Commit 47f667b6 authored by rodriguezgar

Update 06-osm-platform-configuration.md

parent 45990916
@@ -120,10 +120,10 @@ The Keystone component will configure itself at startup time using a few environ

- **`LDAP_AUTHENTICATION_DOMAIN_NAME`**: name of the domain which use LDAP authentication
- **`LDAP_URL`**: URL of the LDAP server
- **`LDAP_BIND_USER`** and `**LDAP_BIND_PASSWORD**`: This is the user/password to bind and search for users. If not specified, the user accessing Keystone needs to have anonymous query rights to the dn_tree specified in the next configuration option.
- **`LDAP_BIND_USER`** and **`LDAP_BIND_PASSWORD`**: This is the user/password to bind and search for users. If not specified, the user accessing Keystone needs to have anonymous query rights to the dn_tree specified in the next configuration option.
- **`LDAP_USER_TREE_DN`**: This specifies the root of the tree in the LDAP server in which Keystone will search for users.
- **`LDAP_USER_OBJECTCLASS`**: This specifies the LDAP object class that Keystone will filter on within user_tree_dn to find user objects. Any objects of other classes will be ignored.
- **`LDAP_USER_ID_ATTRIBUTE`**, `**LDAP_USER_NAME_ATTRIBUTE**` and `**LDAP_USER_PASS_ATTRIBUTE**`: This set of options define the mapping to LDAP attributes for the three key user attributes supported by Keystone. The LDAP attribute chosen for user_id must be something that is immutable for a user and no more than 64 characters in length. Notice that Distinguished Name (DN) may be longer than 64 characters and thus is not suitable. An uid, or mail may be appropriate.
- **`LDAP_USER_ID_ATTRIBUTE`**, **`LDAP_USER_NAME_ATTRIBUTE`** and **`LDAP_USER_PASS_ATTRIBUTE`**: This set of options define the mapping to LDAP attributes for the three key user attributes supported by Keystone. The LDAP attribute chosen for user_id must be something that is immutable for a user and no more than 64 characters in length. Notice that Distinguished Name (DN) may be longer than 64 characters and thus is not suitable. An uid, or mail may be appropriate.
- **`LDAP_USER_FILTER`**: This filter option allow additional filter (over and above user_objectclass) to be included into the search of user. One common use of this is to provide more efficient searching, where the recommended search for user objects is (&(objectCategory=person)(objectClass=user)). By specifying user_objectclass as user and user_filter as objectCategory=person in the Keystone configuration file, this can be achieved.
- **`LDAP_USER_ENABLED_ATTRIBUTE`**: In Keystone, a user entity can be either enabled or disabled. Setting the above option will give a mapping to an equivalent attribute in LDAP, allowing your LDAP management tools to disable a user.
- **`LDAP_USER_ENABLED_MASK`**: Some LDAP schemas, rather than having a dedicated attribute for user enablement, use a bit within a general control attribute (such as userAccountControl) to indicate this. Setting user_enabled_mask will cause Keystone to look at only the status of this bit in the attribute specified by user_enabled_attribute, with the bit set indicating the user is enabled.
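Review bot: the two changed lines fix the markup correctly (backticks wrapped around `**...**` rendered the asterisks literally; bold wrapped around backticks matches the other bullets), but while this hunk is open the unchanged context in it still carries the grammar slips in the `LDAP_AUTHENTICATION_DOMAIN_NAME` bullet ("name of the domain which use LDAP authentication" should read "which uses") and the `LDAP_USER_FILTER` bullet ("This filter option allow additional filter" should read "allows an additional filter"), which could be folded into the same commit. Since the hunk also touches the `LDAP_BIND_USER`/`LDAP_BIND_PASSWORD` bullet, it is worth adding one sentence there: these are read at startup from environment variables (as the hunk header says), so the bind account should be a dedicated read-only service account limited to the `LDAP_USER_TREE_DN` subtree, and the password should be injected as a secret rather than stored in configuration under version control; the fallback described ("anonymous query rights to the dn_tree") likewise deserves a note that it requires the directory to expose user entries to unauthenticated binds, which is the weaker of the two options.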