Juno 版 Keystone 主配置文件 keystone.conf 詳解

　　本文全面解讀Icehouse發行版keystone的配置文件keystone.conf，由於從keystone提供的服務或依賴的基礎設施角度入手，因此[DEFAULT]部分可能被拆分到很多子塊中。

 

關於API的配置
[DEFAULT]
admin_bind_host = 0.0.0.0	(StrOpt)admin服務監聽的IP地址
admin_endpoint = None	(StrOpt)廣播給其他服務的keystone管理終端URL
admin_port = 35357	(IntOpt)admin服務監聽的端口
admin_token = ADMIN	(StrOpt) 管理員令牌，建議在生產模式中禁用（如在keystone-paste.ini文件中刪除AdminTokenAuthMiddleware）
compute_port = 8774	(IntOpt)計算服務監聽的端口
domain_id_immutable = True	(BoolOpt)是否可以通過修改domain_id來在域間移動用戶，組和工程
list_limit = None	(IntOpt)限制響應返回的最大容量
max_param_size = 64	(IntOpt)用戶/租戶的ID或名稱的最大長度
max_request_body_size= 114688	(IntOpt)最大請求限制，由可選的尺寸限制中間件來實現，如keystone.middleware:RequestBodySizeLimiter
max_token_size = 8192	(IntOpt)專門針對令牌的長度限制
member_role_id	(StrOpt)
member_role_name=_member_
public_bind_host=0.0.0.0	(StrOpt)公共服務監聽的IP地址
public_endpoint=None	(StrOpt)廣播給其他服務的keystone公共終端URL
public_port = 5000	(IntOpt)公共服務監聽的端口
tcp_keepalive = False	(BoolOpt)能夠控制服務器端socket中TCP_KEEPALIVE是否啟用的開關
tcp_keepidle = 600	(IntOpt)在上一個選項是True的情況下，為每一個服務器socket設定TCP_KEEPIDLE的值
[endpoint_filter]
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter	(StrOpt)終端過濾的后端驅動程序
return_all_endpoints_if_no_filter = True	(BoolOpt)是否決定如果沒有過濾器存在，就返回所有活動的終端
[paste_deploy]
config_file = keystone-paste.ini	(StrOpt)paste配置文件的名稱
關於調試的配置
[DEFAULT]
backdoor_port = None	(StrOpt)Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in theservice's log file.
debug = False	(BoolOpt)打印調試輸出，將日志等級設置為DEBUG而不是默認的WARNING等級
disable_process_locking = False	(BoolOpt)是否禁用進程間鎖
fatal_deprecation = False	(BoolOpt)Make deprecations fatal
publish_errors = False	(BoolOpt)公布error events
pydev_debug_host = None	(StrOpt)連接遠程調試器的主機
pydev_debug_port = None	(IntOpt)連接遠程調試器的端口
standard_threads = False	(BoolOpt)不要猴子補丁線程系統的模塊
[audit]
namespace = openstack	(StrOpt)生成的ID的命名空間前綴
關於EC2的配置
[DEFAULT]
keystone_ec2_cafile = None	(StrOpt)用來驗證HTTPS連接的PEM編碼的CA，默認為系統CAs
keystone_ec2_certfile = None	(StrOpt)客戶端證書密鑰文件，如果EC2服務器要求驗證客戶端證書的話則本文件就是必須的
keystone_ec2_insecure = False	(BoolOpt)是否禁用SSL證書驗證，False是啟用，True是禁用（即不安全的）
keystone_ec2_keyfile = None	(StrOpt)如果EC2服務器要求驗證客戶端證書的話，該文件是必須的
keystone_ec2_url =  http://localhost:5000/v2.0/ec2tokens	(StrOpt)從EC2請求中獲取token的URL
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2	(StrOpt)keystone EC2Credential 后端驅動
關於misc的配置
[DEFAULT]
lock_path = None	(StrOpt)鎖文件存放的目錄
關於通告（notification）的配置
[DEFAULT]
onready = None	(StrOpt)當一個進程就緒時，本選項允許其發送一條通知，比如采取systemd通知的話，可以在等號后設置shell “systemd-notify --ready”或者一個擁有notify()方法的模塊，如：keystone.common.systemd
關於策略（Policy）的配置
[DEFAULT]
policy_default_rule = default	(StrOpt)請求的規則不存在時執行的規則
policy_file = policy.json	(StrOpt)包含訪問控制策略的JSON文件
[policy]
driver = keystone.policy.backends.sql.Policy	(StrOpt)keystone策略后端驅動
list_limit = None	(IntOpt)返回策略集的容量上限
關於密碼安全性的配置
[DEFAULT]
CRYPT_STRENGTH = 40000	(IntOpt)作為關鍵字"rounds"傳給passlib中的加密方法
關於SSL的配置
[signing]
ca_certs = /etc/keystone/ssl/certs/ca.pem	(StrOpt)簽名令牌用到的CA路徑
ca_key = /etc/keystone/ssl/private/cakey.pem	(StrOpt)簽名令牌用到的CA密鑰的路徑
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/ CN=www.example.com	(StrOpt)簽名令牌用到的Certificate Subject
certfile = /etc/keystone/ssl/certs/signing_cert.pem	(StrOpt)簽名令牌用到的證書文件
key_size = 2048	(IntOpt)簽名令牌的證書中的密鑰尺寸（單位：bit）
keyfile = /etc/keystone/ssl/private/signing_key.pem	(StrOpt)簽名令牌的密鑰文件路徑
token_format = None	(StrOpt)不建議使用該選項，支持使用[token]段落中的provider字段
valid_days = 3650	(IntOpt)簽名令牌的證書有效期
[ssl]
ca_certs = /etc/keystone/ssl/certs/ca.pem	(StrOpt)SSL用到的CA證書文件路徑
ca_key = /etc/keystone/ssl/private/cakey.pem	(StrOpt)SSL用到的CA密鑰文件路徑
cert_required = False	(BoolOpt)要求客戶端證書
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/ CN=localhost	(StrOpt)SSL Certificate Subject
certfile = /etc/keystone/ssl/certs/keystone.pem	(StrOpt)SSL證書路徑
enable = False	(BoolOpt)keystone eventlet 服務器是否支持SSL的開關
key_size = 1024	(IntOpt)SSL密鑰長度（單位：bit）
keyfile = /etc/keystone/ssl/private/keystonekey.pem	(StrOpt)SSL密鑰文件路徑
valid_days = 3650	(IntOpt)數字證書有效期
關於RPC的配置
[DEFAULT]
allowed_rpc_exception_modules = oslo.messaging.exceptions, nova.exception, cinder.exception, exceptions	(ListOpt)Modules of exceptions that are permitted to berecreated upon receiving exception data from an rpc call.
關於amqp的配置
[DEFAULT]
amqp_auto_delete = False	(BoolOpt) 自動刪除amqp中的隊列
amqp_durable_queues = False	(BoolOpt) 在amqp中使用持久隊列
control_exchange = openstack	(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
default_publisher_id = None	(StrOpt)Default publisher_id for outgoing notifications
notification_driver = []	(MultiStrOpt)Driver or drivers to handle sending notifications.
notification_topics = notifications	(ListOpt)AMQP topic used for OpenStack notifications
rpc_backend = rabbit	(StrOpt)The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30	(IntOpt)Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
rpc_conn_pool_size = 30	(IntOpt)Size of RPC connection pool
rpc_response_timeout = 60	(IntOpt)Seconds to wait for a response from a call.
rpc_thread_pool_size = 64	(IntOpt)Size of RPC greenthread pool.
transport_url = None	(StrOpt)A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration
關於qpid的配置
[DEFAULT]
qpid_heartbeat = 60	(IntOpt)Seconds between connection keepalive heartbeats.
qpid_hostname = localhost	(StrOpt)Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port	(ListOpt)Qpid HA cluster host:port pairs.
qpid_password =	(StrOpt)Password for Qpid connection.
qpid_port = 5672	(IntOpt)Qpid broker port.
qpid_protocol = tcp	(StrOpt)Transport to use, either 'tcp' or 'ssl'.
qpid_sasl_mechanisms =	(StrOpt) Space separated list of SASL mechanisms to use for auth.
qpid_tcp_nodelay = True	(BoolOpt)Whether to disable the Nagle algorithm
qpid_topology_version = 1	(IntOpt)The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.
qpid_username =	(StrOpt) qpid連接的用戶名
關於rabbit的配置
[DEFAULT]
fake_rabbit = False	(BoolOpt) If passed, use a fake RabbitMQ provider.
kombu_reconnect_delay = 1.0	(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification
kombu_ssl_ca_certs =	(StrOpt) SSL certification authority file (valid only if SSL enabled)
kombu_ssl_certfile =	(StrOpt) SSL cert file (valid only if SSL enabled)
kombu_ssl_keyfile =	(StrOpt) SSL key file (valid only if SSL enabled)
kombu_ssl_version =	(StrOpt) SSL version to use (valid only if SSL enabled). valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions
rabbit_ha_queues = False	(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.
rabbit_host = localhost	(StrOpt)The RabbitMQ broker address where a single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port	(ListOpt)RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN	(StrOpt)the RabbitMQ login method
rabbit_max_retries = 0	(IntOpt)Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
rabbit_password = guest	(StrOpt)The RabbitMQ password
rabbit_port = 5672	(IntOpt)The RabbitMQ broker port where a single node is used.
rabbit_retry_backoff = 2	(IntOpt)How long to backoff for between retries when connecting to RabbitMQ
rabbit_retry_interval = 1	(IntOpt)How frequently to retry connecting with RabbitMQ
rabbit_use_ssl = False	(BoolOpt) Connect over SSL for RabbitMQ
rabbit_userid = guest	(StrOpt)RabbitMQ用戶id
rabbit_virtual_host = /	(StrOpt)RabbitMQ虛擬主機
關於zeromq的配置
[DEFAULT]
rpc_zmq_bind_address = *	(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
rpc_zmq_contexts = 1	(IntOpt) Number of ZeroMQ contexts, defaults to 1
rpc_zmq_host = oslo	(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
rpc_zmq_ipc_dir = /var/run/openstack	(StrOpt) Directory for holding IPC sockets
rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost	(StrOpt) MatchMaker driver
rpc_zmq_port = 9501	(IntOpt) ZeroMQ receiver listening port
rpc_zmq_topic_backlog = None	(IntOpt)Maximum number of ingress messages to locally buffer per topic. Default is unlimited
關於redis的配置
[DEFAULT]
host = 127.0.0.1	(StrOpt) Host to locate redis
matchmaker_heartbeat_freq = 300	(IntOpt) Heartbeat frequency
matchmaker_heartbeat_ttl = 600	(IntOpt) Heartbeat time-to-live
password = None	(StrOpt) Password for Redis server (optional).
port = 6379	(IntOpt) Use this port to connect to redis host
[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json	(StrOpt) Matchmaker ring file (JSON).
關於記錄日志的配置
[DEFAULT]
default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN	(ListOpt)List of logger=LEVEL pairs
instance_format = "[instance: %(uuid)s] "	(StrOpt)If an instance is passed with the log message, format it like this
instance_uuid_format = "[instance: %(uuid)s] "	(StrOpt)If an instance UUID is passed with the log message, format it like this
log_config_append = None	(StrOpt)The name of logging configuration file. It does not disable existing loggers, but just appends specified logging configuration to any other existing logging options. Please see the Python logging module documentation for details on logging configuration files.
log_date_format = %Y-%m-%d %H:%M:%S	(StrOpt)Format string for %%(asctime)s in log records. Default: %(default)s
log_dir = None	(StrOpt) (Optional) The base directory used for relative -- log-file paths
log_file = None	(StrOpt)(Optional) Name of log file to output to. If no default is set, logging will go to stdout.
log_format = None	(StrOpt)DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.
logging_context_format_string = %(asctime)s. %(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s %(message)s	(StrOpt) Format string to use for log messages with context
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d	(StrOpt) Data to append to log format when level is DEBUG
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s %(message)s	(StrOpt) Format string to use for log messages without context
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s	(StrOpt) Prefix each line of exception output with this format
syslog_log_facility = LOG_USER	(StrOpt) Syslog facility to receive log lin
use_stderr = True	(BoolOpt) Log output to standard error
use_syslog = False	(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and then will be changed in J to honor RFC5424
use_syslog_rfc_format = False	(BoolOpt) (Optional) Use syslog rfc5424 format for logging. If enabled, will add APP-NAME (RFC5424) before the MSG part of the syslog message. The old format without APP-NAME is deprecated in I, and will be removed in J.
verbose = False	(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).
以下為其余各個段落的說明
[assignment]
dirver	(StrOpt)assignment后端驅動
caching	(BoolOpt)緩存asignment數據，除非啟用全局緩存，否則本選項無效
cache_time	(IntOpt)緩存assignment數據的時間（單位：秒），除非啟用全局緩存，否則本選項無效
list_limit	(IntOpt)返回的assignment集合中數據項的容量
[auth]
methods	(ListOpt)默認的認證方法
password	(StrOpt)Password認證插件模塊
token	(StrOpt)Token認證插件模塊
external	(StrOpt)External(REMOTE_USER)認證插件模塊
[cache]
backend	(StrOpt) Dogpile.cache后端模塊，在生產部署模式中推薦使用dogpile.cache.memcache或dog -pile.cache.redis，小規模負載情況下可以使用dogpile.cache.memory后端
backend_argument	(MultiStrOpt)傳給dogpile.cache后端模塊的參數，參考格式：“名：值“
config_prefix	(StrOpt)為緩沖域建立配置字典時的前綴，除非有相同配置名稱dogpile.cache域，否則本選項不需要更改提供的默認值
debug_cache_backend	(BoolOpt)額外的緩存后端調試，通常為False
enabled	(BoolOpt)全局緩存開關
expiration_time	(IntOpt)dogpile.cache域中的全局緩存時間（單位：秒），適用於任何沒有明確標明緩存時間的非全局緩存項。
proxies	(ListOpt)可以引入的能夠影響dogpile.cache后端工作的代理類，
use_key_mangler	(BoolOpt)使用key-mangling function (如：SHA-1)來確保緩存鍵的長度統一，推薦設為True
[catalog] Keystone提供兩種類型的目錄服務，一種是基於數據庫的，一種是基於文件的，二者使用的驅動不同，不可混用。
template_file = default_catalog.templates	(StrOpt)指定目錄模板文件
driver = keystone.catalog.backends.sql.Catalog	(StrOpt)目錄后端驅動，還有keystone.catalog.backends.templated.Catalog
list_limit = None	(IntOpt)一次返回的目錄集合容量
[credential]
driver	(StrOpt)Credential后端驅動
[database]
sqlite_db	(StrOpt)使用SQLite的文件名
backend	(StrOpt)用於數據庫的后端
connection	(StrOpt)連接至指定數據庫的SQLAlchemy連接字符串
slave_connection
mysql_sql_mode	(StrOpt)MYSQL會話使用的SQL模式，該設置覆寫數據庫服務器處的設置，使用 數據庫服務器自帶的SQL模式，這里置空不填任何值
idle_timeout	(IntOpt)重復空閑sql連接時的間隔
min_pool_size	(IntOpt)連接池的最小規模
max_pool_size	(IntOpt)連接池的最大規模
max_retries	(IntOpt)啟動階段最大數據庫連接重試次數，-1代表無窮次重試
retry_interval	(IntOpt)重試啟動sql連接時的間隔
max_overflow	(IntOpt)與sqlalchemy中的max_overflow相對應
connection_debug	(IntOpt)SQL調試信息的復雜程度，0是什么都不反饋，100是什么都提示
connection_trace	(BoolOpt)將python的棧蹤跡(stack trace)添加到SQL中作為注釋
pool_timeout	(IntOpt)與sqlalchemy中的pool_timeout相對應
use_db_reconnect	(BoolOpt)在連接丟失時啟用實驗性質的數據庫重連
db_retry_interval	(IntOpt)數據庫重連間隔（單位：秒）
db_inc_retry_interval	(BoolOpt)是否啟用數據庫重連增量間隔
db_max_retry_interval	(IntOpt)重連增量間隔的上限
db_max_retries	(IntOpt)最大數據庫連接重試次數（-1為無窮次）
[federation]
assertion_prefix	(StrOpt)從環境中篩選斷言參數時使用的值
driver	(StrOpt)keystone聯盟后端驅動
[identity]
default_domain_id	(StrOpt)所有Identity API v2請求都使用的domain，專為支持v2用戶保留，v3 API無法刪除
domain_config_dir	(StrOpt)下一個選項為True時,keystone用來定位domain-specific的身份配置文件
domain_specific_drivers_enabled	(BoolOpt)是否允許所有domain中的一部分擁有自己的identity驅動
driver	(StrOpt)keystone Identity后端驅動
list_limit	(IntOpt)keystone服務器返回的數據項容量
max_password_length	(IntOpt)用戶密碼長度上限
[kvs]
backends	(ListOpt)額外的dogpile.cache后端模塊
config_prefix	(StrOpt)為KVS域創建配置字典時的前綴，除非有另一個配置名稱相同的dogpile.cache域，否則不推薦修改默認值
default_lock_timeout	(IntOpt)分布式加鎖的超時限制
enable_key_mangler	(BoolOpt)推薦設置為真，同[cache]的use_key_mangler
[memcache]
max_compare_and_set_retry	(IntOpt)使用令牌memcache后端的compare-and-set時進行嘗試的次數
servers	(ListOpt)"host:port"格式的memcache服務器
[oauth1]
access_token_duration	(IntOpt)OAuth訪問令牌的有效期（單位：秒）
driver	(StrOpt)keystone credential后端驅動
request_token_duration	(IntOpt)OAuth請求令牌的有效期（單位：秒）
[os_inherit]
enabled	(BoolOpt)從擁有的domain向項目繼承角色指派可以有選擇的開啟
[revoke]
caching	(BoolOpt)是否開啟緩存撤銷事件，只有在全局緩存開啟后才有效
driver	(StrOpt)為持續的撤銷事件實現的后端驅動
expiration_buffer	(IntOpt)在一個撤銷事件從該后端刪除前，該值（單位：秒）將被增加到token的失效期上
[stats]
driver	(StrOpt) Keystone stats后端驅動
[token]
bind	(ListOpt)需要與令牌綁定的外部認證機制，如kerberos, x.509等
cache_time	(IntOpt)緩存令牌的時間（單位：秒）
caching	(BoolOpt)是否緩存令牌，只有在全局緩存啟用后才有效
driver	(StrOpt)令牌持久存儲后端驅動
enforce_token_bind	(StrOpt)令牌綁定信息提供給keystone的執行策略，可選值有disabled, permissive, strict, required或特別要求綁定的模式，如kerberos, x.509等
expiration	(IntOpt)令牌有效期限（單位：秒）
provider	(StrOpt)控制着令牌的構造，驗證，撤銷等操作，包括pki, uuid等提供者
revocation_cache_time	(IntOpt)緩存撤銷列表的時間（單位：秒）和一旦撤銷擴展被啟用時的撤銷事件。除非全局緩存啟用否則本設置無效
revoke_by_id	(BoolOpt)通過令牌ID撤銷令牌，設置為True時允許多種形式的枚舉令牌。建議只在使用撤銷擴展且后端驅動不是KVS時禁用該選項。
[trust]
driver	(StrOpt)信任后端驅動
enabled	(BoolOpt)是否啟用代理和身份扮演功能
[LDAP]
alias_dereferencing = default	(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.
allow_subtree_delete = False	(BoolOpt) allow deleting subtrees.
chase_referrals = None	(BoolOpt) Override the system's default referral chasing behavior for queries.
dumb_member = cn=dumb,dc=nonexistent	(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.
group_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
group_allow_create = True	(BoolOpt) Allow group creation in LDAP backend.
group_allow_delete = True	(BoolOpt) Allow group deletion in LDAP backend
group_allow_update = True	(BoolOpt) Allow group update in LDAP backend
group_attribute_ignore =	(ListOpt) List of attributes stripped off the group on update.
group_desc_attribute = description	(StrOpt) LDAP attribute mapped to group description
group_filter = None	(StrOpt) LDAP search filter for groups
group_id_attribute = cn	(StrOpt) LDAP attribute mapped to group id.
group_member_attribute = member	(StrOpt) LDAP attribute mapped to show group membership.
group_name_attribute = ou	(StrOpt) LDAP attribute mapped to group name.
group_objectclass = groupOfNames	(StrOpt) LDAP objectClass for groups.
group_tree_dn = None	(StrOpt) Search base for groups.
page_size = 0	(IntOpt) Maximum results per page; a value of zero ("0") disables paging
password = None	(StrOpt) Password for the BindDN to query the LDAP server.
query_scope = one	(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).
role_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute
role_allow_create = True	(BoolOpt) Allow role creation in LDAP backend.
role_allow_delete = True	(BoolOpt) Allow role deletion in LDAP backend.
role_allow_update = True	(BoolOpt) Allow role update in LDAP backend.
role_attribute_ignore =	(ListOpt) List of attributes stripped off the role on update.
role_filter = None	(StrOpt) LDAP search filter for roles.
role_id_attribute = cn	(StrOpt) LDAP attribute mapped to role id.
role_member_attribute = roleOccupant	(StrOpt) LDAP attribute mapped to role membership.
role_name_attribute = ou	(StrOpt) LDAP attribute mapped to role name.
role_objectclass = organizationalRole	(StrOpt) LDAP objectClass for roles.
role_tree_dn = None	(StrOpt) Search base for roles.
suffix = cn=example,cn=com	(StrOpt) LDAP server suffix
tenant_additional_attribute_mapping =	(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
tenant_allow_create = True	(BoolOpt) Allow tenant creation in LDAP backend.
tenant_allow_delete = True	(BoolOpt) Allow tenant deletion in LDAP backend.
tenant_allow_update = True	(BoolOpt) Allow tenant update in LDAP backend.
tenant_attribute_ignore =	(ListOpt) List of attributes stripped off the project on update.
tenant_desc_attribute = description	(StrOpt) LDAP attribute mapped to project description.
tenant_domain_id_attribute = businessCategory	(StrOpt) LDAP attribute mapped to project domain_id.
tenant_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to project enabled
tenant_enabled_emulation = False	(BoolOpt) If True, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "tenant_enabled_emulation_dn" group.
tenant_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.
tenant_filter = None	(StrOpt) LDAP search filter for projects.
tenant_id_attribute = cn	(StrOpt) LDAP attribute mapped to project id.
tenant_member_attribute = member	(StrOpt) LDAP attribute mapped to project membership for user.
tenant_name_attribute = ou	(StrOpt) LDAP attribute mapped to project name.
tenant_objectclass = groupOfNames	(StrOpt) LDAP objectClass for projects.
tenant_tree_dn = None	(StrOpt) Search base for projects
tls_cacertdir = None	(StrOpt) CA certificate directory path for communicating with LDAP servers.
tls_cacertfile = None	(StrOpt) CA certificate file path for communicating with LDAP servers.
tls_req_cert = demand	(StrOpt) valid options for tls_req_cert are demand, never, and allow.
url = ldap://localhost	(StrOpt) URL for connecting to the LDAP server
use_dumb_member = False	(BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
use_tls = False	(BoolOpt) Enable TLS for communicating with LDAP servers.
user = None	(StrOpt) User BindDN to query the LDAP server.
user_additional_attribute_mapping =	(ListOpt) List of additional LDAP attributes used for mapping Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
user_allow_create = True	(BoolOpt) Allow user creation in LDAP backend
user_allow_delete = True	(BoolOpt) Allow user deletion in LDAP backend
user_allow_update = True	(BoolOpt) Allow user updates in LDAP backend
user_attribute_ignore = default_project_id, tenants	(ListOpt) List of attributes stripped off the user on update
user_default_project_id_attribute = None	(StrOpt) LDAP attribute mapped to default_project_id for users.
user_enabled_attribute = enabled	(StrOpt) LDAP attribute mapped to user enabled flag
user_enabled_default = True	(StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses nonboolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True"the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".
user_enabled_emulation = False	(BoolOpt) If True, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" gro
user_enabled_emulation_dn = None	(StrOpt) DN of the group entry to hold enabled users when using enabled emulation.
user_enabled_mask = 0	(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
user_filter = None	(StrOpt) LDAP search filter for users.
user_id_attribute = cn	(StrOpt) LDAP attribute mapped to user id.
user_mail_attribute = email	(StrOpt) LDAP attribute mapped to user email.
user_name_attribute = sn	(StrOpt) LDAP attribute mapped to user name.
user_objectclass = inetOrgPerson	(StrOpt) LDAP objectClass for users.
user_pass_attribute = userPassword	(StrOpt) LDAP attribute mapped to password.
user_tree_dn = None	(StrOpt) Search base for users.