openstack/openstack-manuals
Code Issues Proposed changes
7f54582717
openstack-manuals/doc/admin-guide/source/keystone_token-binding.rst
Joseph Robinson 2ce5b11b1a [User Guides] Rename Admin-Guide-Cloud to Admin-Guide 
This patch changes the name of the Admin-Guide from the Cloud
Admin Guide to the Administrator guide. This affects the
filename in the repository, and references to cloud administrators
within the document texts.

1.) Changing instances of 'cloud administrator'
    to 'administrator'.

2.) Change links from '/admin-guide-cloud/' to
    '/admin-guide/' within the Admin Guide.

3.) Adjust .htaccess file.

Change-Id: I7f21a710e922981aa295afc0616de36fd819b523
Implements: blueprint user-guides-reorganised
2016-04-01 19:50:13 +09:00

65 lines
1.7 KiB
ReStructuredText
Raw Blame History

============================================
Configure Identity service for token binding
============================================
Token binding embeds information from an external authentication
mechanism, such as a Kerberos server or X.509 certificate, inside a
token. By using token binding, a client can enforce the use of a
specified external authentication mechanism with the token. This
additional security mechanism ensures that if a token is stolen, for
example, it is not usable without external authentication.
You configure the authentication types for a token binding in the
``keystone.conf`` file:
.. code-block:: ini
[token]
bind = kerberos
or
.. code-block:: ini
[token]
bind = x509
Currently ``kerberos`` and ``x509`` are supported.
To enforce checking of token binding, set the ``enforce_token_bind``
option to one of these modes:
- ``disabled``
Disables token bind checking.
- ``permissive``
Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server ignores it. The default is this
mode.
- ``strict``
Enables bind checking. If a token is bound to an unknown
authentication mechanism, the server rejects it.
- ``required``
Enables bind checking. Requires use of at least authentication
mechanism for tokens.
- ``kerberos``
Enables bind checking. Requires use of kerberos as the authentication
mechanism for tokens:
.. code-block:: ini
[token]
enforce_token_bind = kerberos
- ``x509``
Enables bind checking. Requires use of X.509 as the authentication
mechanism for tokens:
.. code-block:: ini
[token]
enforce_token_bind = x509
View Git Blame Copy Permalink