keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

ldap.py
Go to the documentation of this file.
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 from oslo_config import cfg
14 
15 from keystone.conf import utils
16 
17 
18 url = cfg.StrOpt(
19  'url',
20  default='ldap://localhost',
21  help=utils.fmt("""
22 URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
23 as a comma separated string. The first URL to successfully bind is used for the
24 connection.
25 """))
26 
27 user = cfg.StrOpt(
28  'user',
29  help=utils.fmt("""
30 The user name of the administrator bind DN to use when querying the LDAP
31 server, if your LDAP server requires it.
32 """))
33 
34 password = cfg.StrOpt(
35  'password',
36  secret=True,
37  help=utils.fmt("""
38 The password of the administrator bind DN to use when querying the LDAP server,
39 if your LDAP server requires it.
40 """))
41 
42 suffix = cfg.StrOpt(
43  'suffix',
44  default='cn=example,cn=com',
45  help=utils.fmt("""
46 The default LDAP server suffix to use, if a DN is not defined via either
47 `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
48 """))
49 
50 query_scope = cfg.StrOpt(
51  'query_scope',
52  default='one',
53  choices=['one', 'sub'],
54  help=utils.fmt("""
55 The search scope which defines how deep to search within the search base. A
56 value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of
57 objects immediately below to the base object, but does not include the base
58 object itself. A value of `sub` (representing `subtree` or `wholeSubtree`)
59 indicates a search of both the base object itself and the entire subtree below
60 it.
61 """))
62 
63 page_size = cfg.IntOpt(
64  'page_size',
65  default=0,
66  min=0,
67  help=utils.fmt("""
68 Defines the maximum number of results per page that keystone should request
69 from the LDAP server when listing objects. A value of zero (`0`) disables
70 paging.
71 """))
72 
73 alias_dereferencing = cfg.StrOpt(
74  'alias_dereferencing',
75  default='default',
76  choices=['never', 'searching', 'always', 'finding', 'default'],
77  help=utils.fmt("""
78 The LDAP dereferencing option to use for queries involving aliases. A value of
79 `default` falls back to using default dereferencing behavior configured by your
80 `ldap.conf`. A value of `never` prevents aliases from being dereferenced at
81 all. A value of `searching` dereferences aliases only after name resolution. A
82 value of `finding` dereferences aliases only during name resolution. A value of
83 `always` dereferences aliases in all cases.
84 """))
85 
86 debug_level = cfg.IntOpt(
87  'debug_level',
88  min=-1,
89  help=utils.fmt("""
90 Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
91 is not enabled. This value is a bitmask, consult your LDAP documentation for
92 possible values.
93 """))
94 
95 chase_referrals = cfg.BoolOpt(
96  'chase_referrals',
97  help=utils.fmt("""
98 Sets keystone's referral chasing behavior across directory partitions. If left
99 unset, the system's default behavior will be used.
100 """))
101 
102 user_tree_dn = cfg.StrOpt(
103  'user_tree_dn',
104  help=utils.fmt("""
105 The search base to use for users. Defaults to `ou=Users` with the `[ldap]
106 suffix` appended to it.
107 """))
108 
109 user_filter = cfg.StrOpt(
110  'user_filter',
111  help=utils.fmt("""
112 The LDAP search filter to use for users.
113 """))
114 
115 user_objectclass = cfg.StrOpt(
116  'user_objectclass',
117  default='inetOrgPerson',
118  help=utils.fmt("""
119 The LDAP object class to use for users.
120 """))
121 
122 user_id_attribute = cfg.StrOpt(
123  'user_id_attribute',
124  default='cn',
125  help=utils.fmt("""
126 The LDAP attribute mapped to user IDs in keystone. This must NOT be a
127 multivalued attribute. User IDs are expected to be globally unique across
128 keystone domains and URL-safe.
129 """))
130 
131 user_name_attribute = cfg.StrOpt(
132  'user_name_attribute',
133  default='sn',
134  help=utils.fmt("""
135 The LDAP attribute mapped to user names in keystone. User names are expected to
136 be unique only within a keystone domain and are not expected to be URL-safe.
137 """))
138 
139 user_description_attribute = cfg.StrOpt(
140  'user_description_attribute',
141  default='description',
142  help=utils.fmt("""
143 The LDAP attribute mapped to user descriptions in keystone.
144 """))
145 
146 user_mail_attribute = cfg.StrOpt(
147  'user_mail_attribute',
148  default='mail',
149  help=utils.fmt("""
150 The LDAP attribute mapped to user emails in keystone.
151 """))
152 
153 user_pass_attribute = cfg.StrOpt(
154  'user_pass_attribute',
155  default='userPassword',
156  help=utils.fmt("""
157 The LDAP attribute mapped to user passwords in keystone.
158 """))
159 
160 user_enabled_attribute = cfg.StrOpt(
161  'user_enabled_attribute',
162  default='enabled',
163  help=utils.fmt("""
164 The LDAP attribute mapped to the user enabled attribute in keystone. If setting
165 this option to `userAccountControl`, then you may be interested in setting
166 `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
167 """))
168 
169 user_enabled_invert = cfg.BoolOpt(
170  'user_enabled_invert',
171  default=False,
172  help=utils.fmt("""
173 Logically negate the boolean value of the enabled attribute obtained from the
174 LDAP server. Some LDAP servers use a boolean lock attribute where "true" means
175 an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow
176 these lock attributes to be used. This option will have no effect if either the
177 `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in
178 use.
179 """))
180 
181 user_enabled_mask = cfg.IntOpt(
182  'user_enabled_mask',
183  default=0,
184  min=0,
185  help=utils.fmt("""
186 Bitmask integer to select which bit indicates the enabled value if the LDAP
187 server represents "enabled" as a bit on an integer rather than as a discrete
188 boolean. A value of `0` indicates that the mask is not used. If this is not set
189 to `0` the typical value is `2`. This is typically used when `[ldap]
190 user_enabled_attribute = userAccountControl`. Setting this option causes
191 keystone to ignore the value of `[ldap] user_enabled_invert`.
192 """))
193 
194 user_enabled_default = cfg.StrOpt(
195  'user_enabled_default',
196  default='True',
197  help=utils.fmt("""
198 The default value to enable users. This should match an appropriate integer
199 value if the LDAP server uses non-boolean (bitmask) values to indicate if a
200 user is enabled or disabled. If this is not set to `True`, then the typical
201 value is `512`. This is typically used when `[ldap] user_enabled_attribute =
202 userAccountControl`.
203 """))
204 
205 user_attribute_ignore = cfg.ListOpt(
206  'user_attribute_ignore',
207  default=['default_project_id'],
208  help=utils.fmt("""
209 List of user attributes to ignore on create and update, or whether a specific
210 user attribute should be filtered for list or show user.
211 """))
212 
213 user_default_project_id_attribute = cfg.StrOpt(
214  'user_default_project_id_attribute',
215  help=utils.fmt("""
216 The LDAP attribute mapped to a user's default_project_id in keystone. This is
217 most commonly used when keystone has write access to LDAP.
218 """))
219 
220 user_enabled_emulation = cfg.BoolOpt(
221  'user_enabled_emulation',
222  default=False,
223  help=utils.fmt("""
224 If enabled, keystone uses an alternative method to determine if a user is
225 enabled or not by checking if they are a member of the group defined by the
226 `[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone
227 to ignore the value of `[ldap] user_enabled_invert`.
228 """))
229 
230 user_enabled_emulation_dn = cfg.StrOpt(
231  'user_enabled_emulation_dn',
232  help=utils.fmt("""
233 DN of the group entry to hold enabled users when using enabled emulation.
234 Setting this option has no effect unless `[ldap] user_enabled_emulation` is
235 also enabled.
236 """))
237 
238 user_enabled_emulation_use_group_config = cfg.BoolOpt(
239  'user_enabled_emulation_use_group_config',
240  default=False,
241  help=utils.fmt("""
242 Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings
243 to determine membership in the emulated enabled group. Enabling this option has
244 no effect unless `[ldap] user_enabled_emulation` is also enabled.
245 """))
246 
247 user_additional_attribute_mapping = cfg.ListOpt(
248  'user_additional_attribute_mapping',
249  default=[],
250  help=utils.fmt("""
251 A list of LDAP attribute to keystone user attribute pairs used for mapping
252 additional attributes to users in keystone. The expected format is
253 `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP
254 object and `user_attr` is the attribute which should appear in the identity
255 API.
256 """))
257 
258 group_tree_dn = cfg.StrOpt(
259  'group_tree_dn',
260  help=utils.fmt("""
261 The search base to use for groups. Defaults to `ou=UserGroups` with the `[ldap]
262 suffix` appended to it.
263 """))
264 
265 group_filter = cfg.StrOpt(
266  'group_filter',
267  help=utils.fmt("""
268 The LDAP search filter to use for groups.
269 """))
270 
271 group_objectclass = cfg.StrOpt(
272  'group_objectclass',
273  default='groupOfNames',
274  help=utils.fmt("""
275 The LDAP object class to use for groups. If setting this option to
276 `posixGroup`, you may also be interested in enabling the `[ldap]
277 group_members_are_ids` option.
278 """))
279 
280 group_id_attribute = cfg.StrOpt(
281  'group_id_attribute',
282  default='cn',
283  help=utils.fmt("""
284 The LDAP attribute mapped to group IDs in keystone. This must NOT be a
285 multivalued attribute. Group IDs are expected to be globally unique across
286 keystone domains and URL-safe.
287 """))
288 
289 group_name_attribute = cfg.StrOpt(
290  'group_name_attribute',
291  default='ou',
292  help=utils.fmt("""
293 The LDAP attribute mapped to group names in keystone. Group names are expected
294 to be unique only within a keystone domain and are not expected to be URL-safe.
295 """))
296 
297 group_member_attribute = cfg.StrOpt(
298  'group_member_attribute',
299  default='member',
300  help=utils.fmt("""
301 The LDAP attribute used to indicate that a user is a member of the group.
302 """))
303 
304 group_members_are_ids = cfg.BoolOpt(
305  'group_members_are_ids',
306  default=False,
307  help=utils.fmt("""
308 Enable this option if the members of the group object class are keystone user
309 IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group
310 object class in Open Directory.
311 """))
312 
313 group_desc_attribute = cfg.StrOpt(
314  'group_desc_attribute',
315  default='description',
316  help=utils.fmt("""
317 The LDAP attribute mapped to group descriptions in keystone.
318 """))
319 
320 group_attribute_ignore = cfg.ListOpt(
321  'group_attribute_ignore',
322  default=[],
323  help=utils.fmt("""
324 List of group attributes to ignore on create and update. or whether a specific
325 group attribute should be filtered for list or show group.
326 """))
327 
328 group_additional_attribute_mapping = cfg.ListOpt(
329  'group_additional_attribute_mapping',
330  default=[],
331  help=utils.fmt("""
332 A list of LDAP attribute to keystone group attribute pairs used for mapping
333 additional attributes to groups in keystone. The expected format is
334 `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP
335 object and `group_attr` is the attribute which should appear in the identity
336 API.
337 """))
338 
339 group_ad_nesting = cfg.BoolOpt(
340  'group_ad_nesting',
341  default=False,
342  help=utils.fmt("""
343 If enabled, group queries will use Active Directory specific filters for
344 nested groups.
345 """))
346 
347 tls_cacertfile = cfg.StrOpt(
348  'tls_cacertfile',
349  help=utils.fmt("""
350 An absolute path to a CA certificate file to use when communicating with LDAP
351 servers. This option will take precedence over `[ldap] tls_cacertdir`, so there
352 is no reason to set both.
353 """))
354 
355 tls_cacertdir = cfg.StrOpt(
356  'tls_cacertdir',
357  help=utils.fmt("""
358 An absolute path to a CA certificate directory to use when communicating with
359 LDAP servers. There is no reason to set this option if you've also set `[ldap]
360 tls_cacertfile`.
361 """))
362 
363 use_tls = cfg.BoolOpt(
364  'use_tls',
365  default=False,
366  help=utils.fmt("""
367 Enable TLS when communicating with LDAP servers. You should also set the
368 `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
369 option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
370 of TLS.
371 """))
372 
373 tls_req_cert = cfg.StrOpt(
374  'tls_req_cert',
375  default='demand',
376  choices=['demand', 'never', 'allow'],
377  help=utils.fmt("""
378 Specifies which checks to perform against client certificates on incoming TLS
379 sessions. If set to `demand`, then a certificate will always be requested and
380 required from the LDAP server. If set to `allow`, then a certificate will
381 always be requested but not required from the LDAP server. If set to `never`,
382 then a certificate will never be requested.
383 """))
384 
385 connection_timeout = cfg.IntOpt(
386  'connection_timeout',
387  default=-1,
388  min=-1,
389  help=utils.fmt("""
390 The connection timeout to use with the LDAP server. A value of `-1` means that
391 connections will never timeout.
392 """))
393 
394 use_pool = cfg.BoolOpt(
395  'use_pool',
396  default=True,
397  help=utils.fmt("""
398 Enable LDAP connection pooling for queries to the LDAP server. There is
399 typically no reason to disable this.
400 """))
401 
402 pool_size = cfg.IntOpt(
403  'pool_size',
404  default=10,
405  min=1,
406  help=utils.fmt("""
407 The size of the LDAP connection pool. This option has no effect unless `[ldap]
408 use_pool` is also enabled.
409 """))
410 
411 pool_retry_max = cfg.IntOpt(
412  'pool_retry_max',
413  default=3,
414  min=0,
415  help=utils.fmt("""
416 The maximum number of times to attempt reconnecting to the LDAP server before
417 aborting. A value of zero prevents retries. This option has no effect unless
418 `[ldap] use_pool` is also enabled.
419 """))
420 
421 pool_retry_delay = cfg.FloatOpt(
422  'pool_retry_delay',
423  default=0.1,
424  help=utils.fmt("""
425 The number of seconds to wait before attempting to reconnect to the LDAP
426 server. This option has no effect unless `[ldap] use_pool` is also enabled.
427 """))
428 
429 pool_connection_timeout = cfg.IntOpt(
430  'pool_connection_timeout',
431  default=-1,
432  min=-1,
433  help=utils.fmt("""
434 The connection timeout to use when pooling LDAP connections. A value of `-1`
435 means that connections will never timeout. This option has no effect unless
436 `[ldap] use_pool` is also enabled.
437 """))
438 
439 pool_connection_lifetime = cfg.IntOpt(
440  'pool_connection_lifetime',
441  default=600,
442  min=1,
443  help=utils.fmt("""
444 The maximum connection lifetime to the LDAP server in seconds. When this
445 lifetime is exceeded, the connection will be unbound and removed from the
446 connection pool. This option has no effect unless `[ldap] use_pool` is also
447 enabled.
448 """))
449 
450 use_auth_pool = cfg.BoolOpt(
451  'use_auth_pool',
452  default=True,
453  help=utils.fmt("""
454 Enable LDAP connection pooling for end user authentication. There is typically
455 no reason to disable this.
456 """))
457 
458 auth_pool_size = cfg.IntOpt(
459  'auth_pool_size',
460  default=100,
461  min=1,
462  help=utils.fmt("""
463 The size of the connection pool to use for end user authentication. This option
464 has no effect unless `[ldap] use_auth_pool` is also enabled.
465 """))
466 
467 auth_pool_connection_lifetime = cfg.IntOpt(
468  'auth_pool_connection_lifetime',
469  default=60,
470  min=1,
471  help=utils.fmt("""
472 The maximum end user authentication connection lifetime to the LDAP server in
473 seconds. When this lifetime is exceeded, the connection will be unbound and
474 removed from the connection pool. This option has no effect unless `[ldap]
475 use_auth_pool` is also enabled.
476 """))
477 
478 
479 GROUP_NAME = __name__.split('.')[-1]
480 ALL_OPTS = [
481  url,
482  user,
483  password,
484  suffix,
485  query_scope,
486  page_size,
487  alias_dereferencing,
488  debug_level,
489  chase_referrals,
490  user_tree_dn,
491  user_filter,
492  user_objectclass,
493  user_id_attribute,
494  user_name_attribute,
495  user_description_attribute,
496  user_mail_attribute,
497  user_pass_attribute,
498  user_enabled_attribute,
499  user_enabled_invert,
500  user_enabled_mask,
501  user_enabled_default,
502  user_attribute_ignore,
503  user_default_project_id_attribute,
504  user_enabled_emulation,
505  user_enabled_emulation_dn,
506  user_enabled_emulation_use_group_config,
507  user_additional_attribute_mapping,
508  group_tree_dn,
509  group_filter,
510  group_objectclass,
511  group_id_attribute,
512  group_name_attribute,
513  group_member_attribute,
514  group_members_are_ids,
515  group_desc_attribute,
516  group_attribute_ignore,
517  group_additional_attribute_mapping,
518  group_ad_nesting,
519  tls_cacertfile,
520  tls_cacertdir,
521  use_tls,
522  tls_req_cert,
523  connection_timeout,
524  use_pool,
525  pool_size,
526  pool_retry_max,
527  pool_retry_delay,
528  pool_connection_timeout,
529  pool_connection_lifetime,
530  use_auth_pool,
531  auth_pool_size,
532  auth_pool_connection_lifetime,
533 ]
534 
535 
536 def register_opts(conf):
537  conf.register_opts(ALL_OPTS, group=GROUP_NAME)
538 
539 
540 def list_opts():
541  return {GROUP_NAME: ALL_OPTS}
keystone.conf.ldap.register_opts
def register_opts(conf)
Definition: ldap.py:536
keystone.conf.ldap.list_opts
def list_opts()
Definition: ldap.py:540
keystone.conf
Definition: __init__.py:1