Merge "small changes to section_keystone-token-binding file"
This commit is contained in:
commit
fe369cf02f
@ -1,56 +1,57 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<section xmlns="http://docbook.org/ns/docbook"
|
<section xmlns="http://docbook.org/ns/docbook"
|
||||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||||
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
||||||
xml:id="keystone-token-binding">
|
xml:id="keystone-token-binding">
|
||||||
<title>Configure the Identity Service for token binding</title>
|
<title>Configure Identity service for token binding</title>
|
||||||
<para>Token binding refers to the practice of embedding
|
<para>Token binding embeds information from an external
|
||||||
information from external authentication providers (like a
|
authentication mechanism, such as a Kerberos server, inside a
|
||||||
company's Kerberos server) inside the token such that a client may
|
token. By using token binding, a client can enforce the use of a
|
||||||
enforce that the token only be used in conjunction with that
|
specified external authentication mechanism with the token. This
|
||||||
specified authentication. This is an additional security mechanism
|
additional security mechanism ensures that if a token is stolen,
|
||||||
as it means that if a token is stolen it will not be usable
|
for example, it is not usable without external
|
||||||
without also providing the external authentication.</para>
|
authentication.</para>
|
||||||
<para>To activate token binding you must specify the types of
|
<para>You configure the authentication types for a token binding in
|
||||||
authentication that token binding should be used for in
|
the <filename>keystone.conf</filename> file:</para>
|
||||||
<filename>keystone.conf</filename>:
|
<programlisting language="ini">[token]
|
||||||
<programlisting language="ini">[token]
|
bind = kerberos</programlisting>
|
||||||
bind = kerberos</programlisting>
|
<para>Currently only <literal>kerberos</literal> is
|
||||||
Currently only <literal>kerberos</literal> is supported.</para>
|
supported.</para>
|
||||||
<para>
|
<para>To enforce checking of token binding, set the
|
||||||
To enforce checking of token binding the <literal>enforce_token_bind</literal>
|
<option>enforce_token_bind</option> option to one of these
|
||||||
parameter should be set to one of the following modes:
|
modes:</para>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>disabled</literal> disable token bind
|
<para><literal>disabled</literal></para>
|
||||||
checking</para>
|
<para>Disables token bind checking.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>permissive</literal> enable bind checking, if
|
<para><literal>permissive</literal></para>
|
||||||
a token is bound to a mechanism that is unknown to the server
|
<para>Enables bind checking. If a token is bound to an unknown
|
||||||
then ignore it. This is the default.</para>
|
authentication mechanism, the server ignores it. The default
|
||||||
</listitem>
|
is this mode.</para>
|
||||||
<listitem>
|
</listitem>
|
||||||
<para><literal>strict</literal> enable bind checking, if a
|
<listitem>
|
||||||
token is bound to a mechanism that is unknown to the server
|
<para><literal>strict</literal></para>
|
||||||
then this token should be rejected.</para>
|
<para>Enables bind checking. If a token is bound to an unknown
|
||||||
</listitem>
|
authentication mechanism, the server rejects it.</para>
|
||||||
<listitem>
|
</listitem>
|
||||||
<para><literal>required</literal> enable bind checking and
|
<listitem>
|
||||||
require that at least 1 bind mechanism is used for
|
<para><literal>required</literal></para>
|
||||||
tokens.</para>
|
<para>Enables bind checking. Requires use of at least
|
||||||
</listitem>
|
authentication mechanism for tokens.</para>
|
||||||
<listitem>
|
</listitem>
|
||||||
<para><literal>named</literal> enable bind checking and
|
<listitem>
|
||||||
require that the specified authentication mechanism is used:
|
<para><literal>named</literal></para>
|
||||||
<programlisting language="ini">[token]
|
<para>Enables bind checking. Requires use of the specified
|
||||||
enforce_token_bind = kerberos</programlisting>
|
authentication mechanism for tokens:</para>
|
||||||
</para>
|
<programlisting language="ini">[token]
|
||||||
</listitem>
|
enforce_token_bind = kerberos</programlisting>
|
||||||
</itemizedlist>
|
</listitem>
|
||||||
<note><para>Do not set <literal>enforce_token_bind =
|
</itemizedlist>
|
||||||
named</literal> as there is not an authentication mechanism
|
<note>
|
||||||
called <literal>named</literal>.</para>
|
<para>Do not set <literal>enforce_token_bind = named</literal>.
|
||||||
</note>
|
The <literal>named</literal> authentication mechanism does not
|
||||||
</para>
|
exist.</para>
|
||||||
|
</note>
|
||||||
</section>
|
</section>
|
||||||
|
Loading…
Reference in New Issue
Block a user