X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=installers%2Fcharm%2Fkeystone%2Fconfig.yaml;h=06ea060387cc5c63ebdea01e4cf012fceddcf064;hb=0be373d598b83194af8ad053975c0c096053d3c4;hp=c99d8783bd0d9f4c308685a0cade036ec1e05b7d;hpb=009a5d691dba1ec6aa8567bc27eb4d468e5e0db4;p=osm%2Fdevops.git diff --git a/installers/charm/keystone/config.yaml b/installers/charm/keystone/config.yaml index c99d8783..06ea0603 100644 --- a/installers/charm/keystone/config.yaml +++ b/installers/charm/keystone/config.yaml @@ -52,10 +52,6 @@ options: type: string description: Ingress URL default: "" - ldap_enabled: - type: boolean - description: Boolean to enable/disable LDAP authentication - default: false region_id: type: string description: Region ID to be created when starting the service @@ -97,21 +93,160 @@ options: description: | Project domain name (Hardcoded in the container start.sh script) default: default - - # ENV LDAP_AUTHENTICATION_DOMAIN_NAME no default - # ENV LDAP_URL ldap://localhost - # ENV LDAP_BIND_USER no defauslt - # ENV LDAP_BIND_PASSWORD no default - # ENV LDAP_USER_TREE_DN no default - # ENV LDAP_USER_OBJECTCLASS inetOrgPerson - # ENV LDAP_USER_ID_ATTRIBUTE cn - # ENV LDAP_USER_NAME_ATTRIBUTE sn - # ENV LDAP_USER_PASS_ATTRIBUTE userPassword - # ENV LDAP_USER_FILTER no default - # ENV LDAP_USER_ENABLED_ATTRIBUTE enabled - # ENV LDAP_USER_ENABLED_MASK 0 - # ENV LDAP_USER_ENABLED_DEFAULT true - # ENV LDAP_USER_ENABLED_INVERT false - # ENV LDAP_USE_STARTTLS false - # ENV LDAP_TLS_CACERT_BASE64 no default - # ENV LDAP_TLS_REQ_CERT demand + token_expiration: + type: int + description: Token keys expiration in seconds + default: 172800 + ldap_enabled: + type: boolean + description: Boolean to enable/disable LDAP authentication + default: false + ldap_authentication_domain_name: + type: string + description: Name of the domain which use LDAP authentication + default: "" + ldap_url: + type: string + description: URL of the LDAP server + default: "ldap://localhost" + ldap_bind_user: + type: string + description: User to bind and search for users + default: "" + ldap_bind_password: + type: string + description: Password to bind and search for users + default: "" + ldap_chase_referrals: + type: string + description: | + Sets keystone’s referral chasing behavior across directory partitions. + If left unset, the system’s default behavior will be used. + default: "" + ldap_page_size: + type: int + description: | + Defines the maximum number of results per page that keystone should + request from the LDAP server when listing objects. A value of zero (0) + disables paging. + default: 0 + ldap_user_tree_dn: + type: string + description: | + Root of the tree in LDAP server in which Keystone will search for users + default: "" + ldap_user_objectclass: + type: string + description: | + LDAP object class that Keystone will filter on within user_tree_dn to + find user objects. Any objects of other classes will be ignored. + default: inetOrgPerson + ldap_user_id_attribute: + type: string + description: | + This set of options define the mapping to LDAP attributes for the three + key user attributes supported by Keystone. The LDAP attribute chosen for + user_id must be something that is immutable for a user and no more than + 64 characters in length. Notice that Distinguished Name (DN) may be + longer than 64 characters and thus is not suitable. An uid, or mail may + be appropriate. + default: cn + ldap_user_name_attribute: + type: string + description: | + This set of options define the mapping to LDAP attributes for the three + key user attributes supported by Keystone. The LDAP attribute chosen for + user_id must be something that is immutable for a user and no more than + 64 characters in length. Notice that Distinguished Name (DN) may be + longer than 64 characters and thus is not suitable. An uid, or mail may + be appropriate. + default: sn + ldap_user_pass_attribute: + type: string + description: | + This set of options define the mapping to LDAP attributes for the three + key user attributes supported by Keystone. The LDAP attribute chosen for + user_id must be something that is immutable for a user and no more than + 64 characters in length. Notice that Distinguished Name (DN) may be + longer than 64 characters and thus is not suitable. An uid, or mail may + be appropriate. + default: userPassword + ldap_user_filter: + type: string + description: | + This filter option allow additional filter (over and above + user_objectclass) to be included into the search of user. One common use + of this is to provide more efficient searching, where the recommended + search for user objects is (&(objectCategory=person)(objectClass=user)). + By specifying user_objectclass as user and user_filter as + objectCategory=person in the Keystone configuration file, this can be + achieved. + default: "" + ldap_user_enabled_attribute: + type: string + description: | + In Keystone, a user entity can be either enabled or disabled. Setting + the above option will give a mapping to an equivalent attribute in LDAP, + allowing your LDAP management tools to disable a user. + default: enabled + ldap_user_enabled_mask: + type: int + description: | + Some LDAP schemas, rather than having a dedicated attribute for user + enablement, use a bit within a general control attribute (such as + userAccountControl) to indicate this. Setting user_enabled_mask will + cause Keystone to look at only the status of this bit in the attribute + specified by user_enabled_attribute, with the bit set indicating the + user is enabled. + default: 0 + ldap_user_enabled_default: + type: boolean + description: | + Most LDAP servers use a boolean or bit in a control field to indicate + enablement. However, some schemas might use an integer value in an + attribute. In this situation, set user_enabled_default to the integer + value that represents a user being enabled. + default: true + ldap_user_enabled_invert: + type: boolean + description: | + Some LDAP schemas have an “account locked” attribute, which is the + equivalent to account being “disabled.” In order to map this to the + Keystone enabled attribute, you can utilize the user_enabled_invert + setting in conjunction with user_enabled_attribute to map the lock + status to disabled in Keystone. + default: false + ldap_group_objectclass: + type: string + description: The LDAP object class to use for groups. + default: groupOfNames + ldap_group_tree_dn: + type: string + description: The search base to use for groups. + default: "" + ldap_use_starttls: + type: boolean + description: | + Enable Transport Layer Security (TLS) for providing a secure connection + from Keystone to LDAP (StartTLS, not LDAPS). + default: false + ldap_tls_cacert_base64: + type: string + description: | + CA certificate in Base64 format (if you have the PEM file, text inside + "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags). + default: "" + ldap_tls_req_cert: + type: string + description: | + Defines how the certificates are checked for validity in the client + (i.e., Keystone end) of the secure connection (this doesn’t affect what + level of checking the server is doing on the certificates it receives + from Keystone). Possible values are "demand", "never", and "allow". The + default of demand means the client always checks the certificate and + will drop the connection if it is not provided or invalid. never is the + opposite—it never checks it, nor requires it to be provided. allow means + that if it is not provided then the connection is allowed to continue, + but if it is provided it will be checked—and if invalid, the connection + will be dropped. + default: demand