1 # == class: keystone::ldap
3 # Implements ldap configuration for keystone.
8 # URL for connecting to the LDAP server. (string value)
12 # User BindDN to query the LDAP server. (string value)
16 # Password for the BindDN to query the LDAP server. (string value)
20 # LDAP server suffix (string value)
24 # The LDAP scope for queries, this can be either "one"
25 # (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). (string value)
29 # Maximum results per page; a value of zero ("0") disables paging. (integer value)
33 # Search base for users. (string value)
37 # LDAP search filter for users. (string value)
40 # [*user_objectclass*]
41 # LDAP objectclass for users. (string value)
44 # [*user_id_attribute*]
45 # LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute. (string value)
48 # [*user_name_attribute*]
49 # LDAP attribute mapped to user name. (string value)
52 # [*user_mail_attribute*]
53 # LDAP attribute mapped to user email. (string value)
55 # [*user_enabled_attribute*]
56 # LDAP attribute mapped to user enabled flag. (string value)
59 # [*user_enabled_mask*]
60 # Bitmask integer to indicate the bit that the enabled value is stored in if
61 # the LDAP server represents "enabled" as a bit on an integer rather than a
62 # boolean. A value of "0" indicates the mask is not used. If this is not set
63 # to "0" the typical value is "2". This is typically used when
64 # "user_enabled_attribute = userAccountControl". (integer value)
67 # [*user_enabled_default*]
68 # Default value to enable users. This should match an appropriate int value
69 # if the LDAP server uses non-boolean (bitmask) values to indicate if a user
70 # is enabled or disabled. If this is not set to "True" the typical value is
71 # "512". This is typically used when "user_enabled_attribute =
72 # userAccountControl". (string value)
75 # [*user_enabled_invert*]
76 # Invert the meaning of the boolean enabled values. Some LDAP servers use a
77 # boolean lock attribute where "true" means an account is disabled. Setting
78 # "user_enabled_invert = true" will allow these lock attributes to be used.
79 # This setting will have no effect if "user_enabled_mask" or
80 # "user_enabled_emulation" settings are in use. (boolean value)
83 # [*user_attribute_ignore*]
84 # List of attributes stripped off the user on update. (list value)
87 # [*user_default_project_id_attribute*]
88 # LDAP attribute mapped to default_project_id for users. (string value)
91 # [*user_allow_create*]
92 # Allow user creation in LDAP backend. (boolean value)
95 # [*user_allow_update*]
96 # Allow user updates in LDAP backend. (boolean value)
99 # [*user_allow_delete*]
100 # Allow user deletion in LDAP backend. (boolean value)
101 # Defaults to 'undef'
103 # [*user_pass_attribute*]
104 # LDAP attribute mapped to password. (string value)
105 # Defaults to 'undef'
107 # [*user_enabled_emulation*]
108 # If true, Keystone uses an alternative method to determine if
109 # a user is enabled or not by checking if they are a member of
110 # the "user_enabled_emulation_dn" group. (boolean value)
111 # Defaults to 'undef'
113 # [*user_enabled_emulation_dn*]
114 # DN of the group entry to hold enabled users when using enabled emulation.
116 # Defaults to 'undef'
118 # [*user_additional_attribute_mapping*]
119 # List of additional attribute mappings
120 # for users. Attribute mapping
121 # format is <ldap_attr>:<user_attr>, where ldap_attr is the
122 # attribute in the LDAP entry and user_attr is the Identity
123 # API attribute. (list value)
124 # Defaults to 'undef'
126 # [*project_tree_dn*]
127 # Search base for projects (string value)
128 # Defaults to 'undef'
131 # LDAP search filter for projects. (string value)
132 # Defaults to 'undef'
134 # [*project_objectclass*]
135 # LDAP objectclass for projects. (string value)
136 # Defaults to 'undef'
138 # [*project_id_attribute*]
139 # LDAP attribute mapped to project id. (string value)
140 # Defaults to 'undef'
142 # [*project_member_attribute*]
143 # LDAP attribute mapped to project membership for user. (string value)
144 # Defaults to 'undef'
146 # [*project_name_attribute*]
147 # LDAP attribute mapped to project name. (string value)
148 # Defaults to 'undef'
150 # [*project_desc_attribute*]
151 # LDAP attribute mapped to project description. (string value)
152 # Defaults to 'undef'
154 # [*project_enabled_attribute*]
155 # LDAP attribute mapped to project enabled. (string value)
156 # Defaults to 'undef'
158 # [*project_domain_id_attribute*]
159 # LDAP attribute mapped to project domain_id. (string value)
160 # Defaults to 'undef'
162 # [*project_attribute_ignore*]
163 # List of attributes stripped off the project on update. (list value)
164 # Defaults to 'undef'
166 # [*project_allow_create*]
167 # Allow project creation in LDAP backend. (boolean value)
168 # Defaults to 'undef'
170 # [*project_allow_update*]
171 # Allow project update in LDAP backend. (boolean value)
172 # Defaults to 'undef'
174 # [*project_allow_delete*]
175 # Allow project deletion in LDAP backend. (boolean value)
176 # Defaults to 'undef'
178 # [*project_enabled_emulation*]
179 # If true, Keystone uses an alternative method to determine if
180 # a project is enabled or not by checking if they are a member
181 # of the "project_enabled_emulation_dn" group. (boolean value)
182 # Defaults to 'undef'
184 # [*project_enabled_emulation_dn*]
185 # DN of the group entry to hold enabled projects when using
186 # enabled emulation. (string value)
187 # Defaults to 'undef'
189 # [*project_additional_attribute_mapping*]
190 # Additional attribute mappings for projects. Attribute
191 # mapping format is <ldap_attr>:<user_attr>, where ldap_attr
192 # is the attribute in the LDAP entry and user_attr is the
193 # Identity API attribute. (list value)
194 # Defaults to 'undef'
197 # Search base for roles. (string value)
198 # Defaults to 'undef'
201 # LDAP search filter for roles. (string value)
202 # Defaults to 'undef'
204 # [*role_objectclass*]
205 # LDAP objectclass for roles. (string value)
206 # Defaults to 'undef'
208 # [*role_id_attribute*]
209 # LDAP attribute mapped to role id. (string value)
210 # Defaults to 'undef'
212 # [*role_name_attribute*]
213 # LDAP attribute mapped to role name. (string value)
214 # Defaults to 'undef'
216 # [*role_member_attribute*]
217 # LDAP attribute mapped to role membership. (string value)
218 # Defaults to 'undef'
220 # [*role_attribute_ignore*]
221 # List of attributes stripped off the role on update. (list value)
222 # Defaults to 'undef'
224 # [*role_allow_create*]
225 # Allow role creation in LDAP backend. (boolean value)
226 # Defaults to 'undef'
228 # [*role_allow_update*]
229 # Allow role update in LDAP backend. (boolean value)
230 # Defaults to 'undef'
232 # [*role_allow_delete*]
233 # Allow role deletion in LDAP backend. (boolean value)
234 # Defaults to 'undef'
236 # [*role_additional_attribute_mapping*]
237 # Additional attribute mappings for roles. Attribute mapping
238 # format is <ldap_attr>:<user_attr>, where ldap_attr is the
239 # attribute in the LDAP entry and user_attr is the Identity
240 # API attribute. (list value)
241 # Defaults to 'undef'
244 # Search base for groups. (string value)
245 # Defaults to 'undef'
248 # LDAP search filter for groups. (string value)
249 # Defaults to 'undef'
251 # [*group_objectclass*]
252 # LDAP objectclass for groups. (string value)
253 # Defaults to 'undef'
255 # [*group_id_attribute*]
256 # LDAP attribute mapped to group id. (string value)
257 # Defaults to 'undef'
259 # [*group_name_attribute*]
260 # LDAP attribute mapped to group name. (string value)
261 # Defaults to 'undef'
263 # [*group_member_attribute*]
264 # LDAP attribute mapped to show group membership. (string value)
265 # Defaults to 'undef'
267 # [*group_desc_attribute*]
268 # LDAP attribute mapped to group description. (string value)
269 # Defaults to 'undef'
271 # [*group_attribute_ignore*]
272 # List of attributes stripped off the group on update. (list value)
273 # Defaults to 'undef'
275 # [*group_allow_create*]
276 # Allow group creation in LDAP backend. (boolean value)
277 # Defaults to 'undef'
279 # [*group_allow_update*]
280 # Allow group update in LDAP backend. (boolean value)
281 # Defaults to 'undef'
283 # [*group_allow_delete*]
284 # Allow group deletion in LDAP backend. (boolean value)
285 # Defaults to 'undef'
287 # [*group_additional_attribute_mapping*]
288 # Additional attribute mappings for groups. Attribute mapping
289 # format is <ldap_attr>:<user_attr>, where ldap_attr is the
290 # attribute in the LDAP entry and user_attr is the Identity
291 # API attribute. (list value)
292 # Defaults to 'undef'
295 # Enable TLS for communicating with LDAP servers. (boolean value)
296 # Defaults to 'undef'
299 # CA certificate file path for communicating with LDAP servers. (string value)
300 # Defaults to 'undef'
303 # CA certificate directory path for communicating with LDAP servers. (string value)
304 # Defaults to 'undef'
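307 # Valid options for tls_req_cert are demand, never, and allow. Only "demand" rejects a missing or invalid server certificate; "never" and "allow" leave the LDAP server unauthenticated. (string value)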
308 # Defaults to 'undef'
310 # [*identity_driver*]
311 # Identity backend driver. (string value)
312 # Defaults to 'undef'
314 # [*credential_driver*]
315 # Credential backend driver. (string value)
316 # Defaults to 'undef'
318 # [*assignment_driver*]
319 # Assignment backend driver. (string value)
320 # Defaults to 'undef'
323 # Enable LDAP connection pooling. (boolean value)
327 # Connection pool size. (integer value)
331 # Maximum count of reconnect trials. (integer value)
334 # [*pool_retry_delay*]
335 # Time span in seconds to wait between two reconnect trials. (floating point value)
338 # [*pool_connection_timeout*]
339 # Connector timeout in seconds. Value -1 indicates indefinite wait for response. (integer value)
342 # [*pool_connection_lifetime*]
343 # Connection lifetime in seconds. (integer value)
347 # Enable LDAP connection pooling for end user authentication.
348 # If use_pool is disabled, then this setting is meaningless and is not used at all. (boolean value)
352 # End user auth connection pool size. (integer value)
355 # [*auth_pool_connection_lifetime*]
356 # End user auth connection lifetime in seconds. (integer value)
359 # === DEPRECATED group/name
363 # [*tenant_objectclass*]
364 # [*tenant_id_attribute*]
365 # [*tenant_member_attribute*]
366 # [*tenant_name_attribute*]
367 # [*tenant_desc_attribute*]
368 # [*tenant_enabled_attribute*]
369 # [*tenant_domain_id_attribute*]
370 # [*tenant_attribute_ignore*]
371 # [*tenant_allow_create*]
372 # [*tenant_allow_update*]
373 # [*tenant_enabled_emulation*]
374 # [*tenant_enabled_emulation_dn*]
375 # [*tenant_additional_attribute_mapping*]
376 # [*tenant_allow_delete*]
382 # Dan Bode dan@puppetlabs.com
383 # Matt Fischer matt.fischer@twcable.com
387 # Copyright 2012 Puppetlabs Inc, unless otherwise noted.
389 class keystone::ldap(
394 $query_scope = undef,
396 $user_tree_dn = undef,
397 $user_filter = undef,
398 $user_objectclass = undef,
399 $user_id_attribute = undef,
400 $user_name_attribute = undef,
401 $user_mail_attribute = undef,
402 $user_enabled_attribute = undef,
403 $user_enabled_mask = undef,
404 $user_enabled_default = undef,
405 $user_enabled_invert = undef,
406 $user_attribute_ignore = undef,
407 $user_default_project_id_attribute = undef,
408 $user_allow_create = undef,
409 $user_allow_update = undef,
410 $user_allow_delete = undef,
411 $user_pass_attribute = undef,
412 $user_enabled_emulation = undef,
413 $user_enabled_emulation_dn = undef,
414 $user_additional_attribute_mapping = undef,
415 $tenant_tree_dn = undef, #DEPRECATED
416 $project_tree_dn = undef,
417 $tenant_filter = undef, #DEPRECATED
418 $project_filter = undef,
419 $tenant_objectclass = undef, #DEPRECATED
420 $project_objectclass = undef,
421 $tenant_id_attribute = undef, #DEPRECATED
422 $project_id_attribute = undef,
423 $tenant_member_attribute = undef, #DEPRECATED
424 $project_member_attribute = undef,
425 $tenant_desc_attribute = undef, #DEPRECATED
426 $project_desc_attribute = undef,
427 $tenant_name_attribute = undef, #DEPRECATED
428 $project_name_attribute = undef,
429 $tenant_enabled_attribute = undef, #DEPRECATED
430 $project_enabled_attribute = undef,
431 $tenant_domain_id_attribute = undef, #DEPRECATED
432 $project_domain_id_attribute = undef,
433 $tenant_attribute_ignore = undef, #DEPRECATED
434 $project_attribute_ignore = undef,
435 $tenant_allow_create = undef, #DEPRECATED
436 $project_allow_create = undef,
437 $tenant_allow_update = undef, #DEPRECATED
438 $project_allow_update = undef,
439 $tenant_allow_delete = undef, #DEPRECATED
440 $project_allow_delete = undef,
441 $tenant_enabled_emulation = undef, #DEPRECATED
442 $project_enabled_emulation = undef,
443 $tenant_enabled_emulation_dn = undef, #DEPRECATED
444 $project_enabled_emulation_dn = undef,
445 $tenant_additional_attribute_mapping = undef, #DEPRECATED
446 $project_additional_attribute_mapping= undef,
447 $role_tree_dn = undef,
448 $role_filter = undef,
449 $role_objectclass = undef,
450 $role_id_attribute = undef,
451 $role_name_attribute = undef,
452 $role_member_attribute = undef,
453 $role_attribute_ignore = undef,
454 $role_allow_create = undef,
455 $role_allow_update = undef,
456 $role_allow_delete = undef,
457 $role_additional_attribute_mapping = undef,
458 $group_tree_dn = undef,
459 $group_filter = undef,
460 $group_objectclass = undef,
461 $group_id_attribute = undef,
462 $group_name_attribute = undef,
463 $group_member_attribute = undef,
464 $group_desc_attribute = undef,
465 $group_attribute_ignore = undef,
466 $group_allow_create = undef,
467 $group_allow_update = undef,
468 $group_allow_delete = undef,
469 $group_additional_attribute_mapping = undef,
471 $tls_cacertdir = undef,
472 $tls_cacertfile = undef,
473 $tls_req_cert = undef,
474 $identity_driver = undef,
475 $assignment_driver = undef,
476 $credential_driver = undef,
480 $pool_retry_delay = 0.1,
481 $pool_connection_timeout = -1,
482 $pool_connection_lifetime = 600,
483 $use_auth_pool = false,
484 $auth_pool_size = 100,
485 $auth_pool_connection_lifetime = 60,
# In Juno the term "tenant" was deprecated in the config in favor of "project".
# For each pair below: when the deprecated tenant_* parameter is not set, the
# project_* value is used as-is. Otherwise a deprecation warning is emitted, the
# tenant_* value is used, and compilation fails if project_* is set as well,
# because having both set may cause unexpected results in Keystone.
if ! ($tenant_tree_dn) {
  $project_tree_dn_real = $project_tree_dn
}
else {
  warning ('tenant_tree_dn is deprecated in Juno. switch to project_tree_dn')
  if ($project_tree_dn) {
    fail ('tenant_tree_dn and project_tree_dn are both set. results may be unexpected')
  }
  $project_tree_dn_real = $tenant_tree_dn
}

if ! ($tenant_filter) {
  $project_filter_real = $project_filter
}
else {
  warning ('tenant_filter is deprecated in Juno. switch to project_filter')
  if ($project_filter) {
    fail ('tenant_filter and project_filter are both set. results may be unexpected')
  }
  $project_filter_real = $tenant_filter
}

if ! ($tenant_objectclass) {
  $project_objectclass_real = $project_objectclass
}
else {
  warning ('tenant_objectclass is deprecated in Juno. switch to project_objectclass')
  if ($project_objectclass) {
    fail ('tenant_objectclass and project_objectclass are both set. results may be unexpected')
  }
  $project_objectclass_real = $tenant_objectclass
}

if ! ($tenant_id_attribute) {
  $project_id_attribute_real = $project_id_attribute
}
else {
  warning ('tenant_id_attribute is deprecated in Juno. switch to project_id_attribute')
  if ($project_id_attribute) {
    fail ('tenant_id_attribute and project_id_attribute are both set. results may be unexpected')
  }
  $project_id_attribute_real = $tenant_id_attribute
}

if ! ($tenant_member_attribute) {
  $project_member_attribute_real = $project_member_attribute
}
else {
  warning ('tenant_member_attribute is deprecated in Juno. switch to project_member_attribute')
  if ($project_member_attribute) {
    fail ('tenant_member_attribute and project_member_attribute are both set. results may be unexpected')
  }
  $project_member_attribute_real = $tenant_member_attribute
}

if ! ($tenant_desc_attribute) {
  $project_desc_attribute_real = $project_desc_attribute
}
else {
  warning ('tenant_desc_attribute is deprecated in Juno. switch to project_desc_attribute')
  if ($project_desc_attribute) {
    fail ('tenant_desc_attribute and project_desc_attribute are both set. results may be unexpected')
  }
  $project_desc_attribute_real = $tenant_desc_attribute
}

if ! ($tenant_name_attribute) {
  $project_name_attribute_real = $project_name_attribute
}
else {
  warning ('tenant_name_attribute is deprecated in Juno. switch to project_name_attribute')
  if ($project_name_attribute) {
    fail ('tenant_name_attribute and project_name_attribute are both set. results may be unexpected')
  }
  $project_name_attribute_real = $tenant_name_attribute
}

if ! ($tenant_enabled_attribute) {
  $project_enabled_attribute_real = $project_enabled_attribute
}
else {
  warning ('tenant_enabled_attribute is deprecated in Juno. switch to project_enabled_attribute')
  if ($project_enabled_attribute) {
    fail ('tenant_enabled_attribute and project_enabled_attribute are both set. results may be unexpected')
  }
  $project_enabled_attribute_real = $tenant_enabled_attribute
}

if ! ($tenant_attribute_ignore) {
  $project_attribute_ignore_real = $project_attribute_ignore
}
else {
  warning ('tenant_attribute_ignore is deprecated in Juno. switch to project_attribute_ignore')
  if ($project_attribute_ignore) {
    fail ('tenant_attribute_ignore and project_attribute_ignore are both set. results may be unexpected')
  }
  $project_attribute_ignore_real = $tenant_attribute_ignore
}

if ! ($tenant_domain_id_attribute) {
  $project_domain_id_attribute_real = $project_domain_id_attribute
}
else {
  warning ('tenant_domain_id_attribute is deprecated in Juno. switch to project_domain_id_attribute')
  if ($project_domain_id_attribute) {
    fail ('tenant_domain_id_attribute and project_domain_id_attribute are both set. results may be unexpected')
  }
  $project_domain_id_attribute_real = $tenant_domain_id_attribute
}
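# Deprecated tenant_* -> project_* handling for the boolean options.
#
# These four parameters are booleans, so an explicit `false` is a real setting
# (for example, forbidding project deletion in the LDAP backend). A plain
# truthiness test treats `false` like "not set": the deprecated value is
# dropped without a warning and the project_* value (undef by default) is
# written instead, so the restriction never reaches keystone.conf. Compare
# against undef, as the driver checks in this class do, so that `false` is
# honoured and a tenant_*/project_* conflict is still detected when either
# side is `false`.
if ($tenant_allow_create != undef) {
  $project_allow_create_real = $tenant_allow_create
  warning ('tenant_allow_create is deprecated in Juno. switch to project_allow_create')
  if ($project_allow_create != undef) {
    fail ('tenant_allow_create and project_allow_create are both set. results may be unexpected')
  }
}
else {
  $project_allow_create_real = $project_allow_create
}

if ($tenant_allow_update != undef) {
  $project_allow_update_real = $tenant_allow_update
  warning ('tenant_allow_update is deprecated in Juno. switch to project_allow_update')
  if ($project_allow_update != undef) {
    fail ('tenant_allow_update and project_allow_update are both set. results may be unexpected')
  }
}
else {
  $project_allow_update_real = $project_allow_update
}

if ($tenant_allow_delete != undef) {
  $project_allow_delete_real = $tenant_allow_delete
  warning ('tenant_allow_delete is deprecated in Juno. switch to project_allow_delete')
  if ($project_allow_delete != undef) {
    fail ('tenant_allow_delete and project_allow_delete are both set. results may be unexpected')
  }
}
else {
  $project_allow_delete_real = $project_allow_delete
}

if ($tenant_enabled_emulation != undef) {
  $project_enabled_emulation_real = $tenant_enabled_emulation
  warning ('tenant_enabled_emulation is deprecated in Juno. switch to project_enabled_emulation')
  if ($project_enabled_emulation != undef) {
    fail ('tenant_enabled_emulation and project_enabled_emulation are both set. results may be unexpected')
  }
}
else {
  $project_enabled_emulation_real = $project_enabled_emulation
}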
# Deprecated tenant_* -> project_* handling for the remaining two options:
# use project_* when tenant_* is not set; otherwise warn, take the tenant_*
# value, and fail if project_* is set as well.
if ! ($tenant_enabled_emulation_dn) {
  $project_enabled_emulation_dn_real = $project_enabled_emulation_dn
}
else {
  warning ('tenant_enabled_emulation_dn is deprecated in Juno. switch to project_enabled_emulation_dn')
  if ($project_enabled_emulation_dn) {
    fail ('tenant_enabled_emulation_dn and project_enabled_emulation_dn are both set. results may be unexpected')
  }
  $project_enabled_emulation_dn_real = $tenant_enabled_emulation_dn
}

if ! ($tenant_additional_attribute_mapping) {
  $project_additional_attribute_mapping_real = $project_additional_attribute_mapping
}
else {
  warning ('tenant_additional_attribute_mapping is deprecated in Juno. switch to project_additional_attribute_mapping')
  if ($project_additional_attribute_mapping) {
    fail ('tenant_additional_attribute_mapping and project_additional_attribute_mapping are both set. results may be unexpected')
  }
  $project_additional_attribute_mapping_real = $tenant_additional_attribute_mapping
}
667 $ldap_packages = ['python-ldap', 'python-ldappool']
668 package { $ldap_packages:
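# Check for some common driver name mistakes. Each driver parameter is only
# validated when it is set. The dots in these patterns are unescaped and match
# any character, so this is a typo check on the class path, not a strict
# allowlist of the drivers Keystone may load.
if ($assignment_driver != undef) {
  if ! ($assignment_driver =~ /^keystone.assignment.backends.*Assignment$/) {
    # Message typo fixed: "assigment" -> "assignment".
    fail('assignment driver should be of the form \'keystone.assignment.backends.*Assignment\'')
  }
}

if ($identity_driver != undef) {
  if ! ($identity_driver =~ /^keystone.identity.backends.*Identity$/) {
    fail('identity driver should be of the form \'keystone.identity.backends.*Identity\'')
  }
}

if ($credential_driver != undef) {
  if ! ($credential_driver =~ /^keystone.credential.backends.*Credential$/) {
    fail('credential driver should be of the form \'keystone.credential.backends.*Credential\'')
  }
}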
691 if ($tls_cacertdir != undef) {
692 file { $tls_cacertdir:
698 'ldap/url': value => $url;
699 'ldap/user': value => $user;
700 'ldap/password': value => $password, secret => true;
701 'ldap/suffix': value => $suffix;
702 'ldap/query_scope': value => $query_scope;
703 'ldap/page_size': value => $page_size;
704 'ldap/user_tree_dn': value => $user_tree_dn;
705 'ldap/user_filter': value => $user_filter;
706 'ldap/user_objectclass': value => $user_objectclass;
707 'ldap/user_id_attribute': value => $user_id_attribute;
708 'ldap/user_name_attribute': value => $user_name_attribute;
709 'ldap/user_mail_attribute': value => $user_mail_attribute;
710 'ldap/user_enabled_attribute': value => $user_enabled_attribute;
711 'ldap/user_enabled_mask': value => $user_enabled_mask;
712 'ldap/user_enabled_default': value => $user_enabled_default;
713 'ldap/user_enabled_invert': value => $user_enabled_invert;
714 'ldap/user_attribute_ignore': value => $user_attribute_ignore;
715 'ldap/user_default_project_id_attribute': value => $user_default_project_id_attribute;
716 'ldap/user_allow_create': value => $user_allow_create;
717 'ldap/user_allow_update': value => $user_allow_update;
718 'ldap/user_allow_delete': value => $user_allow_delete;
719 'ldap/user_pass_attribute': value => $user_pass_attribute;
720 'ldap/user_enabled_emulation': value => $user_enabled_emulation;
721 'ldap/user_enabled_emulation_dn': value => $user_enabled_emulation_dn;
722 'ldap/user_additional_attribute_mapping': value => $user_additional_attribute_mapping;
723 'ldap/project_tree_dn': value => $project_tree_dn_real;
724 'ldap/project_filter': value => $project_filter_real;
725 'ldap/project_objectclass': value => $project_objectclass_real;
726 'ldap/project_id_attribute': value => $project_id_attribute_real;
727 'ldap/project_member_attribute': value => $project_member_attribute_real;
728 'ldap/project_desc_attribute': value => $project_desc_attribute_real;
729 'ldap/project_name_attribute': value => $project_name_attribute_real;
730 'ldap/project_enabled_attribute': value => $project_enabled_attribute_real;
731 'ldap/project_attribute_ignore': value => $project_attribute_ignore_real;
732 'ldap/project_domain_id_attribute': value => $project_domain_id_attribute_real;
733 'ldap/project_allow_create': value => $project_allow_create_real;
734 'ldap/project_allow_update': value => $project_allow_update_real;
735 'ldap/project_allow_delete': value => $project_allow_delete_real;
736 'ldap/project_enabled_emulation': value => $project_enabled_emulation_real;
737 'ldap/project_enabled_emulation_dn': value => $project_enabled_emulation_dn_real;
738 'ldap/project_additional_attribute_mapping': value => $project_additional_attribute_mapping_real;
739 'ldap/role_tree_dn': value => $role_tree_dn;
740 'ldap/role_filter': value => $role_filter;
741 'ldap/role_objectclass': value => $role_objectclass;
742 'ldap/role_id_attribute': value => $role_id_attribute;
743 'ldap/role_name_attribute': value => $role_name_attribute;
744 'ldap/role_member_attribute': value => $role_member_attribute;
745 'ldap/role_attribute_ignore': value => $role_attribute_ignore;
746 'ldap/role_allow_create': value => $role_allow_create;
747 'ldap/role_allow_update': value => $role_allow_update;
748 'ldap/role_allow_delete': value => $role_allow_delete;
749 'ldap/role_additional_attribute_mapping': value => $role_additional_attribute_mapping;
750 'ldap/group_tree_dn': value => $group_tree_dn;
751 'ldap/group_filter': value => $group_filter;
752 'ldap/group_objectclass': value => $group_objectclass;
753 'ldap/group_id_attribute': value => $group_id_attribute;
754 'ldap/group_name_attribute': value => $group_name_attribute;
755 'ldap/group_member_attribute': value => $group_member_attribute;
756 'ldap/group_desc_attribute': value => $group_desc_attribute;
757 'ldap/group_attribute_ignore': value => $group_attribute_ignore;
758 'ldap/group_allow_create': value => $group_allow_create;
759 'ldap/group_allow_update': value => $group_allow_update;
760 'ldap/group_allow_delete': value => $group_allow_delete;
761 'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
762 'ldap/use_tls': value => $use_tls;
763 'ldap/tls_cacertdir': value => $tls_cacertdir;
764 'ldap/tls_cacertfile': value => $tls_cacertfile;
765 'ldap/tls_req_cert': value => $tls_req_cert;
766 'ldap/use_pool': value => $use_pool;
767 'ldap/pool_size': value => $pool_size;
768 'ldap/pool_retry_max': value => $pool_retry_max;
769 'ldap/pool_retry_delay': value => $pool_retry_delay;
770 'ldap/pool_connection_timeout': value => $pool_connection_timeout;
771 'ldap/pool_connection_lifetime': value => $pool_connection_lifetime;
772 'ldap/use_auth_pool': value => $use_auth_pool;
773 'ldap/auth_pool_size': value => $auth_pool_size;
774 'ldap/auth_pool_connection_lifetime': value => $auth_pool_connection_lifetime;
775 'identity/driver': value => $identity_driver;
776 'credential/driver': value => $credential_driver;
777 'assignment/driver': value => $assignment_driver;