Keystone Ldap

  • OpenStack Charmers
  • Cloud
Channel | Revision | Published | Runs on
latest/edge | 98 | 18 Nov 2024 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 97 | 18 Nov 2024 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 96 | 18 Nov 2024 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 95 | 18 Nov 2024 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 89 | 08 Mar 2024 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 86 | 08 Aug 2023 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 83 | 12 Apr 2023 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
latest/edge | 61 | 01 Jul 2022 | Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04
yoga/stable | 82 | 29 Mar 2023 | Ubuntu 22.04, 20.04
zed/stable | 72 | 23 Jan 2023 | Ubuntu 22.10, 22.04
xena/stable | 79 | 16 Jan 2023 | Ubuntu 20.04
wallaby/stable | 77 | 23 Jan 2023 | Ubuntu 20.04
victoria/stable | 76 | 23 Jan 2023 | Ubuntu 20.04
ussuri/stable | 75 | 23 Jan 2023 | Ubuntu 20.04, 18.04
train/candidate | 73 | 28 Nov 2022 | Ubuntu 18.04
train/edge | 78 | 16 Jan 2023 | Ubuntu 18.04
stein/candidate | 73 | 28 Nov 2022 | Ubuntu 18.04
stein/edge | 78 | 16 Jan 2023 | Ubuntu 18.04
rocky/candidate | 73 | 28 Nov 2022 | Ubuntu 18.04
rocky/edge | 78 | 16 Jan 2023 | Ubuntu 18.04
queens/candidate | 73 | 28 Nov 2022 | Ubuntu 18.04
queens/edge | 78 | 16 Jan 2023 | Ubuntu 18.04
2024.1/candidate | 90 | 24 May 2024 | Ubuntu 23.10, 23.04, 22.04
2024.1/candidate | 86 | 24 Jan 2024 | Ubuntu 23.10, 23.04, 22.04
2023.2/stable | 87 | 30 Nov 2023 | Ubuntu 23.10, 22.04
2023.1/stable | 85 | 14 Jun 2023 | Ubuntu 23.04, 22.10, 22.04
juju deploy keystone-ldap --channel yoga/stable
Platform: Ubuntu 24.04, 23.10, 23.04, 22.10, 22.04, 20.04, 18.04

Configurations

  • domain-name | string

    Name of the keystone domain to configure; defaults to the deployed application name.

  • ldap-config-flags | string

    Additional LDAP configuration options. For simple configurations use a comma separated string of key=value pairs:

    "user_allow_create=False, user_allow_update=False, user_allow_delete=False"

    For more complex configurations use a JSON-like string with double quotes and braces around all the options and single quotes around complex values:

    "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}"

    See the README for more details.

    Note: The explicitly defined ldap-* charm config options take precedence over the same LDAP config option also specified in ldap-config-flags.

    For example, if the LDAP config query_scope is defined in ldap-query-scope as 'one' and in ldap-config-flags as "{query_scope: 'sub'}" then the config query_scope is set to 'one'.
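The two ldap-config-flags syntaxes and the precedence rule above, as an added example that is not the charm's own code. The parser accepts both the comma separated key=value form and the JSON-like form (including quoted values that themselves contain commas, such as a DN), keeps every value as a string as it would be written into keystone.conf, and then lets explicitly set ldap-* charm options win over the same key in ldap-config-flags. The mapping from charm option names to keystone.conf keys in EXPLICIT_OPTIONS is an assumption for illustration; only query_scope <-> ldap-query-scope is taken from the page.

```python
# Added example, not the keystone-ldap charm's code. Parses both
# ldap-config-flags syntaxes and applies the documented precedence rule.


def _split_top_level(text, sep=","):
    """Split on `sep`, ignoring separators inside single or double quotes."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_ldap_config_flags(flags):
    """Return {keystone_key: value} from either syntax; values stay strings."""
    flags = (flags or "").strip()
    if not flags:
        return {}
    if flags.startswith("{") and flags.endswith("}"):
        body, kv_sep = flags[1:-1], ":"   # JSON-like form: key: value
    else:
        body, kv_sep = flags, "="         # simple form: key=value
    result = {}
    for item in _split_top_level(body):
        if kv_sep not in item:
            raise ValueError("malformed ldap-config-flags entry: %r" % item)
        key, value = item.split(kv_sep, 1)
        key, value = key.strip().strip("'\""), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]           # unwrap a quoted complex value
        result[key] = value
    return result


# ASSUMED mapping of explicit charm options to keystone.conf [ldap] keys;
# only the query_scope entry is documented on the page.
EXPLICIT_OPTIONS = {
    "ldap-query-scope": "query_scope",
    "ldap-user-tree-dn": "user_tree_dn",
    "ldap-user-filter": "user_filter",
    "ldap-user-objectclass": "user_objectclass",
    "ldap-group-tree-dn": "group_tree_dn",
}


def effective_ldap_settings(charm_config):
    """Merge ldap-config-flags with explicit options; explicit options win.

    Returns (settings, overridden) where `overridden` lists keys that were
    present in ldap-config-flags but replaced by an explicit option, which is
    worth surfacing in charm status or logs so operators notice the conflict.
    """
    settings = parse_ldap_config_flags(charm_config.get("ldap-config-flags"))
    overridden = []
    for charm_key, ks_key in EXPLICIT_OPTIONS.items():
        value = charm_config.get(charm_key)
        if value in (None, ""):
            continue
        if ks_key in settings and settings[ks_key] != str(value):
            overridden.append(ks_key)
        settings[ks_key] = str(value)
    return settings, overridden


if __name__ == "__main__":
    # Constructed sample charm config reproducing the precedence example above.
    sample = {
        "ldap-query-scope": "one",
        "ldap-config-flags": "{query_scope: 'sub', "
                             "user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', "
                             "user_allow_create: False}",
    }
    print(effective_ldap_settings(sample))
```

Running the sample yields query_scope set to 'one' with 'query_scope' reported as overridden, matching the behaviour described for ldap-query-scope versus ldap-config-flags.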

  • ldap-group-id-attribute | string

    This option sets the LDAP attribute mapped to group IDs in keystone.

  • ldap-group-member-attribute | string

    This option sets the LDAP attribute that indicates that a user is a member of the group.

  • ldap-group-members-are-ids | boolean

    Enable this option if the members of the group object class are keystone user IDs rather than LDAP DNs.

  • ldap-group-name-attribute | string

    This option sets the LDAP attribute mapped to group names in keystone.

  • ldap-group-objectclass | string

    This option sets the LDAP object class for groups.

  • ldap-group-tree-dn | string

    This option sets the search base to use for the groups.

  • ldap-password | string

    Password of the LDAP identity server. For anonymous binding, leave ldap-user and ldap-password empty.

  • ldap-pool-connection-timeout | int

    The connection timeout to use when pooling LDAP connections. A value of -1 means the connection will never time out.

  • ldap-pool-retry-max | int

    This option sets the maximum number of retry attempts to connect to the LDAP server before aborting.

  • ldap-pool-size | int

    This option sets the size of the LDAP connection pool.

  • ldap-query-scope | string

    This option sets the LDAP search scope (for example 'one' or 'sub') used when querying the LDAP server.

  • ldap-readonly | boolean

    Default: True

    Treat the LDAP identity backend as read-only from keystone.

  • ldap-server | string

    LDAP server URL for keystone LDAP identity backend.

    Examples:

    ldap://10.10.10.10/
    ldaps://10.10.10.10/
    ldap://example.com:389,ldaps://ldaps.example.com:636
    ldap://active-directory-host.com:3268/
    ldaps://active-directory-host.com:3269/

    An ldap:// URL will result in mandatory StartTLS usage if either the charm's tls-ca-ldap option has been specified or if the 'certificates' relation is present.

  • ldap-suffix | string

    LDAP server suffix to be used by keystone.

  • ldap-use-pool | boolean

    This option enables LDAP connection pooling.

  • ldap-user | string

    Username (Distinguished Name) used to bind to LDAP identity server. For anonymous binding, leave ldap-user and ldap-password empty.

    Example: cn=admin,dc=test,dc=com

  • ldap-user-enabled-attribute | string

    This option sets the LDAP attribute mapped to the user enabled attribute in keystone.

  • ldap-user-enabled-default | string

    The default value used to enable users. LDAP servers can use either a boolean or a bit in the user enabled attribute to indicate whether a user is enabled or disabled. If the LDAP schema uses a boolean, the appropriate value for this option is 'True' or 'False'. If the schema uses a bit, this option should be the integer value that matches ldap-user-enabled-mask. Note that the integer value must be specified as a string in quotes. This option is typically used when ldap-user-enabled-attribute is set to 'userAccountControl'.

    Example: configuration options for an LDAP schema that uses userAccountControl as the control attribute and bit 1 of that attribute to indicate enablement:

    ldap-user-enabled-attribute = "userAccountControl"
    ldap-user-enabled-mask = 2
    ldap-user-enabled-default = "512"

    ldap-user-enabled-default should be set to the integer value that represents an enabled user. For Active Directory, 512 represents a Normal Account.

    For more information on how to set up those config options, please refer to the OpenStack docs on Keystone and LDAP integration at https://docs.openstack.org/keystone/latest/admin/configuration.html#integrate-identity-back-end-with-ldap
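How the mask, default and invert options combine, as an added example that is neither the charm's nor keystone's code. It evaluates the enabled state of a user from the raw attribute value, computes the value that would be written back for an enabled or disabled user in mask mode (only relevant when ldap-readonly is False), and checks the option pair against the rules stated above (default must be a quoted string, must parse as an integer in mask mode, and must represent an enabled user). The bit semantics assumed are Active Directory's: bit 0x2 of userAccountControl is ACCOUNTDISABLE and 512 is NORMAL_ACCOUNT, so 514 is a disabled normal account.

```python
# Added example, not the charm's or keystone's code: decision logic for the
# ldap-user-enabled-mask / ldap-user-enabled-default / ldap-user-enabled-invert
# option set, using Active Directory's userAccountControl bit layout.

AD_ACCOUNTDISABLE = 0x0002  # typical ldap-user-enabled-mask value
AD_NORMAL_ACCOUNT = 0x0200  # 512, typical ldap-user-enabled-default value


def user_is_enabled(attr_value, enabled_mask=0, enabled_default="True",
                    enabled_invert=False):
    """Decide whether a user is enabled.

    attr_value is the raw string read from ldap-user-enabled-attribute, or
    None when the attribute is absent (the default then applies).
    """
    raw = attr_value if attr_value is not None else enabled_default
    if enabled_mask:
        # Mask mode: enabled unless every mask bit is set (for a single-bit
        # mask, enabled when that bit is clear). ldap-user-enabled-invert is
        # ignored here, as the option description states.
        return (int(raw) & enabled_mask) != enabled_mask
    # Boolean mode: the attribute holds a boolean, optionally inverted.
    enabled = str(raw).strip().lower() == "true"
    return (not enabled) if enabled_invert else enabled


def enabled_attr_value(enabled, enabled_mask, enabled_default):
    """Value to store in the control attribute in mask mode (writable backends only)."""
    base = int(enabled_default)
    return base if enabled else base | enabled_mask


def validate_enabled_options(enabled_mask, enabled_default):
    """Return a list of configuration problems; empty means the pair is consistent."""
    problems = []
    if enabled_mask:
        if not isinstance(enabled_default, str):
            problems.append('ldap-user-enabled-default must be a quoted string, e.g. "512"')
            return problems
        try:
            default = int(enabled_default)
        except ValueError:
            problems.append("ldap-user-enabled-default must be an integer string in mask mode")
            return problems
        if default & enabled_mask:
            problems.append("ldap-user-enabled-default has the mask bit set, so the "
                            "default would represent a disabled user")
    elif str(enabled_default) not in ("True", "False"):
        problems.append("ldap-user-enabled-default must be 'True' or 'False' in boolean mode")
    return problems


if __name__ == "__main__":
    # Constructed values: a normal AD account (512) and the same account disabled (514).
    for value in ("512", "514", None):
        print(value, user_is_enabled(value, AD_ACCOUNTDISABLE, "512"))
    print(validate_enabled_options(AD_ACCOUNTDISABLE, "514"))
```

Note that a value such as 66048 (NORMAL_ACCOUNT with the password-never-expires bit) is still reported as enabled, since only the mask bit is examined; this is why the mask, not equality with the default, decides the state.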

  • ldap-user-enabled-emulation | boolean

    If enabled, keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the group defined by the ldap-user-enabled-emulation-dn option.

  • ldap-user-enabled-emulation-dn | string

    DN of the group entry to hold enabled users when using enabled emulation. Setting this option has no effect when ldap-user-enabled-emulation is False.

  • ldap-user-enabled-invert | boolean

    Setting this option to True allows LDAP servers to use lock attributes. This option has no effect when ldap-user-enabled-mask or ldap-user-enabled-emulation are in use.

  • ldap-user-enabled-mask | int

    Bitmask integer to select which bit indicates the enabled value if the LDAP server represents enabled as a bit on an integer rather than as a discrete boolean. If the option is set to 0, the mask is not used. This option is typically used when ldap-user-enabled-attribute is set to 'userAccountControl'.

  • ldap-user-filter | string

    This option sets the LDAP search filter to use for the users.

  • ldap-user-id-attribute | string

    This option sets the LDAP attribute mapped to User IDs in keystone.

  • ldap-user-name-attribute | string

    This option sets the LDAP attribute mapped to User names in keystone.

  • ldap-user-objectclass | string

    This option sets the LDAP object class for users.

  • ldap-user-tree-dn | string

    This option sets the search base to use for the users.

  • tls-ca-ldap | string

    This option controls which certificate (or chain) is used to connect to the LDAP server(s) over TLS. The certificate contents can either be given directly or included via include-file://. Note that both ldaps and StartTLS are valid methods of using TLS with LDAP (see RFC 4513); StartTLS uses a non-ldaps URL but still requires a CA certificate.
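The transport rule stated for ldap-server and tls-ca-ldap, as an added example that is not the charm's code: for each URL in a comma separated ldap-server value it reports whether keystone will use ldaps, StartTLS (an ldap:// URL with tls-ca-ldap set or the 'certificates' relation present) or plaintext, and lists what an operator should check before deploying. tls-ca-ldap is treated as opaque text here, whether it holds the certificate directly or an include-file:// reference; the sample URLs and certificate text are constructed.

```python
# Added example, not the keystone-ldap charm's code. Classifies ldap-server
# URLs by the transport that results from the tls-ca-ldap option and the
# 'certificates' relation, and flags configurations worth a second look.

from urllib.parse import urlsplit


def ldap_transport_plan(ldap_server, tls_ca_ldap="", certificates_relation=False):
    """Return ([(url, mode)], [warnings]); mode is 'ldaps', 'starttls' or 'plaintext'."""
    tls_available = bool(tls_ca_ldap.strip()) or certificates_relation
    plan, warnings = [], []
    for url in (u.strip() for u in ldap_server.split(",") if u.strip()):
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldaps":
            mode = "ldaps"
            if not tls_available:
                warnings.append("%s: ldaps with neither tls-ca-ldap nor the certificates "
                                "relation; confirm how the server certificate is verified" % url)
        elif scheme == "ldap":
            # ldap:// becomes mandatory StartTLS only when a CA source exists.
            mode = "starttls" if tls_available else "plaintext"
            if mode == "plaintext":
                warnings.append("%s: bind credentials and directory data would cross the "
                                "network unencrypted; set tls-ca-ldap or relate certificates" % url)
        else:
            raise ValueError("unsupported LDAP URL scheme in %r" % url)
        plan.append((url, mode))
    return plan, warnings


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the ldap-server description.
    print(ldap_transport_plan("ldap://example.com:389,ldaps://ldaps.example.com:636"))
    print(ldap_transport_plan("ldap://10.10.10.10/", certificates_relation=True))
```

A mixed list such as ldap://example.com:389,ldaps://ldaps.example.com:636 with no CA configured yields one plaintext and one ldaps entry; adding tls-ca-ldap turns the ldap:// entry into StartTLS and clears both warnings.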