{#- Keystone per-domain identity backend, [ldap] section, rendered from the
    `ldap` pillar dict. Each ldap.get(key, default) below maps onto the
    Keystone [ldap] option of the same name. The fall-back DNs
    (cn=users / cn=groups under cn=accounts,<suffix>) and nsAccountLock look
    like FreeIPA / 389-ds conventions, so override them for other directories.
    All template comments are stripped at render time; rendered output is
    unchanged by them. -#}
[ldap]
url = {{ ldap.url }}
{#- Bind identity. auth defaults to enabled; note the strict `== True`: only a
    literal boolean true enables the bind, so a quoted pillar value such as
    auth: "true" silently falls through to an anonymous bind -- use a real
    boolean. NOTE(review): with a plain ldap:// url and tls.enabled unset (see
    the tls block at the end) the bind password below travels in cleartext;
    use ldaps:// or tls.enabled: true. #}
{%- if ldap.get('auth', True) == True %}
{%- if ldap.bind_user is defined %}
user = {{ ldap.bind_user }}
{%- else %}
user = uid={{ ldap.get("uid", "keystone") }},cn=users,cn=accounts,{{ ldap.suffix }}
{%- endif %}
{#- NOTE(review): nothing guards an undefined ldap.password. If the renderer
    leaves undefined values empty (Jinja's default Undefined), this renders as
    "password =" and Keystone binds as the DN above with an empty password,
    which many directory servers accept as an unauthenticated/anonymous bind
    (RFC 4513 section 5.1.2) -- the bind silently loses its identity instead
    of failing. Prefer making the render fail (StrictUndefined, or the
    renderer's raise helper if it provides one) or set auth: false
    explicitly. #}
password = {{ ldap.password }}
{%- endif %}
suffix = {{ ldap.suffix }}
query_scope = {{ ldap.get("query_scope", "one") }}
page_size = {{ ldap.get("page_size", "0") }}
{#- Referrals are not chased by default; following them lets the directory
    redirect Keystone (carrying the bind credentials above) to other servers,
    so enable only when the referral targets are trusted. #}
chase_referrals = {{ ldap.get("chase_referrals", False) }}
# User mapping
{%- if ldap.user_tree_dn is defined %}
user_tree_dn = {{ ldap.user_tree_dn }}
{%- else %}
user_tree_dn = cn=users,cn=accounts,{{ ldap.suffix }}
{%- endif %}
user_objectclass = {{ ldap.get("user_objectclass", "person") }}
user_id_attribute = {{ ldap.get("user_id_attribute", "uid") }}
user_name_attribute = {{ ldap.get("user_name_attribute", "uid") }}
user_mail_attribute = {{ ldap.get("user_mail_attribute", "mail") }}
user_pass_attribute = {{ ldap.get("user_pass_attribute", "password") }}
{#- read_only defaults to True: all create/update/delete on users (and on
    groups below) are switched off, so the bind DN above needs read access to
    the two trees only -- grant it nothing more. #}
{%- if ldap.get('read_only', True) %}
user_allow_create = false
user_allow_update = false
user_allow_delete = false
{%- endif %}
{#- Account-enabled mapping. nsAccountLock=TRUE marks a *locked* account in
    389-ds/FreeIPA, hence user_enabled_invert defaults to True. Confirm
    attribute, invert and mask against the directory actually in use: a wrong
    invert silently flips which accounts may authenticate. #}
user_enabled_attribute = {{ ldap.get("user_enabled_attribute", "nsAccountLock") }}
user_enabled_default = {{ ldap.get("user_enabled_default", False) }}
user_enabled_invert = {{ ldap.get("user_enabled_invert", True) }}
user_enabled_mask = {{ ldap.get("user_enabled_mask", 0) }}
{#- ldap.filter.user (and ldap.filter.group below) is emitted verbatim with no
    escaping: it is trusted pillar data and must be a complete RFC 4515
    filter, e.g. (memberOf=cn=keystone-users,cn=groups,cn=accounts,...). #}
{%- if ldap.get('filter', {}).get('user', False) %}
user_filter = {{ ldap.filter.user }}
{%- endif %}
{%- if ldap.user_enabled_emulation is defined %}
user_enabled_emulation = {{ ldap.user_enabled_emulation }}
{%- endif %}
{%- if ldap.user_enabled_emulation_dn is defined %}
user_enabled_emulation_dn = {{ ldap.user_enabled_emulation_dn }}
{%- endif %}
{%- if ldap.user_enabled_emulation_use_group_config is defined %}
user_enabled_emulation_use_group_config = {{ ldap.user_enabled_emulation_use_group_config }}
{%- endif %}
# Group mapping
{%- if ldap.group_tree_dn is defined %}
group_tree_dn = {{ ldap.group_tree_dn }}
{%- else %}
group_tree_dn = cn=groups,cn=accounts,{{ ldap.suffix }}
{%- endif %}
group_objectclass = {{ ldap.get("group_objectclass", "groupOfNames") }}
group_id_attribute = {{ ldap.get("group_id_attribute", "cn") }}
group_name_attribute = {{ ldap.get("group_name_attribute", "cn") }}
group_member_attribute = {{ ldap.get("group_member_attribute", "member") }}
group_desc_attribute = {{ ldap.get("group_desc_attribute", "description") }}
{%- if ldap.get('read_only', True) %}
group_allow_create = false
group_allow_update = false
group_allow_delete = false
{%- endif %}
{%- if ldap.get('filter', {}).get('group', False) %}
group_filter = {{ ldap.filter.group }}
{%- endif %}
{%- if ldap.group_members_are_ids is defined %}
group_members_are_ids = {{ ldap.group_members_are_ids }}
{%- endif %}
{#- Transport security. use_tls is only written when tls.enabled is true and
    turns on STARTTLS for a plain ldap:// url (do not combine it with an
    ldaps:// url). tls.cacert is an inline CA PEM: this template only points
    Keystone at /etc/keystone/domains/<domain_name>.pem -- presumably a
    sibling state writes that file; verify. tls_req_cert set to "never" or
    "allow" disables or weakens server-certificate verification and exposes
    the bind credentials to an active attacker; leave it unset (Keystone's
    documented default is "demand" -- confirm for the deployed release) or
    set "demand" explicitly. #}
{%- if ldap.tls is defined %}
{%- if ldap.tls.get("enabled", False) %}
use_tls = true
{%- endif %}
{%- if ldap.tls.cacertdir is defined %}
tls_cacertdir = {{ ldap.tls.cacertdir }}
{%- endif %}
{%- if ldap.tls.cacert is defined %}
tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
{%- elif ldap.tls.cacertfile is defined %}
tls_cacertfile = {{ ldap.tls.cacertfile }}
{%- endif %}
{%- if ldap.tls.req_cert is defined %}
tls_req_cert = {{ ldap.tls.req_cert }}
{%- endif %}
{%- endif %}