LDAP backend for default domain
diff --git a/README.rst b/README.rst
index d1f0602..73c515a 100644
--- a/README.rst
+++ b/README.rst
@@ -178,6 +178,22 @@
uid: keystone
password: cloudlab
+Using LDAP backend for default domain
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm01.workshop.cloudlab.cz"
+ suffix: "dc=workshop,dc=cloudlab,dc=cz"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
+ uid: keystone
+ password: cloudlab
+
Read more
=========
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
new file mode 100644
index 0000000..0c27708
--- /dev/null
+++ b/keystone/files/_ldap.conf
@@ -0,0 +1,59 @@
+
+[ldap]
+url = {{ ldap.url }}
+user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
+password = {{ ldap.password }}
+suffix = {{ ldap.suffix }}
+
+# User mapping
+user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
+user_objectclass = person
+user_id_attribute = uid
+user_name_attribute = uid
+user_mail_attribute = mail
+{%- if ldap.get('read_only', True) %}
+user_allow_create = false
+user_allow_update = false
+user_allow_delete = false
+{%- endif %}
+user_enabled_attribute = nsAccountLock
+user_enabled_default = False
+user_enabled_invert = true
+{%- if ldap.get('filter', {}).get('user', False) %}
+user_filter = {{ ldap.filter.user }}
+{%- endif %}
+
+# Group mapping
+group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
+group_objectclass = groupOfNames
+group_id_attribute = cn
+group_name_attribute = cn
+group_member_attribute = member
+group_desc_attribute = description
+{%- if ldap.get('read_only', True) %}
+group_allow_create = false
+group_allow_update = false
+group_allow_delete = false
+{%- endif %}
+
+{%- if ldap.tls is defined %}
+
+{%- if ldap.tls.get("enabled", False) %}
+use_tls = true
+{%- endif %}
+
+{%- if ldap.tls.cacertdir is defined %}
+tls_cacertdir = {{ ldap.tls.cacertdir }}
+{%- endif %}
+
+{%- if ldap.tls.cacert is defined %}
+tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
+{%- elif ldap.tls.cacertfile is defined %}
+tls_cacertfile = {{ ldap.tls.cacertfile }}
+{%- endif %}
+
+{%- if ldap.tls.req_cert is defined %}
+tls_req_cert = {{ ldap.tls.req_cert }}
+{%- endif %}
+
+{%- endif %}
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
index 11ce373..00b6200 100644
--- a/keystone/files/keystone.domain.conf
+++ b/keystone/files/keystone.domain.conf
@@ -2,66 +2,8 @@
{%- set domain = server.domain.get(domain_name) %}
{%- if domain.get("backend", "sql") == "ldap" %}
-
-[ldap]
-url = {{ domain.ldap.url }}
-user = uid={{ domain.ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ domain.ldap.suffix }}
-password = {{ domain.ldap.password }}
-suffix = {{ domain.ldap.suffix }}
-
-# User mapping
-user_tree_dn = cn=users,cn=accounts,{{ domain.ldap.suffix }}
-user_objectclass = person
-user_id_attribute = uid
-user_name_attribute = uid
-user_mail_attribute = mail
-{%- if domain.ldap.get('read_only', True) %}
-user_allow_create = false
-user_allow_update = false
-user_allow_delete = false
-{%- endif %}
-user_enabled_attribute = nsAccountLock
-user_enabled_default = False
-user_enabled_invert = true
-{%- if domain.ldap.get('filter', {}).get('user', False) %}
-user_filter = {{ domain.ldap.filter.user }}
-{%- endif %}
-
-# Group mapping
-group_tree_dn = cn=groups,cn=accounts,{{ domain.ldap.suffix }}
-group_objectclass = groupOfNames
-group_id_attribute = cn
-group_name_attribute = cn
-group_member_attribute = member
-group_desc_attribute = description
-{%- if domain.ldap.get('read_only', True) %}
-group_allow_create = false
-group_allow_update = false
-group_allow_delete = false
-{%- endif %}
-
-{%- if domain.ldap.tls is defined %}
-
-{%- if domain.ldap.tls.get("enabled", False) %}
-use_tls = true
-{%- endif %}
-
-{%- if domain.ldap.tls.cacertdir is defined %}
-tls_cacertdir = {{ domain.ldap.tls.cacertdir }}
-{%- endif %}
-
-{%- if domain.ldap.tls.cacert is defined %}
-tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
-{%- elif domain.ldap.tls.cacertfile is defined %}
-tls_cacertfile = {{ domain.ldap.tls.cacertfile }}
-{%- endif %}
-
-{%- if domain.ldap.tls.req_cert is defined %}
-tls_req_cert = {{ domain.ldap.tls.req_cert }}
-{%- endif %}
-
-{%- endif %}
-
+{%- set ldap = domain.ldap %}
+{% include "keystone/files/_ldap.conf" %}
{%- endif %}
[identity]
diff --git a/keystone/files/kilo/keystone.conf.Debian b/keystone/files/kilo/keystone.conf.Debian
index 29b91dc..c9e6320 100644
--- a/keystone/files/kilo/keystone.conf.Debian
+++ b/keystone/files/kilo/keystone.conf.Debian
@@ -271,6 +271,9 @@
# Assignment backend driver. (string value)
#driver = <None>
+{%- if server.get("assignment", {}).get("backend", "sql") == "ldap" %}
+driver = keystone.assignment.backends.ldap.Assignment
+{%- endif %}
[auth]
@@ -738,8 +741,11 @@
{%- endif %}
# Identity backend driver. (string value)
-#driver = keystone.identity.backends.sql.Identity
+{%- if server.get('backend', 'sql') == 'ldap' %}
+driver = keystone.identity.backends.ldap.Identity
+{%- else %}
driver = keystone.identity.backends.sql.Identity
+{%- endif %}
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -811,322 +817,10 @@
# Default lock timeout (in seconds) for distributed locking. (integer value)
#default_lock_timeout = 5
-
-[ldap]
-
-#
-# From keystone
-#
-
-# URL for connecting to the LDAP server. (string value)
-#url = ldap://localhost
-
-# User BindDN to query the LDAP server. (string value)
-#user = <None>
-
-# Password for the BindDN to query the LDAP server. (string value)
-#password = <None>
-
-# LDAP server suffix (string value)
-#suffix = cn=example,cn=com
-
-# If true, will add a dummy member to groups. This is required if the
-# objectclass for groups requires the "member" attribute. (boolean value)
-#use_dumb_member = false
-
-# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
-# value)
-#dumb_member = cn=dumb,dc=nonexistent
-
-# Delete subtrees using the subtree delete control. Only enable this option if
-# your LDAP server supports subtree deletion. (boolean value)
-#allow_subtree_delete = false
-
-# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
-# or "sub" (subtree/wholeSubtree). (string value)
-#query_scope = one
-
-# Maximum results per page; a value of zero ("0") disables paging. (integer
-# value)
-#page_size = 0
-
-# The LDAP dereferencing option for queries. This can be either "never",
-# "searching", "always", "finding" or "default". The "default" option falls
-# back to using default dereferencing configured by your ldap.conf. (string
-# value)
-#alias_dereferencing = default
-
-# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
-# debugging is not enabled. This value is a bitmask, consult your LDAP
-# documentation for possible values. (integer value)
-#debug_level = <None>
-
-# Override the system's default referral chasing behavior for queries. (boolean
-# value)
-#chase_referrals = <None>
-
-# Search base for users. (string value)
-#user_tree_dn = <None>
-
-# LDAP search filter for users. (string value)
-#user_filter = <None>
-
-# LDAP objectclass for users. (string value)
-#user_objectclass = inetOrgPerson
-
-# LDAP attribute mapped to user id. WARNING: must not be a multivalued
-# attribute. (string value)
-#user_id_attribute = cn
-
-# LDAP attribute mapped to user name. (string value)
-#user_name_attribute = sn
-
-# LDAP attribute mapped to user email. (string value)
-#user_mail_attribute = mail
-
-# LDAP attribute mapped to password. (string value)
-#user_pass_attribute = userPassword
-
-# LDAP attribute mapped to user enabled flag. (string value)
-#user_enabled_attribute = enabled
-
-# Invert the meaning of the boolean enabled values. Some LDAP servers use a
-# boolean lock attribute where "true" means an account is disabled. Setting
-# "user_enabled_invert = true" will allow these lock attributes to be used.
-# This setting will have no effect if "user_enabled_mask" or
-# "user_enabled_emulation" settings are in use. (boolean value)
-#user_enabled_invert = false
-
-# Bitmask integer to indicate the bit that the enabled value is stored in if
-# the LDAP server represents "enabled" as a bit on an integer rather than a
-# boolean. A value of "0" indicates the mask is not used. If this is not set to
-# "0" the typical value is "2". This is typically used when
-# "user_enabled_attribute = userAccountControl". (integer value)
-#user_enabled_mask = 0
-
-# Default value to enable users. This should match an appropriate int value if
-# the LDAP server uses non-boolean (bitmask) values to indicate if a user is
-# enabled or disabled. If this is not set to "True" the typical value is "512".
-# This is typically used when "user_enabled_attribute = userAccountControl".
-# (string value)
-#user_enabled_default = True
-
-# List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id,tenants
-
-# LDAP attribute mapped to default_project_id for users. (string value)
-#user_default_project_id_attribute = <None>
-
-# Allow user creation in LDAP backend. (boolean value)
-#user_allow_create = true
-
-# Allow user updates in LDAP backend. (boolean value)
-#user_allow_update = true
-
-# Allow user deletion in LDAP backend. (boolean value)
-#user_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a user is
-# enabled or not by checking if they are a member of the
-# "user_enabled_emulation_dn" group. (boolean value)
-#user_enabled_emulation = false
-
-# DN of the group entry to hold enabled users when using enabled emulation.
-# (string value)
-#user_enabled_emulation_dn = <None>
-
-# List of additional LDAP attributes used for mapping additional attribute
-# mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
-# where ldap_attr is the attribute in the LDAP entry and user_attr is the
-# Identity API attribute. (list value)
-#user_additional_attribute_mapping =
-
-# Search base for projects (string value)
-# Deprecated group/name - [ldap]/tenant_tree_dn
-#project_tree_dn = <None>
-
-# LDAP search filter for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_filter
-#project_filter = <None>
-
-# LDAP objectclass for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_objectclass
-#project_objectclass = groupOfNames
-
-# LDAP attribute mapped to project id. (string value)
-# Deprecated group/name - [ldap]/tenant_id_attribute
-#project_id_attribute = cn
-
-# LDAP attribute mapped to project membership for user. (string value)
-# Deprecated group/name - [ldap]/tenant_member_attribute
-#project_member_attribute = member
-
-# LDAP attribute mapped to project name. (string value)
-# Deprecated group/name - [ldap]/tenant_name_attribute
-#project_name_attribute = ou
-
-# LDAP attribute mapped to project description. (string value)
-# Deprecated group/name - [ldap]/tenant_desc_attribute
-#project_desc_attribute = description
-
-# LDAP attribute mapped to project enabled. (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_attribute
-#project_enabled_attribute = enabled
-
-# LDAP attribute mapped to project domain_id. (string value)
-# Deprecated group/name - [ldap]/tenant_domain_id_attribute
-#project_domain_id_attribute = businessCategory
-
-# List of attributes stripped off the project on update. (list value)
-# Deprecated group/name - [ldap]/tenant_attribute_ignore
-#project_attribute_ignore =
-
-# Allow project creation in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_create
-#project_allow_create = true
-
-# Allow project update in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_update
-#project_allow_update = true
-
-# Allow project deletion in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_delete
-#project_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a project is
-# enabled or not by checking if they are a member of the
-# "project_enabled_emulation_dn" group. (boolean value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation
-#project_enabled_emulation = false
-
-# DN of the group entry to hold enabled projects when using enabled emulation.
-# (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
-#project_enabled_emulation_dn = <None>
-
-# Additional attribute mappings for projects. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
-#project_additional_attribute_mapping =
-
-# Search base for roles. (string value)
-#role_tree_dn = <None>
-
-# LDAP search filter for roles. (string value)
-#role_filter = <None>
-
-# LDAP objectclass for roles. (string value)
-#role_objectclass = organizationalRole
-
-# LDAP attribute mapped to role id. (string value)
-#role_id_attribute = cn
-
-# LDAP attribute mapped to role name. (string value)
-#role_name_attribute = ou
-
-# LDAP attribute mapped to role membership. (string value)
-#role_member_attribute = roleOccupant
-
-# List of attributes stripped off the role on update. (list value)
-#role_attribute_ignore =
-
-# Allow role creation in LDAP backend. (boolean value)
-#role_allow_create = true
-
-# Allow role update in LDAP backend. (boolean value)
-#role_allow_update = true
-
-# Allow role deletion in LDAP backend. (boolean value)
-#role_allow_delete = true
-
-# Additional attribute mappings for roles. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-#role_additional_attribute_mapping =
-
-# Search base for groups. (string value)
-#group_tree_dn = <None>
-
-# LDAP search filter for groups. (string value)
-#group_filter = <None>
-
-# LDAP objectclass for groups. (string value)
-#group_objectclass = groupOfNames
-
-# LDAP attribute mapped to group id. (string value)
-#group_id_attribute = cn
-
-# LDAP attribute mapped to group name. (string value)
-#group_name_attribute = ou
-
-# LDAP attribute mapped to show group membership. (string value)
-#group_member_attribute = member
-
-# LDAP attribute mapped to group description. (string value)
-#group_desc_attribute = description
-
-# List of attributes stripped off the group on update. (list value)
-#group_attribute_ignore =
-
-# Allow group creation in LDAP backend. (boolean value)
-#group_allow_create = true
-
-# Allow group update in LDAP backend. (boolean value)
-#group_allow_update = true
-
-# Allow group deletion in LDAP backend. (boolean value)
-#group_allow_delete = true
-
-# Additional attribute mappings for groups. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-#group_additional_attribute_mapping =
-
-# CA certificate file path for communicating with LDAP servers. (string value)
-#tls_cacertfile = <None>
-
-# CA certificate directory path for communicating with LDAP servers. (string
-# value)
-#tls_cacertdir = <None>
-
-# Enable TLS for communicating with LDAP servers. (boolean value)
-#use_tls = false
-
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
-#tls_req_cert = demand
-
-# Enable LDAP connection pooling. (boolean value)
-#use_pool = false
-
-# Connection pool size. (integer value)
-#pool_size = 10
-
-# Maximum count of reconnect trials. (integer value)
-#pool_retry_max = 3
-
-# Time span in seconds to wait between two reconnect trials. (floating point
-# value)
-#pool_retry_delay = 0.1
-
-# Connector timeout in seconds. Value -1 indicates indefinite wait for
-# response. (integer value)
-#pool_connection_timeout = -1
-
-# Connection lifetime in seconds. (integer value)
-#pool_connection_lifetime = 600
-
-# Enable LDAP connection pooling for end user authentication. If use_pool is
-# disabled, then this setting is meaningless and is not used at all. (boolean
-# value)
-#use_auth_pool = false
-
-# End user auth connection pool size. (integer value)
-#auth_pool_size = 100
-
-# End user auth connection lifetime in seconds. (integer value)
-#auth_pool_connection_lifetime = 60
-
+{%- if server.get("backend", "sql") == "ldap" %}
+{%- set ldap = server.ldap %}
+{% include "keystone/files/_ldap.conf" %}
+{%- endif %}
[matchmaker_redis]
diff --git a/keystone/files/liberty/keystone.conf.Debian b/keystone/files/liberty/keystone.conf.Debian
index 9e06d1b..b706f95 100644
--- a/keystone/files/liberty/keystone.conf.Debian
+++ b/keystone/files/liberty/keystone.conf.Debian
@@ -284,6 +284,9 @@
# specified, the identity driver will choose the assignment driver. (string
# value)
#driver = <None>
+{%- if server.get("assignment", {}).get("backend", "sql") == "ldap" %}
+driver = ldap
+{%- endif %}
[auth]
@@ -865,8 +868,11 @@
# Entrypoint for the identity backend driver in the keystone.identity
# namespace. Supplied drivers are ldap and sql. (string value)
-#driver = sql
+{%- if server.get('backend', 'sql') == 'ldap' %}
+driver = ldap
+{%- else %}
driver = sql
+{%- endif %}
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -940,378 +946,10 @@
# Default lock timeout (in seconds) for distributed locking. (integer value)
#default_lock_timeout = 5
-
-[ldap]
-
-#
-# From keystone
-#
-
-# URL for connecting to the LDAP server. (string value)
-#url = ldap://localhost
-
-# User BindDN to query the LDAP server. (string value)
-#user = <None>
-
-# Password for the BindDN to query the LDAP server. (string value)
-#password = <None>
-
-# LDAP server suffix (string value)
-#suffix = cn=example,cn=com
-
-# If true, will add a dummy member to groups. This is required if the
-# objectclass for groups requires the "member" attribute. (boolean value)
-#use_dumb_member = false
-
-# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
-# value)
-#dumb_member = cn=dumb,dc=nonexistent
-
-# Delete subtrees using the subtree delete control. Only enable this option if
-# your LDAP server supports subtree deletion. (boolean value)
-#allow_subtree_delete = false
-
-# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
-# represents subtree/wholeSubtree options. (string value)
-# Allowed values: one, sub
-#query_scope = one
-
-# Maximum results per page; a value of zero ("0") disables paging. (integer
-# value)
-#page_size = 0
-
-# The LDAP dereferencing option for queries. The "default" option falls back to
-# using default dereferencing configured by your ldap.conf. (string value)
-# Allowed values: never, searching, always, finding, default
-#alias_dereferencing = default
-
-# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
-# debugging is not enabled. This value is a bitmask, consult your LDAP
-# documentation for possible values. (integer value)
-#debug_level = <None>
-
-# Override the system's default referral chasing behavior for queries. (boolean
-# value)
-#chase_referrals = <None>
-
-# Search base for users. Defaults to the suffix value. (string value)
-#user_tree_dn = <None>
-
-# LDAP search filter for users. (string value)
-#user_filter = <None>
-
-# LDAP objectclass for users. (string value)
-#user_objectclass = inetOrgPerson
-
-# LDAP attribute mapped to user id. WARNING: must not be a multivalued
-# attribute. (string value)
-#user_id_attribute = cn
-
-# LDAP attribute mapped to user name. (string value)
-#user_name_attribute = sn
-
-# LDAP attribute mapped to user email. (string value)
-#user_mail_attribute = mail
-
-# LDAP attribute mapped to password. (string value)
-#user_pass_attribute = userPassword
-
-# LDAP attribute mapped to user enabled flag. (string value)
-#user_enabled_attribute = enabled
-
-# Invert the meaning of the boolean enabled values. Some LDAP servers use a
-# boolean lock attribute where "true" means an account is disabled. Setting
-# "user_enabled_invert = true" will allow these lock attributes to be used.
-# This setting will have no effect if "user_enabled_mask" or
-# "user_enabled_emulation" settings are in use. (boolean value)
-#user_enabled_invert = false
-
-# Bitmask integer to indicate the bit that the enabled value is stored in if
-# the LDAP server represents "enabled" as a bit on an integer rather than a
-# boolean. A value of "0" indicates the mask is not used. If this is not set to
-# "0" the typical value is "2". This is typically used when
-# "user_enabled_attribute = userAccountControl". (integer value)
-#user_enabled_mask = 0
-
-# Default value to enable users. This should match an appropriate int value if
-# the LDAP server uses non-boolean (bitmask) values to indicate if a user is
-# enabled or disabled. If this is not set to "True" the typical value is "512".
-# This is typically used when "user_enabled_attribute = userAccountControl".
-# (string value)
-#user_enabled_default = True
-
-# List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id
-
-# LDAP attribute mapped to default_project_id for users. (string value)
-#user_default_project_id_attribute = <None>
-
-# Allow user creation in LDAP backend. (boolean value)
-#user_allow_create = true
-
-# Allow user updates in LDAP backend. (boolean value)
-#user_allow_update = true
-
-# Allow user deletion in LDAP backend. (boolean value)
-#user_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a user is
-# enabled or not by checking if they are a member of the
-# "user_enabled_emulation_dn" group. (boolean value)
-#user_enabled_emulation = false
-
-# DN of the group entry to hold enabled users when using enabled emulation.
-# (string value)
-#user_enabled_emulation_dn = <None>
-
-# List of additional LDAP attributes used for mapping additional attribute
-# mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
-# where ldap_attr is the attribute in the LDAP entry and user_attr is the
-# Identity API attribute. (list value)
-#user_additional_attribute_mapping =
-
-# Search base for projects. Defaults to the suffix value. (string value)
-# Deprecated group/name - [ldap]/tenant_tree_dn
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_tree_dn = <None>
-
-# LDAP search filter for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_filter
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_filter = <None>
-
-# LDAP objectclass for projects. (string value)
-# Deprecated group/name - [ldap]/tenant_objectclass
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_objectclass = groupOfNames
-
-# LDAP attribute mapped to project id. (string value)
-# Deprecated group/name - [ldap]/tenant_id_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_id_attribute = cn
-
-# LDAP attribute mapped to project membership for user. (string value)
-# Deprecated group/name - [ldap]/tenant_member_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_member_attribute = member
-
-# LDAP attribute mapped to project name. (string value)
-# Deprecated group/name - [ldap]/tenant_name_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_name_attribute = ou
-
-# LDAP attribute mapped to project description. (string value)
-# Deprecated group/name - [ldap]/tenant_desc_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_desc_attribute = description
-
-# LDAP attribute mapped to project enabled. (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_enabled_attribute = enabled
-
-# LDAP attribute mapped to project domain_id. (string value)
-# Deprecated group/name - [ldap]/tenant_domain_id_attribute
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_domain_id_attribute = businessCategory
-
-# List of attributes stripped off the project on update. (list value)
-# Deprecated group/name - [ldap]/tenant_attribute_ignore
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_attribute_ignore =
-
-# Allow project creation in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_create
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_allow_create = true
-
-# Allow project update in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_update
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_allow_update = true
-
-# Allow project deletion in LDAP backend. (boolean value)
-# Deprecated group/name - [ldap]/tenant_allow_delete
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_allow_delete = true
-
-# If true, Keystone uses an alternative method to determine if a project is
-# enabled or not by checking if they are a member of the
-# "project_enabled_emulation_dn" group. (boolean value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_enabled_emulation = false
-
-# DN of the group entry to hold enabled projects when using enabled emulation.
-# (string value)
-# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_enabled_emulation_dn = <None>
-
-# Additional attribute mappings for projects. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#project_additional_attribute_mapping =
-
-# Search base for roles. Defaults to the suffix value. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_tree_dn = <None>
-
-# LDAP search filter for roles. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_filter = <None>
-
-# LDAP objectclass for roles. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_objectclass = organizationalRole
-
-# LDAP attribute mapped to role id. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_id_attribute = cn
-
-# LDAP attribute mapped to role name. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_name_attribute = ou
-
-# LDAP attribute mapped to role membership. (string value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_member_attribute = roleOccupant
-
-# List of attributes stripped off the role on update. (list value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_attribute_ignore =
-
-# Allow role creation in LDAP backend. (boolean value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_allow_create = true
-
-# Allow role update in LDAP backend. (boolean value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_allow_update = true
-
-# Allow role deletion in LDAP backend. (boolean value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_allow_delete = true
-
-# Additional attribute mappings for roles. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-# This option is deprecated for removal.
-# Its value may be silently ignored in the future.
-#role_additional_attribute_mapping =
-
-# Search base for groups. Defaults to the suffix value. (string value)
-#group_tree_dn = <None>
-
-# LDAP search filter for groups. (string value)
-#group_filter = <None>
-
-# LDAP objectclass for groups. (string value)
-#group_objectclass = groupOfNames
-
-# LDAP attribute mapped to group id. (string value)
-#group_id_attribute = cn
-
-# LDAP attribute mapped to group name. (string value)
-#group_name_attribute = ou
-
-# LDAP attribute mapped to show group membership. (string value)
-#group_member_attribute = member
-
-# LDAP attribute mapped to group description. (string value)
-#group_desc_attribute = description
-
-# List of attributes stripped off the group on update. (list value)
-#group_attribute_ignore =
-
-# Allow group creation in LDAP backend. (boolean value)
-#group_allow_create = true
-
-# Allow group update in LDAP backend. (boolean value)
-#group_allow_update = true
-
-# Allow group deletion in LDAP backend. (boolean value)
-#group_allow_delete = true
-
-# Additional attribute mappings for groups. Attribute mapping format is
-# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
-# and user_attr is the Identity API attribute. (list value)
-#group_additional_attribute_mapping =
-
-# CA certificate file path for communicating with LDAP servers. (string value)
-#tls_cacertfile = <None>
-
-# CA certificate directory path for communicating with LDAP servers. (string
-# value)
-#tls_cacertdir = <None>
-
-# Enable TLS for communicating with LDAP servers. (boolean value)
-#use_tls = false
-
-# Specifies what checks to perform on client certificates in an incoming TLS
-# session. (string value)
-# Allowed values: demand, never, allow
-#tls_req_cert = demand
-
-# Enable LDAP connection pooling. (boolean value)
-#use_pool = false
-
-# Connection pool size. (integer value)
-#pool_size = 10
-
-# Maximum count of reconnect trials. (integer value)
-#pool_retry_max = 3
-
-# Time span in seconds to wait between two reconnect trials. (floating point
-# value)
-#pool_retry_delay = 0.1
-
-# Connector timeout in seconds. Value -1 indicates indefinite wait for
-# response. (integer value)
-#pool_connection_timeout = -1
-
-# Connection lifetime in seconds. (integer value)
-#pool_connection_lifetime = 600
-
-# Enable LDAP connection pooling for end user authentication. If use_pool is
-# disabled, then this setting is meaningless and is not used at all. (boolean
-# value)
-#use_auth_pool = false
-
-# End user auth connection pool size. (integer value)
-#auth_pool_size = 100
-
-# End user auth connection lifetime in seconds. (integer value)
-#auth_pool_connection_lifetime = 60
-
+{%- if server.get("backend", "sql") == "ldap" %}
+{%- set ldap = server.ldap %}
+{% include "keystone/files/_ldap.conf" %}
+{%- endif %}
[matchmaker_redis]