| field | value | date |
|---|---|---|
| author | Jose Castro Leon <jose.castro.leon@cern.ch> | 2012-10-29 15:07:58 +0100 |
| committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-11-13 10:37:17 -0600 |
| commit | 001f708e7d9ffc69c80f823e7ab5f79325cc8a40 | |
| tree | 9181d119b43770f27c8e7fff0293d18909a7f503 (/doc) | |
| parent | 8dcafd81dfa0ccd958b614c12eee091a325ec5c4 | |
Provide config file fields for enabling users in LDAP backend (bug1067516)
DocImpact
Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
Diffstat (limited to 'doc')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/source/configuration.rst | 89 |

1 file changed, 87 insertions, 2 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 8dc8b032..21b60b85 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -921,15 +921,26 @@ for openstack would look like this:: dn: ou=Roles,cn=openstack,cn=org objectClass: top objectClass: organizationalUnit - ou: users + ou: roles The corresponding entries in the Keystone configuration file are:: [ldap] url = ldap://localhost - suffix = dc=openstack,dc=org user = dc=Manager,dc=openstack,dc=org password = badpassword + suffix = dc=openstack,dc=org + use_dumb_member = False + allow_subtree_delete = False + + user_tree_dn = ou=Users,dc=openstack,dc=com + user_objectclass = inetOrgPerson + + tenant_tree_dn = ou=Groups,dc=openstack,dc=com + tenant_objectclass = groupOfNames + + role_tree_dn = ou=Roles,dc=example,dc=com + role_objectclass = organizationalRole The default object classes and attributes are intentionally simplistic. They reflect the common standard objects according to the LDAP RFCs. However, 
@@ -943,3 +954,77 @@ corresponding entries in the Keystone configuration file are:: [ldap] user_id_attribute = uidNumber user_name_attribute = cn + + +There is a set of allowed actions per object type that you can modify +depending on your specific deployment. For example, the users are managed by +another tool and you have only read access, in such case the configuration +is:: + + [ldap] + user_allow_create = False + user_allow_update = False + user_allow_delete = False + + tenant_allow_create = True + tenant_allow_update = True + tenant_allow_delete = True + + role_allow_create = True + role_allow_update = True + role_allow_delete = True + +There are some configuration options for filtering users, tenants and roles, +if the backend is providing too much output, in such case the configuration +will look like:: + + [ldap] + user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=com) + tenant_filter = + role_filter = + +In case that the directory server does not have an attribute enabled of type +boolean for the user, there is several configuration parameters that can be used +to extract the value from an integer attribute like in Active Directory:: + + [ldap] + user_enabled_attribute = userAccountControl + user_enabled_mask = 2 + user_enabled_default = 512 + +In this case the attribute is an integer and the enabled attribute is listed +in bit 1, so the if the mask configured *user_enabled_mask* is different from 0, +it gets the value from the field *user_enabled_attribute* and it makes an ADD +operation with the value indicated on *user_enabled_mask* and if the value matches +the mask then the account is disabled. + +It also saves the value without mask to the user identity in the attribute +*enabled_nomask*. This is needed in order to set it back in case that we need to +change it to enable/disable a user because it contains more information than the +status like password expiration. 
Last setting *user_enabled_mask* is needed in order +to create a default value on the integer attribute (512 = NORMAL ACCOUNT on AD) + +In case of Active Directory the classes and attributes could not match the +specified classes in the LDAP module so you can configure them like:: + + [ldap] + user_objectclass = person + user_id_attribute = cn + user_name_attribute = cn + user_mail_attribute = mail + user_enabled_attribute = userAccountControl + user_enabled_mask = 2 + user_enabled_default = 512 + user_attribute_ignore = tenant_id,tenants + tenant_objectclass = groupOfNames + tenant_id_attribute = cn + tenant_member_attribute = member + tenant_name_attribute = ou + tenant_desc_attribute = description + tenant_enabled_attribute = extensionName + tenant_attribute_ignore = + role_objectclass = organizationalRole + role_id_attribute = cn + role_name_attribute = ou + role_member_attribute = roleOccupant + role_attribute_ignore = |
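Review bot: In the first hunk (@@ -921), the added `user_tree_dn`, `tenant_tree_dn` and `role_tree_dn` values use bases (`dc=openstack,dc=com`, `dc=openstack,dc=com`, `dc=example,dc=com`) that match neither the `suffix = dc=openstack,dc=org` and bind `user` in the same block nor the `cn=openstack,cn=org` entries in the LDIF just above; anyone copying this example would point Keystone at subtrees that do not exist in the example directory. Suggest aligning all three with the suffix, e.g. `user_tree_dn = ou=Users,dc=openstack,dc=org`, `tenant_tree_dn = ou=Groups,dc=openstack,dc=org`, `role_tree_dn = ou=Roles,dc=openstack,dc=org`. The new `use_dumb_member` and `allow_subtree_delete` lines are also introduced with no sentence saying what they control; either add a short description for each or leave them out of the minimal example so the reader is not copying settings they cannot evaluate.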
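Review bot: In the second hunk (@@ -943), the paragraph explaining `user_enabled_mask` mis-describes the check and names the wrong option. "it makes an ADD operation with the value indicated on *user_enabled_mask*" should read as a bitwise AND: the integer read from `user_enabled_attribute` is ANDed with the mask, and the account is treated as disabled when the result is non-zero (with the example values, `userAccountControl & 2` set means disabled), so "the enabled attribute is listed in bit 1" is clearer as "the disabled flag is bit 1 (value 2)". The closing sentence "Last setting *user_enabled_mask* is needed in order to create a default value on the integer attribute (512 = NORMAL ACCOUNT on AD)" refers to `user_enabled_default`, which is the option carrying 512 in both config blocks; as written the text names `user_enabled_mask` twice. Minor wording: "there is several configuration parameters" should be "there are", and "so the if the mask" has a stray word.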