You can update certain parameters in your Keystone service configuration by using the viocli update keystone command.

For more information about Keystone configuration, see the OpenStack Keystone Configuration documentation.

For more information about Keystone service configuration examples, see the OpenStack Keystone Configuration file.

Configuration options example using viocli update keystone:
conf:
  keystone:
    DEFAULT:
      list_limit: 100
    token:
      expiration: 7200

  ks_domains:
    <keystone domain name>:
      ldap:
        user_enabled_invert: false
        user_enabled_mask: 2
        user_enabled_default: true
        chase_referrals: false
        debug_level: 4095
        pool_retry_max: 20
        pool_size: 200
        pool_retry_delay: 0.1
        pool_connection_timeout: -1
        pool_connection_lifetime: 600
        use_auth_pool: true
        auth_pool_size: 100
        auth_pool_connection_lifetime: 60
        user_enabled_attribute: userAccountControl
        lockout_failure_attempts: 6
        lockout_duration: 1800
Table 1. viocli update Keystone Parameters

list_limit
  Default value: none
  Description: Enter the maximum number of entities that can be returned in a collection.

expiration
  Range: minimum 0, maximum 9223372036854775807
  Description: Enter the amount of time, in seconds, that a token remains valid. Greatly increasing this value can increase load on the token driver, and greatly decreasing it can break long-running operations.

ks_domains
  Description: Enter the Keystone domain name.

user_enabled_invert
  Default value: false
  Description: Enter true to disable the account. Setting this option to true allows you to use the lock attributes.

user_enabled_mask
  Default value: 0
  Description: Enter 2 to set the mask value. A value of 0 indicates that the mask is not used.

user_enabled_default
  Default value: true
  Description: Enter true to enable the Keystone LDAP users by default. If you do not use true, the typical value is 512.

chase_referrals
  Default value: none
  Description: Enter a boolean value that sets the referral chasing behavior for queries. If unset, the system default is used.

debug_level
  Default value: none
  Description: Enter the debugging level for LDAP calls. The minimum value is -1. A value of 0 indicates that debugging is disabled.

pool_retry_max
  Default value: 3
  Description: Enter the maximum number of times to attempt reconnecting to the LDAP server. The minimum value is 0.

pool_size
  Default value: 10
  Description: Enter the size of the LDAP connection pool. The minimum value is 0.

pool_retry_delay
  Default value: 0.1
  Description: Enter the number of seconds to wait before attempting to reconnect to the LDAP server.

pool_connection_timeout
  Default value: -1
  Description: Enter the connection timeout, in seconds, to use when pooling LDAP connections. A value of -1 indicates that the connection never times out.

pool_connection_lifetime
  Default value: 600
  Description: Enter the maximum lifetime, in seconds, of a connection to the LDAP server. The minimum value is 1.

use_auth_pool
  Default value: true
  Description: Enter true to enable LDAP connection pooling for end-user authentication.

auth_pool_size
  Default value: 100
  Description: Enter the size of the connection pool to use for end-user authentication. The minimum value is 1.

auth_pool_connection_lifetime
  Default value: 60
  Description: Enter the maximum lifetime, in seconds, of an end-user authentication connection. The minimum value is 1.

user_enabled_attribute
  Default value: enabled
  Description: Enter the LDAP attribute that maps to the user-enabled flag.

lockout_failure_attempts
  Default value: 5
  Description: Configures the maximum number of failed authentication attempts before an account is locked out.

lockout_duration
  Default value: 1800
  Description: Configures the number of seconds an account stays locked out after lockout_failure_attempts is reached. If set to 0, accounts are locked permanently until explicitly unlocked through the CLI or API.
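Before applying a configuration with viocli update keystone, it is worth checking the values against the limits in Table 1. The following is an added example, not VIO or viocli code: it validates the conf.keystone and conf.ks_domains settings against the documented minimums and maximums and flags a lockout_duration of 0, which locks accounts until an operator unlocks them. The config is a constructed dict mirroring the YAML example above ("example-domain" is a placeholder for the domain name); a real check would load the YAML file first.

```python
INT64_MAX = 9223372036854775807

# Integer limits from Table 1 for the ldap section, as (minimum, maximum); None = unbounded
LDAP_INT_RANGES = {
    "debug_level": (-1, None), "pool_retry_max": (0, None), "pool_size": (0, None),
    "pool_connection_timeout": (-1, None), "pool_connection_lifetime": (1, None),
    "auth_pool_size": (1, None), "auth_pool_connection_lifetime": (1, None),
}

# Constructed config mirroring the YAML example above; "example-domain" stands in
# for <keystone domain name> and is not a real deployment value
EXAMPLE_CONF = {
    "keystone": {"DEFAULT": {"list_limit": 100}, "token": {"expiration": 7200}},
    "ks_domains": {"example-domain": {"ldap": {
        "user_enabled_invert": False, "user_enabled_mask": 2, "user_enabled_default": True,
        "chase_referrals": False, "debug_level": 4095, "pool_retry_max": 20,
        "pool_size": 200, "pool_retry_delay": 0.1, "pool_connection_timeout": -1,
        "pool_connection_lifetime": 600, "use_auth_pool": True, "auth_pool_size": 100,
        "auth_pool_connection_lifetime": 60, "user_enabled_attribute": "userAccountControl",
        "lockout_failure_attempts": 6, "lockout_duration": 1800,
    }}},
}

def _check_int(path, value, lo, hi, problems):
    """Append a message to problems unless value is an int within [lo, hi]."""
    if isinstance(value, bool) or not isinstance(value, int):
        problems.append(f"{path}: expected an integer, got {value!r}")
    elif lo is not None and value < lo:
        problems.append(f"{path}: {value} is below the minimum {lo}")
    elif hi is not None and value > hi:
        problems.append(f"{path}: {value} is above the maximum {hi}")

def check_keystone_conf(conf):
    """Return a list of problems; an empty list means the values respect Table 1."""
    problems = []
    exp = conf.get("keystone", {}).get("token", {}).get("expiration")
    if exp is not None:
        _check_int("keystone.token.expiration", exp, 0, INT64_MAX, problems)
    for domain, settings in conf.get("ks_domains", {}).items():
        ldap, prefix = settings.get("ldap", {}), f"ks_domains.{domain}.ldap"
        for key, (lo, hi) in LDAP_INT_RANGES.items():
            if key in ldap:
                _check_int(f"{prefix}.{key}", ldap[key], lo, hi, problems)
        # Table 1: lockout_duration 0 keeps accounts locked until unlocked from the CLI/API
        if ldap.get("lockout_duration") == 0:
            problems.append(f"{prefix}.lockout_duration: 0 locks accounts until manually unlocked")
    return problems
```

Running check_keystone_conf(EXAMPLE_CONF) returns an empty list, because every value in the example sits inside the documented range.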