-
Notifications
You must be signed in to change notification settings - Fork 1
/
keystone.smartcity.conf
80 lines (65 loc) · 3.15 KB
/
keystone.smartcity.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
### LDAP configuration for Keystone, based on https://docs.openstack.org/keystone/stein/admin/configuration.html#integrate-identity-with-ldap
###
### For a LDAP integration, create `smartcity` service and then
### put this file in /etc/keystone/domains/keystone.smartcity.conf
###
### In order of ajust `user`, `suffix`, `user_tree_dn`, `user_objectclass`, `group_tree_dn`, `group_object_class`
### and rest of user and groups attributes you should discover your ldap using a command like:
### ldapsearch -x -H ldap://<ldap_host> -w <ldap_admin_password> -D "cn=admin,dc=openstack,dc=org" -b "dc=openstack,dc=org"
###
[identity]
driver = ldap
[ldap]
url = ldap://<YOUR_LDAP_IP>
# To enable ldaps use:
# url = ldaps://<YOUR_LDAP_IP>:636
### Enable this to enable secure LDAP connection:
# use_tls = False # LDAPS uses SSL/TLS implicitly on port 636
### CA_FILE is the absolute path to the certificate authorities file that should be used to encrypt LDAP traffic.
# tls_cacertfile = ``CA_FILE``
### CERT_BEHAVIOR specifies what client certificate checks to perform on an incoming TLS session from the LDAP server (demand, allow, or never).
### demand - The LDAP server always receives certificate requests. The session terminates if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
### allow - The LDAP server always receives certificate requests. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
### never - A certificate will never be requested.
# tls_req_cert = ``CERT_BEHAVIOR``
### dc=openstack,dc=org could be replaced to proper chain
user = cn=admin,dc=openstack,dc=org
password = <PWD>
suffix = DC=openstack,DC=org
user_tree_dn = ou=users,dc=openstack,dc=org
#user_objectclass = inetOrgPerson
user_objectclass = shadowAccount
group_tree_dn = ou=groups,dc=openstack,dc=org
group_objectclass = groupofnames
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_additional_attribute_mapping =
user_id_attribute = uid
user_name_attribute = cn
user_mail_attribute = mail
### Use query_scope to control the scope level of data presented (search only the first level or search an entire sub-tree) through LDAP.
query_scope = sub
### Use page_size to control the maximum results per page. A value of zero disables paging.
# page_size = 0
# alias_dereferencing = default
### Use alias_dereferencing to control the LDAP dereferencing option for queries.
# chase_referrals =
### Uncomment thie following sentence to enable LDAP driver debug
# debug_level = 4095
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = true
auth_pool_size = 100
auth_pool_connection_lifetime = 60