"Fossies" - the Fresh Open Source Software Archive

Member "keystone-18.0.0/keystone/conf/ldap.py" (14 Oct 2020, 16831 Bytes) of package /linux/misc/openstack/keystone-18.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "ldap.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 17.0.0_vs_18.0.0.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_config import cfg
   14 
   15 from keystone.conf import utils
   16 
   17 
   18 url = cfg.StrOpt(
   19     'url',
   20     default='ldap://localhost',
   21     help=utils.fmt("""
   22 URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
   23 as a comma separated string. The first URL to successfully bind is used for the
   24 connection.
   25 """))
   26 
   27 user = cfg.StrOpt(
   28     'user',
   29     help=utils.fmt("""
   30 The user name of the administrator bind DN to use when querying the LDAP
   31 server, if your LDAP server requires it.
   32 """))
   33 
   34 password = cfg.StrOpt(
   35     'password',
   36     secret=True,
   37     help=utils.fmt("""
   38 The password of the administrator bind DN to use when querying the LDAP server,
   39 if your LDAP server requires it.
   40 """))
   41 
   42 suffix = cfg.StrOpt(
   43     'suffix',
   44     default='cn=example,cn=com',
   45     help=utils.fmt("""
   46 The default LDAP server suffix to use, if a DN is not defined via either
   47 `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
   48 """))
   49 
   50 query_scope = cfg.StrOpt(
   51     'query_scope',
   52     default='one',
   53     choices=['one', 'sub'],
   54     help=utils.fmt("""
   55 The search scope which defines how deep to search within the search base. A
   56 value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of
   57 objects immediately below to the base object, but does not include the base
   58 object itself. A value of `sub` (representing `subtree` or `wholeSubtree`)
   59 indicates a search of both the base object itself and the entire subtree below
   60 it.
   61 """))
   62 
   63 page_size = cfg.IntOpt(
   64     'page_size',
   65     default=0,
   66     min=0,
   67     help=utils.fmt("""
   68 Defines the maximum number of results per page that keystone should request
   69 from the LDAP server when listing objects. A value of zero (`0`) disables
   70 paging.
   71 """))
   72 
   73 alias_dereferencing = cfg.StrOpt(
   74     'alias_dereferencing',
   75     default='default',
   76     choices=['never', 'searching', 'always', 'finding', 'default'],
   77     help=utils.fmt("""
   78 The LDAP dereferencing option to use for queries involving aliases. A value of
   79 `default` falls back to using default dereferencing behavior configured by your
   80 `ldap.conf`. A value of `never` prevents aliases from being dereferenced at
   81 all. A value of `searching` dereferences aliases only after name resolution. A
   82 value of `finding` dereferences aliases only during name resolution. A value of
   83 `always` dereferences aliases in all cases.
   84 """))
   85 
   86 debug_level = cfg.IntOpt(
   87     'debug_level',
   88     min=-1,
   89     help=utils.fmt("""
   90 Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
   91 is not enabled. This value is a bitmask, consult your LDAP documentation for
   92 possible values.
   93 """))
   94 
   95 chase_referrals = cfg.BoolOpt(
   96     'chase_referrals',
   97     help=utils.fmt("""
   98 Sets keystone's referral chasing behavior across directory partitions. If left
   99 unset, the system's default behavior will be used.
  100 """))
  101 
  102 user_tree_dn = cfg.StrOpt(
  103     'user_tree_dn',
  104     help=utils.fmt("""
  105 The search base to use for users. Defaults to `ou=Users` with the `[ldap]
  106 suffix` appended to it.
  107 """))
  108 
  109 user_filter = cfg.StrOpt(
  110     'user_filter',
  111     help=utils.fmt("""
  112 The LDAP search filter to use for users.
  113 """))
  114 
  115 user_objectclass = cfg.StrOpt(
  116     'user_objectclass',
  117     default='inetOrgPerson',
  118     help=utils.fmt("""
  119 The LDAP object class to use for users.
  120 """))
  121 
  122 user_id_attribute = cfg.StrOpt(
  123     'user_id_attribute',
  124     default='cn',
  125     help=utils.fmt("""
  126 The LDAP attribute mapped to user IDs in keystone. This must NOT be a
  127 multivalued attribute. User IDs are expected to be globally unique across
  128 keystone domains and URL-safe.
  129 """))
  130 
  131 user_name_attribute = cfg.StrOpt(
  132     'user_name_attribute',
  133     default='sn',
  134     help=utils.fmt("""
  135 The LDAP attribute mapped to user names in keystone. User names are expected to
  136 be unique only within a keystone domain and are not expected to be URL-safe.
  137 """))
  138 
  139 user_description_attribute = cfg.StrOpt(
  140     'user_description_attribute',
  141     default='description',
  142     help=utils.fmt("""
  143 The LDAP attribute mapped to user descriptions in keystone.
  144 """))
  145 
  146 user_mail_attribute = cfg.StrOpt(
  147     'user_mail_attribute',
  148     default='mail',
  149     help=utils.fmt("""
  150 The LDAP attribute mapped to user emails in keystone.
  151 """))
  152 
  153 user_pass_attribute = cfg.StrOpt(
  154     'user_pass_attribute',
  155     default='userPassword',
  156     help=utils.fmt("""
  157 The LDAP attribute mapped to user passwords in keystone.
  158 """))
  159 
  160 user_enabled_attribute = cfg.StrOpt(
  161     'user_enabled_attribute',
  162     default='enabled',
  163     help=utils.fmt("""
  164 The LDAP attribute mapped to the user enabled attribute in keystone. If setting
  165 this option to `userAccountControl`, then you may be interested in setting
  166 `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
  167 """))
  168 
  169 user_enabled_invert = cfg.BoolOpt(
  170     'user_enabled_invert',
  171     default=False,
  172     help=utils.fmt("""
  173 Logically negate the boolean value of the enabled attribute obtained from the
  174 LDAP server. Some LDAP servers use a boolean lock attribute where "true" means
  175 an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow
  176 these lock attributes to be used. This option will have no effect if either the
  177 `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in
  178 use.
  179 """))
  180 
  181 user_enabled_mask = cfg.IntOpt(
  182     'user_enabled_mask',
  183     default=0,
  184     min=0,
  185     help=utils.fmt("""
  186 Bitmask integer to select which bit indicates the enabled value if the LDAP
  187 server represents "enabled" as a bit on an integer rather than as a discrete
  188 boolean. A value of `0` indicates that the mask is not used. If this is not set
  189 to `0` the typical value is `2`. This is typically used when `[ldap]
  190 user_enabled_attribute = userAccountControl`. Setting this option causes
  191 keystone to ignore the value of `[ldap] user_enabled_invert`.
  192 """))
  193 
  194 user_enabled_default = cfg.StrOpt(
  195     'user_enabled_default',
  196     default='True',
  197     help=utils.fmt("""
  198 The default value to enable users. This should match an appropriate integer
  199 value if the LDAP server uses non-boolean (bitmask) values to indicate if a
  200 user is enabled or disabled. If this is not set to `True`, then the typical
  201 value is `512`. This is typically used when `[ldap] user_enabled_attribute =
  202 userAccountControl`.
  203 """))
  204 
  205 user_attribute_ignore = cfg.ListOpt(
  206     'user_attribute_ignore',
  207     default=['default_project_id'],
  208     help=utils.fmt("""
  209 List of user attributes to ignore on create and update, or whether a specific
  210 user attribute should be filtered for list or show user.
  211 """))
  212 
  213 user_default_project_id_attribute = cfg.StrOpt(
  214     'user_default_project_id_attribute',
  215     help=utils.fmt("""
  216 The LDAP attribute mapped to a user's default_project_id in keystone. This is
  217 most commonly used when keystone has write access to LDAP.
  218 """))
  219 
  220 user_enabled_emulation = cfg.BoolOpt(
  221     'user_enabled_emulation',
  222     default=False,
  223     help=utils.fmt("""
  224 If enabled, keystone uses an alternative method to determine if a user is
  225 enabled or not by checking if they are a member of the group defined by the
  226 `[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone
  227 to ignore the value of `[ldap] user_enabled_invert`.
  228 """))
  229 
  230 user_enabled_emulation_dn = cfg.StrOpt(
  231     'user_enabled_emulation_dn',
  232     help=utils.fmt("""
  233 DN of the group entry to hold enabled users when using enabled emulation.
  234 Setting this option has no effect unless `[ldap] user_enabled_emulation` is
  235 also enabled.
  236 """))
  237 
  238 user_enabled_emulation_use_group_config = cfg.BoolOpt(
  239     'user_enabled_emulation_use_group_config',
  240     default=False,
  241     help=utils.fmt("""
  242 Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings
  243 to determine membership in the emulated enabled group. Enabling this option has
  244 no effect unless `[ldap] user_enabled_emulation` is also enabled.
  245 """))
  246 
  247 user_additional_attribute_mapping = cfg.ListOpt(
  248     'user_additional_attribute_mapping',
  249     default=[],
  250     help=utils.fmt("""
  251 A list of LDAP attribute to keystone user attribute pairs used for mapping
  252 additional attributes to users in keystone. The expected format is
  253 `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP
  254 object and `user_attr` is the attribute which should appear in the identity
  255 API.
  256 """))
  257 
  258 group_tree_dn = cfg.StrOpt(
  259     'group_tree_dn',
  260     help=utils.fmt("""
  261 The search base to use for groups. Defaults to `ou=UserGroups` with the `[ldap]
  262 suffix` appended to it.
  263 """))
  264 
  265 group_filter = cfg.StrOpt(
  266     'group_filter',
  267     help=utils.fmt("""
  268 The LDAP search filter to use for groups.
  269 """))
  270 
  271 group_objectclass = cfg.StrOpt(
  272     'group_objectclass',
  273     default='groupOfNames',
  274     help=utils.fmt("""
  275 The LDAP object class to use for groups. If setting this option to
  276 `posixGroup`, you may also be interested in enabling the `[ldap]
  277 group_members_are_ids` option.
  278 """))
  279 
  280 group_id_attribute = cfg.StrOpt(
  281     'group_id_attribute',
  282     default='cn',
  283     help=utils.fmt("""
  284 The LDAP attribute mapped to group IDs in keystone. This must NOT be a
  285 multivalued attribute. Group IDs are expected to be globally unique across
  286 keystone domains and URL-safe.
  287 """))
  288 
  289 group_name_attribute = cfg.StrOpt(
  290     'group_name_attribute',
  291     default='ou',
  292     help=utils.fmt("""
  293 The LDAP attribute mapped to group names in keystone. Group names are expected
  294 to be unique only within a keystone domain and are not expected to be URL-safe.
  295 """))
  296 
  297 group_member_attribute = cfg.StrOpt(
  298     'group_member_attribute',
  299     default='member',
  300     help=utils.fmt("""
  301 The LDAP attribute used to indicate that a user is a member of the group.
  302 """))
  303 
  304 group_members_are_ids = cfg.BoolOpt(
  305     'group_members_are_ids',
  306     default=False,
  307     help=utils.fmt("""
  308 Enable this option if the members of the group object class are keystone user
  309 IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group
  310 object class in Open Directory.
  311 """))
  312 
  313 group_desc_attribute = cfg.StrOpt(
  314     'group_desc_attribute',
  315     default='description',
  316     help=utils.fmt("""
  317 The LDAP attribute mapped to group descriptions in keystone.
  318 """))
  319 
  320 group_attribute_ignore = cfg.ListOpt(
  321     'group_attribute_ignore',
  322     default=[],
  323     help=utils.fmt("""
  324 List of group attributes to ignore on create and update. or whether a specific
  325 group attribute should be filtered for list or show group.
  326 """))
  327 
  328 group_additional_attribute_mapping = cfg.ListOpt(
  329     'group_additional_attribute_mapping',
  330     default=[],
  331     help=utils.fmt("""
  332 A list of LDAP attribute to keystone group attribute pairs used for mapping
  333 additional attributes to groups in keystone. The expected format is
  334 `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP
  335 object and `group_attr` is the attribute which should appear in the identity
  336 API.
  337 """))
  338 
  339 group_ad_nesting = cfg.BoolOpt(
  340     'group_ad_nesting',
  341     default=False,
  342     help=utils.fmt("""
  343 If enabled, group queries will use Active Directory specific filters for
  344 nested groups.
  345 """))
  346 
  347 tls_cacertfile = cfg.StrOpt(
  348     'tls_cacertfile',
  349     help=utils.fmt("""
  350 An absolute path to a CA certificate file to use when communicating with LDAP
  351 servers. This option will take precedence over `[ldap] tls_cacertdir`, so there
  352 is no reason to set both.
  353 """))
  354 
  355 tls_cacertdir = cfg.StrOpt(
  356     'tls_cacertdir',
  357     help=utils.fmt("""
  358 An absolute path to a CA certificate directory to use when communicating with
  359 LDAP servers. There is no reason to set this option if you've also set `[ldap]
  360 tls_cacertfile`.
  361 """))
  362 
  363 use_tls = cfg.BoolOpt(
  364     'use_tls',
  365     default=False,
  366     help=utils.fmt("""
  367 Enable TLS when communicating with LDAP servers. You should also set the
  368 `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
  369 option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
  370 of TLS.
  371 """))
  372 
  373 tls_req_cert = cfg.StrOpt(
  374     'tls_req_cert',
  375     default='demand',
  376     choices=['demand', 'never', 'allow'],
  377     help=utils.fmt("""
  378 Specifies which checks to perform against client certificates on incoming TLS
  379 sessions. If set to `demand`, then a certificate will always be requested and
  380 required from the LDAP server. If set to `allow`, then a certificate will
  381 always be requested but not required from the LDAP server. If set to `never`,
  382 then a certificate will never be requested.
  383 """))
  384 
  385 connection_timeout = cfg.IntOpt(
  386     'connection_timeout',
  387     default=-1,
  388     min=-1,
  389     help=utils.fmt("""
  390 The connection timeout to use with the LDAP server. A value of `-1` means that
  391 connections will never timeout.
  392 """))
  393 
  394 use_pool = cfg.BoolOpt(
  395     'use_pool',
  396     default=True,
  397     help=utils.fmt("""
  398 Enable LDAP connection pooling for queries to the LDAP server. There is
  399 typically no reason to disable this.
  400 """))
  401 
  402 pool_size = cfg.IntOpt(
  403     'pool_size',
  404     default=10,
  405     min=1,
  406     help=utils.fmt("""
  407 The size of the LDAP connection pool. This option has no effect unless `[ldap]
  408 use_pool` is also enabled.
  409 """))
  410 
  411 pool_retry_max = cfg.IntOpt(
  412     'pool_retry_max',
  413     default=3,
  414     min=0,
  415     help=utils.fmt("""
  416 The maximum number of times to attempt reconnecting to the LDAP server before
  417 aborting. A value of zero prevents retries. This option has no effect unless
  418 `[ldap] use_pool` is also enabled.
  419 """))
  420 
  421 pool_retry_delay = cfg.FloatOpt(
  422     'pool_retry_delay',
  423     default=0.1,
  424     help=utils.fmt("""
  425 The number of seconds to wait before attempting to reconnect to the LDAP
  426 server. This option has no effect unless `[ldap] use_pool` is also enabled.
  427 """))
  428 
  429 pool_connection_timeout = cfg.IntOpt(
  430     'pool_connection_timeout',
  431     default=-1,
  432     min=-1,
  433     help=utils.fmt("""
  434 The connection timeout to use when pooling LDAP connections. A value of `-1`
  435 means that connections will never timeout. This option has no effect unless
  436 `[ldap] use_pool` is also enabled.
  437 """))
  438 
  439 pool_connection_lifetime = cfg.IntOpt(
  440     'pool_connection_lifetime',
  441     default=600,
  442     min=1,
  443     help=utils.fmt("""
  444 The maximum connection lifetime to the LDAP server in seconds. When this
  445 lifetime is exceeded, the connection will be unbound and removed from the
  446 connection pool. This option has no effect unless `[ldap] use_pool` is also
  447 enabled.
  448 """))
  449 
  450 use_auth_pool = cfg.BoolOpt(
  451     'use_auth_pool',
  452     default=True,
  453     help=utils.fmt("""
  454 Enable LDAP connection pooling for end user authentication. There is typically
  455 no reason to disable this.
  456 """))
  457 
  458 auth_pool_size = cfg.IntOpt(
  459     'auth_pool_size',
  460     default=100,
  461     min=1,
  462     help=utils.fmt("""
  463 The size of the connection pool to use for end user authentication. This option
  464 has no effect unless `[ldap] use_auth_pool` is also enabled.
  465 """))
  466 
  467 auth_pool_connection_lifetime = cfg.IntOpt(
  468     'auth_pool_connection_lifetime',
  469     default=60,
  470     min=1,
  471     help=utils.fmt("""
  472 The maximum end user authentication connection lifetime to the LDAP server in
  473 seconds. When this lifetime is exceeded, the connection will be unbound and
  474 removed from the connection pool. This option has no effect unless `[ldap]
  475 use_auth_pool` is also enabled.
  476 """))
  477 
  478 
  479 GROUP_NAME = __name__.split('.')[-1]
  480 ALL_OPTS = [
  481     url,
  482     user,
  483     password,
  484     suffix,
  485     query_scope,
  486     page_size,
  487     alias_dereferencing,
  488     debug_level,
  489     chase_referrals,
  490     user_tree_dn,
  491     user_filter,
  492     user_objectclass,
  493     user_id_attribute,
  494     user_name_attribute,
  495     user_description_attribute,
  496     user_mail_attribute,
  497     user_pass_attribute,
  498     user_enabled_attribute,
  499     user_enabled_invert,
  500     user_enabled_mask,
  501     user_enabled_default,
  502     user_attribute_ignore,
  503     user_default_project_id_attribute,
  504     user_enabled_emulation,
  505     user_enabled_emulation_dn,
  506     user_enabled_emulation_use_group_config,
  507     user_additional_attribute_mapping,
  508     group_tree_dn,
  509     group_filter,
  510     group_objectclass,
  511     group_id_attribute,
  512     group_name_attribute,
  513     group_member_attribute,
  514     group_members_are_ids,
  515     group_desc_attribute,
  516     group_attribute_ignore,
  517     group_additional_attribute_mapping,
  518     group_ad_nesting,
  519     tls_cacertfile,
  520     tls_cacertdir,
  521     use_tls,
  522     tls_req_cert,
  523     connection_timeout,
  524     use_pool,
  525     pool_size,
  526     pool_retry_max,
  527     pool_retry_delay,
  528     pool_connection_timeout,
  529     pool_connection_lifetime,
  530     use_auth_pool,
  531     auth_pool_size,
  532     auth_pool_connection_lifetime,
  533 ]
  534 
  535 
  536 def register_opts(conf):
  537     conf.register_opts(ALL_OPTS, group=GROUP_NAME)
  538 
  539 
  540 def list_opts():
  541     return {GROUP_NAME: ALL_OPTS}