
|
driver |
(StrOpt) Keystone stats后端驱动 |
|
[token] |
|
|
bind |
(ListOpt)需要与令牌绑定的外部认证机制,如kerberos, x.509等 |
|
cache_time |
(IntOpt)缓存令牌的时间(单位:秒) |
|
caching |
(BoolOpt)是否缓存令牌,只有在全局缓存启用后才有效 |
|
driver |
(StrOpt)令牌持久存储后端驱动 |
|
enforce_token_bind |
(StrOpt)令牌绑定信息提供给keystone的执行策略,可选值有disabled, permissive, strict, required或特别要求绑定的模式,如kerberos, x.509等 |
|
expiration |
(IntOpt)令牌有效期限(单位:秒) |
|
provider |
(StrOpt)控制着令牌的构造,验证,撤销等操作,包括pki, uuid等提供者 |
|
revocation_cache_time |
(IntOpt)缓存撤销列表的时间(单位:秒)和一旦撤销扩展被启用时的撤销事件。除非全局缓存启用否则本设置无效 |
| revoke_by_id |
(BoolOpt)通过令牌ID撤销令牌,设置为True时允许多种形式的枚举令牌。建议只在使用撤销扩展且后端驱动不是KVS时禁用该选项。 |
|
[trust] |
|
|
driver |
(StrOpt)信任后端驱动 |
|
enabled |
(BoolOpt)是否启用代理和身份扮演功能 |
|
[LDAP] |
|
|
alias_dereferencing = default |
(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf. |
|
allow_subtree_delete = False |
(BoolOpt) allow deleting subtrees. |
|
chase_referrals = None |
(BoolOpt) Override the system's default referral chasing behavior for queries. |
|
dumb_member = cn=dumb,dc=nonexistent |
(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled. |
|
group_additional_attribute_mapping = |
(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
|
group_allow_create = True |
(BoolOpt) Allow group creation in LDAP backend. |
|
group_allow_delete = True |
(BoolOpt) Allow group deletion in LDAP backend |
|
group_allow_update = True |
(BoolOpt) Allow group update in LDAP backend |
|
group_attribute_ignore = |
(ListOpt) List of attributes stripped off the group on update. |
|
group_desc_attribute = description |
(StrOpt) LDAP attribute mapped to group description |
|
group_filter = None |
(StrOpt) LDAP search filter for groups |
|
group_id_attribute = cn |
(StrOpt) LDAP attribute mapped to group id. |
|
group_member_attribute = member |
(StrOpt) LDAP attribute mapped to show group membership. |
|
group_name_attribute = ou |
(StrOpt) LDAP attribute mapped to group name. |
|
group_objectclass = groupOfNames |
(StrOpt) LDAP objectClass for groups. |
|
group_tree_dn = None |
(StrOpt) Search base for groups. |
|
page_size = 0 |
(IntOpt) Maximum results per page; a value of zero ("0") disables paging |
|
password = None |
(StrOpt) Password for the BindDN to query the LDAP server. |
|
query_scope = one |
(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). |
|
role_additional_attribute_mapping = |
(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute |
|
role_allow_create = True |
(BoolOpt) Allow role creation in LDAP backend. |
|
role_allow_delete = True |
(BoolOpt) Allow role deletion in LDAP backend. |
|
role_allow_update = True |
(BoolOpt) Allow role update in LDAP backend. |
|
role_attribute_ignore = |
(ListOpt) List of attributes stripped off the role on update. |
|
role_filter = None |
(StrOpt) LDAP search filter for roles. |
|
role_id_attribute = cn |
(StrOpt) LDAP attribute mapped to role id. |
|
role_member_attribute = roleOccupant |
(StrOpt) LDAP attribute mapped to role membership. |
|
role_name_attribute = ou |
(StrOpt) LDAP attribute mapped to role name. |
|
role_objectclass = organizationalRole |
(StrOpt) LDAP objectClass for roles. |
|
role_tree_dn = None |
(StrOpt) Search base for roles. |
|
suffix = cn=example,cn=com |
(StrOpt) LDAP server suffix |
|
tenant_additional_attribute_mapping = |
(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
|
tenant_allow_create = True |
(BoolOpt) Allow tenant creation in LDAP backend. |
|
tenant_allow_delete = True |
(BoolOpt) Allow tenant deletion in LDAP backend. |
|
tenant_allow_update = True |
(BoolOpt) Allow tenant update in LDAP backend. |
|
tenant_attribute_ignore = |
(ListOpt) List of attributes stripped off the project on update. |
|
tenant_desc_attribute = description |
(StrOpt) LDAP attribute mapped to project description. |
|
tenant_domain_id_attribute = businessCategory |
(StrOpt) LDAP attribute mapped to project domain_id. |
|
tenant_enabled_attribute = enabled |
(StrOpt) LDAP attribute mapped to project enabled |
|
tenant_enabled_emulation = False |
(BoolOpt) If True, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "tenant_enabled_emulation_dn" group. |
|
tenant_enabled_emulation_dn = None |
(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation. |
|
tenant_filter = None |
(StrOpt) LDAP search filter for projects. |
|
tenant_id_attribute = cn |
(StrOpt) LDAP attribute mapped to project id. |
|
tenant_member_attribute = member |
(StrOpt) LDAP attribute mapped to project membership for user. |
|
tenant_name_attribute = ou |
(StrOpt) LDAP attribute mapped to project name. |
|
tenant_objectclass = groupOfNames |
(StrOpt) LDAP objectClass for projects. |
|
tenant_tree_dn = None |
(StrOpt) Search base for projects |
|
tls_cacertdir = None |
(StrOpt) CA certificate directory path for communicating with LDAP servers. |
|
tls_cacertfile = None |
(StrOpt) CA certificate file path for communicating with LDAP servers. |
|
tls_req_cert = demand |
(StrOpt) valid options for tls_req_cert are demand, never, and allow. |
|
url = ldap://localhost |
(StrOpt) URL for connecting to the LDAP server |
|
use_dumb_member = False |
(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute. |
|
use_tls = False |
(BoolOpt) Enable TLS for communicating with LDAP servers. |
|
user = None |
(StrOpt) User BindDN to query the LDAP server. |
|
user_additional_attribute_mapping = |
(ListOpt) List of additional LDAP attributes used for mapping Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
|
user_allow_create = True |
(BoolOpt) Allow user creation in LDAP backend |
|
user_allow_delete = True |
(BoolOpt) Allow user deletion in LDAP backend |
|
user_allow_update = True |
(BoolOpt) Allow user updates in LDAP backend |
|
user_attribute_ignore = default_project_id, tenants |
(ListOpt) List of attributes stripped off the user on update |
|
user_default_project_id_attribute = None |
(StrOpt) LDAP attribute mapped to default_project_id for users. |
|
user_enabled_attribute = enabled |
(StrOpt) LDAP attribute mapped to user enabled flag |
|
user_enabled_default = True |
(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses nonboolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True"the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl". |
|
user_enabled_emulation = False |
(BoolOpt) If True, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" gro |
|
user_enabled_emulation_dn = None |
(StrOpt) DN of the group entry to hold enabled users when using enabled emulation. |
|
user_enabled_mask = 0 |
(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl". |
|
user_filter = None |
(StrOpt) LDAP search filter for users. |
|
user_id_attribute = cn |
(StrOpt) LDAP attribute mapped to user id. |
|
user_mail_attribute = email |
(StrOpt) LDAP attribute mapped to user email. |
|
user_name_attribute = sn |
(StrOpt) LDAP attribute mapped to user name. |
|
user_objectclass = inetOrgPerson |
(StrOpt) LDAP objectClass for users. |
|
user_pass_attribute = userPassword |
(StrOpt) LDAP attribute mapped to password. |
|
user_tree_dn = None |
(StrOpt) Search base for users. |