From e4ec12e8118b92cbad9e2f287f111b6be8bb2705 Mon Sep 17 00:00:00 2001 From: Brad Topol Date: Mon, 25 Mar 2013 15:23:15 -0500 Subject: Add TLS Support for LDAP Fixes Bug1040115 added several test cases, also provides a full ldap regression suite. Also added supplemental (simple) verification for CACERTFILE and CACERTDIR added a TLS disable option when ldaps URLs are used and did full regression tests using ldaps URLs and with TLS addresses ayoung's comments addresses dolphm's and Mouad's comments addresses gyee's doc request and bknudson's comments Change-Id: I639f2853df0ce5c10ae85b06214b26430d872aca --- doc/source/configuration.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'doc') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 377dfbe8..c390a7fb 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst 
@@ -1082,3 +1082,25 @@ specified classes in the LDAP module so you can configure them like:: role_name_attribute = ou role_member_attribute = roleOccupant role_attribute_ignore = + +If you are using a directory server to provide the Identity service, +it is strongly recommended that you utilize a secure connection from +Keystone to the directory server. In addition to supporting ldaps, Keystone +also provides Transport Layer Security (TLS) support. There are some +basic configuration options for enabling TLS, identifying a single +file or directory that contains certificates for all the Certificate +Authorities that the Keystone LDAP client will recognize, and declaring +what checks the client should perform on server certificates. This +functionality can easily be configured as follows:: + + [ldap] + use_tls = True + tls_cacertfile = /etc/keystone/ssl/certs/cacert.pem + tls_cacertdir = /etc/keystone/ssl/certs/ + tls_req_cert = demand + +A few points worth mentioning regarding the above options. If both +tls_cacertfile and tls_cacertdir are set then tls_cacertfile will be +used and tls_cacertdir is ignored. Furthermore, valid options for +tls_req_cert are demand, never, and allow. These correspond to the +standard options permitted by the TLS_REQCERT TLS option. \ No newline at end of file -- cgit
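Review bot: The example `[ldap]` block sets both `tls_cacertfile` and `tls_cacertdir`, but the paragraph right after it says that when both are set `tls_cacertdir` is ignored, so the sample shows a setting that has no effect; pick one of the two in the example (or comment the second out) so readers do not copy a config whose `tls_cacertdir` line silently does nothing. On `tls_req_cert`, the doc lists `demand`, `never` and `allow` as equivalent choices without saying what they do: only `demand` makes the client reject a server whose certificate is missing or fails validation, while `never` and `allow` continue with the session in those cases, so the text should recommend `demand` and state that the other two leave the server unauthenticated; it is also worth confirming whether `try` and `hard`, which OpenLDAP's `TLS_REQCERT` also accepts, are intentionally omitted, since the sentence says "valid options ... are demand, never, and allow". The commit message mentions that TLS is disabled when an `ldaps://` URL is used, but the added section does not say how `use_tls` interacts with an `ldaps://` value in `url`; one sentence on that would save a round of confusion. Minor: "A few points worth mentioning regarding the above options." is a sentence fragment (e.g. "A few points are worth mentioning ..."), and the file now ends without a trailing newline (`\ No newline at end of file`), which should be fixed before merge.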