<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hello,</div>
<div> </div>
<div><u>Summary:</u></div>
<div> </div>
<div>I am attempting to configure the Keystone H-2 release to use an Enterprise Directory as the Identity backend and SQL as the Assignment backend (without TLS for now). I first installed Keystone H-2 on an Ubuntu VM server and got it up and running using
a local SQL database for both the Identity and Assignment backends. I then changed the [identity] section to use “driver = keystone.identity.backends.ldap.Identity” and attempted to set many of the variables in the [ldap] section of keystone.conf.
I did not expect it to work right off the bat, but I am getting no error information in the keystone.log file, so I am trying to figure out how to debug what is failing. I also have tcpdump running, and it is not recording any requests for the LDAP port:</div>
<div> </div>
<div> tcpdump -i eth0 host ldap.mycompany.com -vv</div>
<div> </div>
<div><u>Details:</u></div>
<div> </div>
<div><u>The following non-secure Python test code works to test the LDAP server connection:</u></div>
<div> </div>
<div style="padding-left:36pt;"><pre>
import sys
import ldap
import ldap.filter

host = 'ldap://ldap.mycompany.com:389'
base = 'o=mycompany.com'
scope = ldap.SCOPE_SUBTREE


def get_user_public_data(userEmail):
    """Anonymous (unauthenticated, unencrypted) subtree search for one user by uid."""
    ldap_client = None

    try:
        attrs = ['cn', 'mail', 'uid']

        ldap_client = ldap.initialize(host)
        # Escape the value so a crafted e-mail address cannot alter the filter.
        search_filter = '(uid=%s)' % ldap.filter.escape_filter_chars(userEmail)
        r = ldap_client.search_s(base, scope, search_filter, attrs)

        for dn, entry in r:
            print('dn= %r' % dn)

            for k in entry.keys():
                print('\t%s = %s' % (k, entry[k]))

        return "LDAP get public data completed"

    except ldap.INVALID_CREDENTIALS as errMsg:
        return 'Wrong username or password. Error: %s' % errMsg
    except ldap.SERVER_DOWN as errMsg:
        return 'AD server not available. Error: %s' % errMsg
    except ldap.LDAPError as errMsg:
        return "Couldn't Connect. Error: %s" % errMsg
    finally:
        # Close the (anonymous) connection; ignore errors if the server already went away.
        if ldap_client is not None:
            try:
                ldap_client.unbind_s()
            except ldap.LDAPError:
                pass


print('get_user_public_data: ' + get_user_public_data('mark.m.miller@mycompany.com'))

sys.exit(0)
</pre></div>
<div style="padding-left:36pt;"> </div>
<div><u>The following secure Python test code also works:</u></div>
<div> </div>
<div style="padding-left:36pt;"><pre>
import sys
import ldap
import ldap.filter
import getpass

host = 'ldaps://ldap.mycompany.com:636'
base = 'o=mycompany.com'
scope = ldap.SCOPE_SUBTREE

binduser = "cn=KeystoneDevUser, ou=Applications, o=mycompany.com"
bindpw = "secretword;"


def get_user_public_data(userEmail):
    """Authenticated subtree search over LDAPS for one user by uid."""
    ldapBound = False

    try:
        # build a client
        # With OPT_X_TLS_REQUIRE_CERT left unset, certificate checking falls back to
        # the libldap default (TLS_REQCERT in ldap.conf, 'demand' unless overridden).
        # ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "d:/etc/ssl/certs/hpca2ssG2_ns.cer")
        # ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

        ldap_client = ldap.initialize(host)
        ldap_client.protocol_version = ldap.VERSION3

        # perform a synchronous bind
        ldap_client.simple_bind_s(binduser, bindpw)
        ldapBound = True

        # Escape the value so a crafted e-mail address cannot alter the filter.
        search_filter = '(uid=%s)' % ldap.filter.escape_filter_chars(userEmail)
        attrs = ['cn', 'mail', 'uid', 'employeeStatus']

        r = ldap_client.search_s(base, scope, search_filter, attrs)

        for dn, entry in r:
            print('dn= %r' % dn)

            for k in entry.keys():
                print('\t%s = %s' % (k, entry[k]))

        return "LDAP get public data completed"

    except ldap.INVALID_CREDENTIALS as errMsg:
        return 'Wrong username or password. Error: %s' % errMsg
    except ldap.SERVER_DOWN as errMsg:
        return 'AD server not available. Error: %s' % errMsg
    except ldap.LDAPError as errMsg:
        return "Couldn't Connect. Error: %s" % errMsg
    finally:
        if ldapBound:
            ldap_client.unbind_s()


print('get_user_public_data: ' + get_user_public_data('mark.m.miller@mycompany.com'))

sys.exit(0)
</pre></div>
<div style="padding-left:36pt;"> </div>
<div><u>Here is my keystone.conf file:</u></div>
<div> </div>
<div style="padding-left:36pt;">[DEFAULT]</div>
<div style="padding-left:36pt;"># A "shared secret" between keystone and other openstack services</div>
<div style="padding-left:36pt;">admin_token = 012345SECRET99TOKEN012345</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The IP address of the network interface to listen on</div>
<div style="padding-left:36pt;">bind_host = 0.0.0.0</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The port number which the public service listens on</div>
<div style="padding-left:36pt;">public_port = 5000</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The port number which the public admin listens on</div>
<div style="padding-left:36pt;">admin_port = 35357</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The base endpoint URLs for keystone that are advertised to clients</div>
<div style="padding-left:36pt;"># (NOTE: this does NOT affect how keystone listens for connections)</div>
<div style="padding-left:36pt;">public_endpoint = http://localhost:%(public_port)s/</div>
<div style="padding-left:36pt;">admin_endpoint = http://localhost:%(admin_port)s/</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The port number which the OpenStack Compute service listens on</div>
<div style="padding-left:36pt;">compute_port = 8774</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Path to your policy definition containing identity actions</div>
<div style="padding-left:36pt;">policy_file = policy.json</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Rule to check if no matching policy definition is found</div>
<div style="padding-left:36pt;"># FIXME(dolph): This should really be defined as [policy] default_rule</div>
<div style="padding-left:36pt;">policy_default_rule = admin_required</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Role for migrating membership relationships</div>
<div style="padding-left:36pt;"># During a SQL upgrade, the following values will be used to create a new role</div>
<div style="padding-left:36pt;"># that will replace records in the user_tenant_membership table with explicit</div>
<div style="padding-left:36pt;"># role grants. After migration, the member_role_id will be used in the API</div>
<div style="padding-left:36pt;"># add_user_to_project, and member_role_name will be ignored.</div>
<div style="padding-left:36pt;">member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab</div>
<div style="padding-left:36pt;">member_role_name = _member_</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)</div>
<div style="padding-left:36pt;">max_request_body_size = 114688</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># limit the sizes of user & tenant ID/names</div>
<div style="padding-left:36pt;">max_param_size = 64</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># similar to max_param_size, but provides an exception for token values</div>
<div style="padding-left:36pt;"># max_token_size = 8192</div>
<div style="padding-left:36pt;">max_token_size = 32768</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># === Logging Options ===</div>
<div style="padding-left:36pt;"># Print debugging output</div>
<div style="padding-left:36pt;"># (includes plaintext request logging, potentially including passwords)</div>
<div style="padding-left:36pt;">debug = True</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Print more verbose output</div>
<div style="padding-left:36pt;">verbose = True</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Name of log file to output to. If not set, logging will go to stdout.</div>
<div style="padding-left:36pt;">log_file = keystone.log</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The directory to keep log files in (will be prepended to --logfile)</div>
<div style="padding-left:36pt;">log_dir = /var/log/keystone</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Use syslog for logging.</div>
<div style="padding-left:36pt;">use_syslog = False</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># syslog facility to receive log lines</div>
<div style="padding-left:36pt;"># syslog_log_facility = LOG_USER</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># If this option is specified, the logging configuration file specified is</div>
<div style="padding-left:36pt;"># used and overrides any other logging options specified. Please see the</div>
<div style="padding-left:36pt;"># Python logging module documentation for details on logging configuration</div>
<div style="padding-left:36pt;"># files.</div>
<div style="padding-left:36pt;"># log_config = logging.conf</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># A logging.Formatter log message format string which may use any of the</div>
<div style="padding-left:36pt;"># available logging.LogRecord attributes.</div>
<div style="padding-left:36pt;">log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Format string for %(asctime)s in log records.</div>
<div style="padding-left:36pt;">log_date_format = %Y-%m-%d %H:%M:%S</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># onready allows you to send a notification when the process is ready to serve</div>
<div style="padding-left:36pt;"># For example, to have it notify using systemd, one could set shell command:</div>
<div style="padding-left:36pt;"># onready = systemd-notify --ready</div>
<div style="padding-left:36pt;"># or a module with notify() method:</div>
<div style="padding-left:36pt;"># onready = keystone.common.systemd</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[sql]</div>
<div style="padding-left:36pt;"># The SQLAlchemy connection string used to connect to the database</div>
<div style="padding-left:36pt;"># connection = sqlite:///keystone.db</div>
<div style="padding-left:36pt;">connection = mysql://keystonedbadmin:password@15.253.58.141/keystone</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># the timeout before idle sql connections are reaped</div>
<div style="padding-left:36pt;">idle_timeout = 200</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[identity]</div>
<div style="padding-left:36pt;">driver = keystone.identity.backends.ldap.Identity</div>
<div style="padding-left:36pt;"># driver = keystone.identity.backends.sql.Identity</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># This references the domain to use for all Identity API v2 requests (which are</div>
<div style="padding-left:36pt;"># not aware of domains). A domain with this ID will be created for you by</div>
<div style="padding-left:36pt;"># keystone-manage db_sync in migration 008. The domain referenced by this ID</div>
<div style="padding-left:36pt;"># cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.</div>
<div style="padding-left:36pt;"># There is nothing special about this domain, other than the fact that it must</div>
<div style="padding-left:36pt;"># exist to order to maintain support for your v2 clients.</div>
<div style="padding-left:36pt;">default_domain_id = default</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[credential]</div>
<div style="padding-left:36pt;">driver = keystone.credential.backends.sql.Credential</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[trust]</div>
<div style="padding-left:36pt;"># driver = keystone.trust.backends.sql.Trust</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># delegation and impersonation features can be optionally disabled</div>
<div style="padding-left:36pt;"># enabled = True</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[os_inherit]</div>
<div style="padding-left:36pt;"># role-assignment inheritance to projects from owning domain can be</div>
<div style="padding-left:36pt;"># optionally enabled</div>
<div style="padding-left:36pt;"># enabled = False</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[catalog]</div>
<div style="padding-left:36pt;"># dynamic, sql-based backend (supports API/CLI-based management commands)</div>
<div style="padding-left:36pt;">driver = keystone.catalog.backends.sql.Catalog</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># static, file-based backend (does *NOT* support any management commands)</div>
<div style="padding-left:36pt;"># driver = keystone.catalog.backends.templated.TemplatedCatalog</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">template_file = default_catalog.templates</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[token]</div>
<div style="padding-left:36pt;"># Provides token persistence.</div>
<div style="padding-left:36pt;">driver = keystone.token.backends.sql.Token</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Controls the token construction, validation, and revocation operations.</div>
<div style="padding-left:36pt;"># provider = keystone.token.providers.pki.Provider</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Amount of time a token should remain valid (in seconds)</div>
<div style="padding-left:36pt;">expiration = 999986400</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># External auth mechanisms that should add bind information to token.</div>
<div style="padding-left:36pt;"># eg kerberos, x509</div>
<div style="padding-left:36pt;"># bind =</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Enforcement policy on tokens presented to keystone with bind information.</div>
<div style="padding-left:36pt;"># One of disabled, permissive, strict, required or a specifically required bind</div>
<div style="padding-left:36pt;"># mode e.g. kerberos or x509 to require binding to that authentication.</div>
<div style="padding-left:36pt;"># enforce_token_bind = permissive</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[policy]</div>
<div style="padding-left:36pt;">driver = keystone.policy.backends.sql.Policy</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[ec2]</div>
<div style="padding-left:36pt;">driver = keystone.contrib.ec2.backends.kvs.Ec2</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[assignment]</div>
<div style="padding-left:36pt;">driver = keystone.assignment.backends.sql.Assignment</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[ssl]</div>
<div style="padding-left:36pt;">#enable = True</div>
<div style="padding-left:36pt;">enable = False</div>
<div style="padding-left:36pt;">#certfile = /etc/keystone/pki/certs/ssl_cert.pem</div>
<div style="padding-left:36pt;">#keyfile = /etc/keystone/pki/private/ssl_key.pem</div>
<div style="padding-left:36pt;">#ca_certs = /etc/keystone/pki/certs/cacert.pem</div>
<div style="padding-left:36pt;">#ca_key = /etc/keystone/pki/private/cakey.pem</div>
<div style="padding-left:36pt;">#key_size = 1024</div>
<div style="padding-left:36pt;">#valid_days = 3650</div>
<div style="padding-left:36pt;">#ca_password = None</div>
<div style="padding-left:36pt;">#cert_required = False</div>
<div style="padding-left:36pt;">#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[signing]</div>
<div style="padding-left:36pt;"># Deprecated in favor of provider in the [token] section</div>
<div style="padding-left:36pt;">token_format = UUID</div>
<div style="padding-left:36pt;">#token_format = PKI</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">#certfile = /etc/keystone/pki/certs/signing_cert.pem</div>
<div style="padding-left:36pt;">#keyfile = /etc/keystone/pki/private/signing_key.pem</div>
<div style="padding-left:36pt;">#ca_certs = /etc/keystone/pki/certs/cacert.pem</div>
<div style="padding-left:36pt;">#ca_key = /etc/keystone/pki/private/cakey.pem</div>
<div style="padding-left:36pt;">#key_size = 2048</div>
<div style="padding-left:36pt;">#valid_days = 3650</div>
<div style="padding-left:36pt;">#ca_password = None</div>
<div style="padding-left:36pt;">#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[ldap]</div>
<div style="padding-left:36pt;">url = "ldap://ldap.mycompany.com:389"</div>
<div style="padding-left:36pt;"># url = "ldaps://ldap.mycompany.com:636"</div>
<div style="padding-left:36pt;">user = "cn=KeystoneDevUser, ou=Applications, o=mycompany.com"</div>
<div style="padding-left:36pt;">password = "secretword;"</div>
<div style="padding-left:36pt;">suffix = "o=mycompany.com"</div>
<div style="padding-left:36pt;"># suffix = cn=example,cn=com</div>
<div style="padding-left:36pt;">use_dumb_member = False</div>
<div style="padding-left:36pt;">allow_subtree_delete = False</div>
<div style="padding-left:36pt;"># dumb_member = cn=dumb,dc=example,dc=com</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Maximum results per page; a value of zero ('0') disables paging (default)</div>
<div style="padding-left:36pt;">page_size = 0</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The LDAP dereferencing option for queries. This can be either 'never',</div>
<div style="padding-left:36pt;"># 'searching', 'always', 'finding' or 'default'. The 'default' option falls</div>
<div style="padding-left:36pt;"># back to using default dereferencing configured by your ldap.conf.</div>
<div style="padding-left:36pt;"># alias_dereferencing = default</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># The LDAP scope for queries, this can be either 'one'</div>
<div style="padding-left:36pt;"># (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)</div>
<div style="padding-left:36pt;"># query_scope = one</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># user_tree_dn = ou=Users,dc=example,dc=com</div>
<div style="padding-left:36pt;">user_tree_dn = ou=People,o=mycompany.com</div>
<div style="padding-left:36pt;"># user_filter =</div>
<div style="padding-left:36pt;">user_objectclass = People</div>
<div style="padding-left:36pt;"># user_domain_id_attribute = businessCategory</div>
<div style="padding-left:36pt;"># user_id_attribute = cn</div>
<div style="padding-left:36pt;">user_id_attribute = uid</div>
<div style="padding-left:36pt;">user_name_attribute = cn</div>
<div style="padding-left:36pt;">user_mail_attribute = mail</div>
<div style="padding-left:36pt;">user_pass_attribute = userPassword</div>
<div style="padding-left:36pt;">user_enabled_attribute = employeeStatus</div>
<div style="padding-left:36pt;"># user_enabled_mask = 0</div>
<div style="padding-left:36pt;">user_enabled_default = "Active"</div>
<div style="padding-left:36pt;">user_attribute_ignore = tenant_id,tenants</div>
<div style="padding-left:36pt;">user_allow_create = False</div>
<div style="padding-left:36pt;">user_allow_update = False</div>
<div style="padding-left:36pt;">user_allow_delete = False</div>
<div style="padding-left:36pt;">user_enabled_emulation = False</div>
<div style="padding-left:36pt;"># user_enabled_emulation_dn =</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># tenant_tree_dn = ou=Projects,dc=example,dc=com</div>
<div style="padding-left:36pt;"># tenant_filter =</div>
<div style="padding-left:36pt;"># tenant_objectclass = groupOfNames</div>
<div style="padding-left:36pt;"># tenant_domain_id_attribute = businessCategory</div>
<div style="padding-left:36pt;"># tenant_id_attribute = cn</div>
<div style="padding-left:36pt;"># tenant_member_attribute = member</div>
<div style="padding-left:36pt;"># tenant_name_attribute = ou</div>
<div style="padding-left:36pt;"># tenant_desc_attribute = desc</div>
<div style="padding-left:36pt;"># tenant_enabled_attribute = enabled</div>
<div style="padding-left:36pt;"># tenant_attribute_ignore =</div>
<div style="padding-left:36pt;"># tenant_allow_create = True</div>
<div style="padding-left:36pt;"># tenant_allow_update = True</div>
<div style="padding-left:36pt;"># tenant_allow_delete = True</div>
<div style="padding-left:36pt;"># tenant_enabled_emulation = False</div>
<div style="padding-left:36pt;"># tenant_enabled_emulation_dn =</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># role_tree_dn = ou=Roles,dc=example,dc=com</div>
<div style="padding-left:36pt;"># role_filter =</div>
<div style="padding-left:36pt;"># role_objectclass = organizationalRole</div>
<div style="padding-left:36pt;"># role_id_attribute = cn</div>
<div style="padding-left:36pt;"># role_name_attribute = ou</div>
<div style="padding-left:36pt;"># role_member_attribute = roleOccupant</div>
<div style="padding-left:36pt;"># role_attribute_ignore =</div>
<div style="padding-left:36pt;"># role_allow_create = True</div>
<div style="padding-left:36pt;"># role_allow_update = True</div>
<div style="padding-left:36pt;"># role_allow_delete = True</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># group_tree_dn =</div>
<div style="padding-left:36pt;"># group_filter =</div>
<div style="padding-left:36pt;"># group_objectclass = groupOfNames</div>
<div style="padding-left:36pt;"># group_id_attribute = cn</div>
<div style="padding-left:36pt;"># group_name_attribute = ou</div>
<div style="padding-left:36pt;"># group_member_attribute = member</div>
<div style="padding-left:36pt;"># group_desc_attribute = desc</div>
<div style="padding-left:36pt;"># group_attribute_ignore =</div>
<div style="padding-left:36pt;"># group_allow_create = True</div>
<div style="padding-left:36pt;"># group_allow_update = True</div>
<div style="padding-left:36pt;"># group_allow_delete = True</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># ldap TLS options</div>
<div style="padding-left:36pt;"># if both tls_cacertfile and tls_cacertdir are set then</div>
<div style="padding-left:36pt;"># tls_cacertfile will be used and tls_cacertdir is ignored</div>
<div style="padding-left:36pt;"># valid options for tls_req_cert are demand, never, and allow</div>
<div style="padding-left:36pt;">use_tls = False</div>
<div style="padding-left:36pt;"># tls_cacertfile =</div>
<div style="padding-left:36pt;">tls_cacertdir =</div>
<div style="padding-left:36pt;"># tls_req_cert = demand</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;"># Additional attribute mappings can be used to map ldap attributes to internal</div>
<div style="padding-left:36pt;"># keystone attributes. This allows keystone to fulfill ldap objectclass</div>
<div style="padding-left:36pt;"># requirements. An example to map the description and gecos attributes to a</div>
<div style="padding-left:36pt;"># user's name would be:</div>
<div style="padding-left:36pt;"># user_additional_attribute_mapping = description:name, gecos:name</div>
<div style="padding-left:36pt;">#</div>
<div style="padding-left:36pt;"># domain_additional_attribute_mapping =</div>
<div style="padding-left:36pt;"># group_additional_attribute_mapping =</div>
<div style="padding-left:36pt;"># role_additional_attribute_mapping =</div>
<div style="padding-left:36pt;"># project_additional_attribute_mapping =</div>
<div style="padding-left:36pt;"># user_additional_attribute_mapping =</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[auth]</div>
<div style="padding-left:36pt;">methods = external,password,token</div>
<div style="padding-left:36pt;">#external = keystone.auth.plugins.external.ExternalDefault</div>
<div style="padding-left:36pt;">password = keystone.auth.plugins.password.Password</div>
<div style="padding-left:36pt;">token = keystone.auth.plugins.token.Token</div>
<div style="padding-left:36pt;"> </div>
<div style="padding-left:36pt;">[paste_deploy]</div>
<div style="padding-left:36pt;"># Name of the paste configuration file that defines the available pipelines</div>
<div style="padding-left:36pt;">config_file = keystone-paste.ini</div>
<div style="padding-left:36pt;"> </div>
<div><u>Keystone.log file contents:</u></div>
<div> </div>
<div> Simply restates the keystone.conf file contents.</div>
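<div> </div>
<div><u>Added example: a pre-flight check for the posted keystone.conf (not part of the original message, not Keystone's own code)</u></div>
<div> </div>
<div>The script below is an added example; it is not code from the message above and not Keystone's own code. It reads the posted keystone.conf with the standard-library configparser, strips one pair of surrounding quotes from values such as <code>url = "ldap://..."</code> (whether Keystone's own parser does the same is an assumption to verify, so the script flags every quoted value), reports the settings a security reviewer would question (a plaintext <code>ldap://</code> URL with a simple bind, <code>tls_req_cert</code> other than the documented default <code>demand</code>, no CA file or directory pinned, <code>debug = True</code>, and the 999986400-second token lifetime), and builds the user-by-id lookup in the shape the LDAP identity backend is assumed to issue (<code>user_id_attribute</code>, <code>user_filter</code>, <code>objectClass</code>, searched with <code>query_scope</code> under <code>user_tree_dn</code>), printed as an equivalent <code>ldapsearch</code> command so the exact query can be tried outside Keystone. <code>SAMPLE_CONF</code> is constructed from the message; the filter shape and the defaults used when a key is absent are assumptions, not copied from Keystone's source.</div>

```python
"""Pre-flight checks for the [ldap] section of a keystone.conf (added example, not Keystone code)."""
import shlex
from configparser import RawConfigParser

# Constructed sample: the relevant keys from the keystone.conf posted in the message.
SAMPLE_CONF = """\
[DEFAULT]
debug = True
[token]
expiration = 999986400
[ldap]
url = "ldap://ldap.mycompany.com:389"
user = "cn=KeystoneDevUser, ou=Applications, o=mycompany.com"
password = "secretword;"
suffix = "o=mycompany.com"
user_tree_dn = ou=People,o=mycompany.com
user_objectclass = People
user_id_attribute = uid
use_tls = False
tls_cacertdir =
"""


def unquote(raw):
    """Strip one pair of matching surrounding quotes; return (value, was_quoted)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1], True
    return raw, False


def load_conf(text):
    """Return {section: {key: value}} and the set of (section, key) pairs that were quoted."""
    parser = RawConfigParser()          # no %-interpolation, so %(public_port)s-style values survive
    parser.read_string(text)
    conf, quoted = {}, set()
    for section in ["DEFAULT"] + parser.sections():
        conf[section] = {}
        for key, raw in parser.items(section):
            conf[section][key], was_quoted = unquote(raw)
            if was_quoted:
                quoted.add((section, key))
    return conf, quoted


def audit(conf, quoted):
    """Findings a security reviewer would raise before this configuration goes near production."""
    ldap_cfg = conf.get("ldap", {})
    findings = []
    url = ldap_cfg.get("url", "")
    use_tls = ldap_cfg.get("use_tls", "False").lower() == "true"
    encrypted = url.startswith("ldaps://") or use_tls
    req_cert = ldap_cfg.get("tls_req_cert", "demand").lower()   # 'demand' is the documented default
    if url.startswith("ldap://") and not use_tls:
        findings.append("ldap: plaintext URL without use_tls; the simple bind sends the service password in the clear")
    if encrypted and req_cert != "demand":
        findings.append("ldap: tls_req_cert=%s accepts an unverified server certificate" % req_cert)
    if encrypted and not (ldap_cfg.get("tls_cacertfile") or ldap_cfg.get("tls_cacertdir")):
        findings.append("ldap: neither tls_cacertfile nor tls_cacertdir is set, so the directory's CA is not pinned")
    if url.startswith("ldaps://") and use_tls:
        findings.append("ldap: use_tls (StartTLS) combined with an ldaps:// URL; choose one")
    for section, key in sorted(quoted):
        findings.append("%s: %s is wrapped in quotes; confirm the parser strips them or they become part of the value" % (section, key))
    if conf.get("DEFAULT", {}).get("debug", "False").lower() == "true":
        findings.append("DEFAULT: debug=True logs request bodies, which can include passwords")
    expiration = int(conf.get("token", {}).get("expiration", "86400"))
    if expiration > 86400:
        findings.append("token: expiration=%d seconds (about %d days); tokens stay valid that long unless revoked" % (expiration, expiration // 86400))
    return findings


def escape_filter(value):
    """RFC 4515 escaping for a value interpolated into a search filter (prevents filter injection)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_lookup(ldap_cfg, user_id):
    """(base, scope, filter) for a user-by-id lookup; the filter shape is an assumption about Keystone's backend."""
    base = ldap_cfg.get("user_tree_dn") or ldap_cfg["suffix"]
    scope = ldap_cfg.get("query_scope", "one")      # documented default: one level below user_tree_dn
    clauses = "(%s=%s)" % (ldap_cfg.get("user_id_attribute", "cn"), escape_filter(user_id))
    clauses += ldap_cfg.get("user_filter", "")
    clauses += "(objectClass=%s)" % ldap_cfg.get("user_objectclass", "inetOrgPerson")
    return base, scope, "(&%s)" % clauses


def ldapsearch_argv(ldap_cfg, user_id):
    """Equivalent OpenLDAP ldapsearch invocation; -W prompts for the password instead of embedding it."""
    base, scope, flt = user_lookup(ldap_cfg, user_id)
    argv = ["ldapsearch", "-x", "-H", ldap_cfg["url"], "-D", ldap_cfg["user"], "-W",
            "-b", base, "-s", scope, flt, ldap_cfg.get("user_id_attribute", "cn"), "cn", "mail"]
    if ldap_cfg.get("use_tls", "False").lower() == "true":
        argv.insert(1, "-ZZ")                       # require StartTLS to succeed before binding
    return argv


if __name__ == "__main__":
    conf, quoted = load_conf(SAMPLE_CONF)
    for finding in audit(conf, quoted):
        print("WARN " + finding)
    print(" ".join(shlex.quote(a) for a in ldapsearch_argv(conf["ldap"], "mark.m.miller@mycompany.com")))
```

<div>Run against the posted values it prints the warnings and an <code>ldapsearch -x -H ldap://ldap.mycompany.com:389 -D 'cn=KeystoneDevUser, ...' -W -b ou=People,o=mycompany.com -s one '(&amp;(uid=mark.m.miller@mycompany.com)(objectClass=People))' uid cn mail</code> line. That command makes two differences from the test scripts visible: both scripts searched the whole subtree from the suffix, while the posted [ldap] section leaves <code>query_scope</code> at its documented default of one level under <code>user_tree_dn</code>, and the anonymous script proves reachability but not that the bind DN, base and filter Keystone will use return anything. Running the ldapsearch while the same <code>tcpdump</code> capture is up also confirms whether the capture filter sees LDAP traffic at all; if ldapsearch returns the user with exactly these arguments, the remaining problem is on the Keystone side.</div>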
<div> </div>
<div> </div>
<div> </div>
</span></font>
</body>
</html>