honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] Removes redundant LDAP realm settings (#30193)

This commit is contained in:
Lisa Cawley 2018-04-30 08:04:15 -07:00 committed by GitHub
parent 725a5af2c6
commit 05160e6cd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 111 additions and 258 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
x-pack/docs/en/security/authentication/ldap-realm.asciidoc
View File

@ -137,211 +137,13 @@ The `load_balance.type` setting can be used at the realm level to configure how
{security} should interact with multiple LDAP servers. {security} supports both
failover and load balancing modes of operation.
.Load Balancing and Failover Types
|=======================
| Type | | | Description
| `failover` | | | The URLs specified are used in the order that they are specified.
The first server that can be connected to will be used for all
subsequent connections. If a connection to that server fails then
the next server that a connection can be established to will be
used for subsequent connections.
| `dns_failover` | | | In this mode of operation, only a single URL may be specified.
This URL must contain a DNS name. The system will be queried for
all IP addresses that correspond to this DNS name. Connections to
the LDAP server will always be tried in the order in which they
were retrieved. This differs from `failover` in that there is no
reordering of the list and if a server has failed at the beginning
of the list, it will still be tried for each subsequent connection.
| `round_robin` | | | Connections will continuously iterate through the list of provided
URLs. If a server is unavailable, iterating through the list of
URLs will continue until a successful connection is made.
| `dns_round_robin` | | | In this mode of operation, only a single URL may be specified. This
URL must contain a DNS name. The system will be queried for all IP
addresses that correspond to this DNS name. Connections will
continuously iterate through the list of addresses. If a server is
unavailable, iterating through the list of URLs will continue until
a successful connection is made.
|=======================
See {ref}/security-settings.html#load-balancing[Load Balancing and Failover Settings].
[[ldap-settings]]
===== LDAP Realm Settings
.Common LDAP Realm Settings
[cols="4,^3,10"]
|=======================
| Setting | Required | Description
| `type` | yes | Indicates the realm type. Must be set to `ldap`.
| `order` | no | Indicates the priority of this realm within the realm
chain. Realms with a lower order are consulted first.
Although not required, we recommend explicitly
setting this value when you configure multiple realms.
Defaults to `Integer.MAX_VALUE`.
| `enabled` | no | Indicates whether this realm is enabled or disabled.
Enables you to disable a realm without removing its
configuration. Defaults to `true`.
| `url` | yes | Specifies one or more LDAP URLs of the form of
`ldap[s]://<server>:<port>`. Multiple URLs can be
defined using a comma separated value or array syntax:
`[ "ldaps://server1:636", "ldaps://server2:636" ]`.
`ldaps` and `ldap` URL protocols cannot be mixed in
the same realm.
| `load_balance.type` | no | The behavior to use when there are multiple LDAP URLs
defined. For supported values see
<<ldap-load-balancing, LDAP load balancing and failover types>>.
| `load_balance.cache_ttl` | no | When using `dns_failover` or `dns_round_robin` as the
load balancing type, this setting controls the amount of time
to cache DNS lookups. Defaults to `1h`.
| `user_group_attribute` | no | Specifies the attribute to examine on the user for group
membership. The default is `memberOf`. This setting will
be ignored if any `group_search` settings are specified.
| `group_search.base_dn` | no | Specifies a container DN to search for groups in which
the user has membership. When this element is absent,
Security searches for the attribute specified by
`user_group_attribute` set on the user to determine
group membership.
| `group_search.scope` | no | Specifies whether the group search should be
`sub_tree`, `one_level` or `base`. `one_level` only
searches objects directly contained within the
`base_dn`. The default `sub_tree` searches all objects
contained under `base_dn`. `base` specifies that the
`base_dn` is a group object, and that it is the only
group considered.
| `group_search.filter` | no | Specifies a filter to use to lookup a group. If not
set, the realm searches for `group`,
`groupOfNames`, `groupOfUniqueNames`, or `posixGroup` with the
attributes `member`, `memberOf`, or `memberUid`. Any instance of
`{0}` in the filter is replaced by the user
attribute defined in `group_search.user_attribute`
| `group_search.user_attribute` | no | Specifies the user attribute that is fetched and
provided as a parameter to the filter. If not set,
the user DN is passed to the filter.
| `unmapped_groups_as_roles` | no | Specifies whether the names of any unmapped LDAP groups
should be used as role names and assigned to the user.
A group is considered to be _unmapped_ if it is not referenced
in any <<mapping-roles-file, role-mapping files>> (API based
role-mappings are not considered).
Defaults to `false`.
| `timeout.tcp_connect` | no | Specifies the TCP connect timeout period for establishing an
LDAP connection. An `s` at the end indicates seconds, or `ms`
indicates milliseconds. Defaults to `5s` (5 seconds).
| `timeout.tcp_read` | no | Specifies the TCP read timeout period after establishing an LDAP connection.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds).
| `timeout.ldap_search` | no | Specifies the LDAP Server enforced timeout period for an LDAP search.
An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds).
| `files.role_mapping` | no | Specifies the path and file name for the
<<ldap-role-mapping, YAML role mapping configuration file>>.
Defaults to `ES_HOME/config/x-pack/role_mapping.yml`.
| `follow_referrals` | no | Specifies whether {security} should follow referrals
returned by the LDAP server. Referrals are URLs returned by
the server that are to be used to continue the LDAP operation
(e.g. search). Defaults to `true`.
| `metadata` | no | Specifies the list of additional LDAP attributes that should
be stored in the `metadata` of an authenticated user.
| `ssl.key` | no | Specifies the path to the PEM encoded private key to use if the LDAP
server requires client authentication. `ssl.key` and `ssl.keystore.path`
may not be used at the same time.
| `ssl.key_passphrase` | no | Specifies the passphrase to decrypt the PEM encoded private key if it is encrypted.
| `ssl.certificate` | no | Specifies the path to the PEM encoded certificate (or certificate chain) that goes with the
key if the LDAP server requires client authentication.
| `ssl.certificate_authorities` | no | Specifies the paths to the PEM encoded certificate authority certificates that
should be trusted. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used
at the same time.
| `ssl.keystore.path` | no | The path to the Java Keystore file that contains a private key and certificate. `ssl.key` and
`ssl.keystore.path` may not be used at the same time.
| `ssl.keystore.password` | no | The password to the keystore.
| `ssl.keystore.key_password` | no | The password for the key in the keystore. Defaults to the keystore password.
| `ssl.truststore.path` | no | The path to the Java Keystore file that contains the certificates to trust.
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
| `ssl.truststore.password` | no | The password to the truststore.
| `ssl.verification_mode` | no | Specifies the type of verification to be performed when
connecting to a LDAP server using `ldaps`. When
set to `full`, the hostname or IP address used in the `url`
must match one of the names in the certificate or the
connection will not be allowed. Due to their potential security impact,
`ssl` settings are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API].
Values are `none`, `certificate`, and `full`. Defaults to `full`.
See {ref}/security-settings.html#ssl-tls-settings[`xpack.ssl.verification_mode`]
for an explanation of these values.
| `ssl.supported_protocols` | no | Specifies the supported protocols for SSL/TLS.
| `ssl.cipher_suites` | no | Specifies the cipher suites that should be supported when communicating
with the LDAP server.
| `cache.ttl` | no | Specifies the time-to-live for cached user entries. A
user's credentials are cached for this period of time.
Specify the time period using the standard Elasticsearch
{ref}/common-options.html#time-units[time units].
Defaults to `20m`.
| `cache.max_users` | no | Specifies the maximum number of user entries that can be
stored in the cache at one time. Defaults to 100,000.
| `cache.hash_algo` | no | Specifies the hashing algorithm that is used for the
cached user credentials. See
<<cache-hash-algo, Cache hash algorithms>> for the possible
values. (Expert Setting).
|=======================
.User Search Mode Settings
|=======================
| Setting | Required | Description
| `bind_dn` | no | The DN of the user that is used to bind to the LDAP
and perform searches. If not specified, an anonymous
bind is attempted. Due to its potential security
impact, `bind_dn` is not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API].
| `bind_password` | no | The password for the user that is used to bind to the
LDAP directory. Due to its potential security impact,
`bind_password` is not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API].
*Deprecated.* Use `secure_bind_password` instead.
| `secure_bind_password` | no | ({ref}/secure-settings.html[Secure])
The password for the user that is used to bind to LDAP directory.
| `user_search.base_dn` | yes | Specifies a container DN to search for users.
| `user_search.scope` | no | The scope of the user search. Valid values are `sub_tree`,
`one_level` or `base`. `one_level` only searches objects
directly contained within the `base_dn`. `sub_tree` searches
all objects contained under `base_dn`. `base` specifies
that the `base_dn` is the user object, and that it is the
only user considered. Defaults to `sub_tree`.
| `user_search.filter` | no | Specifies the filter used to search the directory in attempt to match
an entry with the username provided by the user. Defaults to `(uid={0})`.
`{0}` is substituted with the username provided when searching.
| `user_search.attribute` | no | This setting is deprecated; use `user_search.filter` instead.
Specifies the attribute to match with the username presented
to. Defaults to `uid`.
| `user_search.pool.enabled` | no | Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is `true`.
| `user_search.pool.size` | no | Specifies the maximum number of connections to the LDAP
server to allow in the connection pool. Defaults to `20`.
| `user_search.pool.initial_size` | no | The initial number of connections to create to the LDAP
server on startup. Defaults to `0`. Values greater than `0`
could cause startup failures if the LDAP server is down.
| `user_search.pool.health_check.enabled` | no | Enables or disables a health check on LDAP connections in
the connection pool. Connections are checked in the
background at the specified interval. Defaults to `true`.
| `user_search.pool.health_check.dn` | no/yes | Specifies the distinguished name to retrieve as part of
the health check. Defaults to the value of `bind_dn`.
This setting is required when `bind_dn` is not configured.
| `user_search.pool.health_check.interval` | no | How often to perform background checks of connections in
the pool. Defaults to `60s`.
|=======================
.User Templates Mode Settings
[cols="4,^3,10"]
|=======================
| Setting | Required | Description
| `user_dn_templates` | yes | Specifies the DN template that replaces the
user name with the string `{0}`. This element
is multivalued, allowing for multiple user
contexts.
|=======================
NOTE: If any settings starting with `user_search` are specified, the
`user_dn_templates` the settings are ignored.
See {ref}/security-settings.html#ref-ldap-settings[LDAP Realm Settings].
[[mapping-roles-ldap]]
==== Mapping LDAP Groups to Roles

167
x-pack/docs/en/settings/security-settings.asciidoc
View File

@ -150,9 +150,9 @@ For a native realm, the `type` must be set to `native`. In addition to the
<<ref-realm-settings,settings that are valid for all realms>>, you can specify
the following optional settings:
`cache.ttl`:: The time-to-live for cached user entries. User credentials are
cached for this period of time. Specify the time period using the standard
{es} <<time-units,time units>>. Defaults to `20m`.
`cache.ttl`:: The time-to-live for cached user entries. A user and a hash of its
credentials are cached for this period of time. Specify the time period using
the standard {es} <<time-units,time units>>. Defaults to `20m`.
`cache.max_users`:: The maximum number of user entries that can live in the
cache at any given time. Defaults to 100,000.
@ -169,9 +169,9 @@ in-memory cached user credentials. For possible values, see
===== File realm settings
`cache.ttl`::
The time-to-live for cached user entries--user credentials are cached for
this configured period of time. Defaults to `20m`. Specify values using the
standard Elasticsearch {ref}/common-options.html#time-units[time units].
The time-to-live for cached user entries. A user and a hash of its credentials
are cached for this configured period of time. Defaults to `20m`. Specify values
using the standard {es} {ref}/common-options.html#time-units[time units].
Defaults to `20m`.
`cache.max_users`::
@ -186,12 +186,18 @@ all possible values. Defaults to `ssha256`.
[[ref-ldap-settings]]
[float]
===== LDAP realm settings
`url`::
An LDAP URL in the format `ldap[s]://<server>:<port>`. Required.
The `type` setting must be set to `ldap`. In addition to the
<<ref-realm-settings>>, you can specify the following settings:
`url`:: Specifies one or more LDAP URLs in the format
`ldap[s]://<server>:<port>`. Multiple URLs can be defined using a comma
separated value or array syntax: `[ "ldaps://server1:636", "ldaps://server2:636" ]`.
`ldaps` and `ldap` URL protocols cannot be mixed in the same realm. Required.
`load_balance.type`::
The behavior to use when there are multiple LDAP URLs defined. For supported
values see {xpack-ref}/ldap-realm.html#ldap-load-balancing[LDAP load balancing and failover types].
values see <<load-balancing,load balancing and failover types>>.
Defaults to `failover`.
`load_balance.cache_ttl`::
@ -200,36 +206,45 @@ this setting controls the amount of time to cache DNS lookups. Defaults
to `1h`.
`bind_dn`::
The DN of the user that will be used to bind to the LDAP and perform searches.
Only applicable in {xpack-ref}/ldap-realm.html#ldap-user-search[user search mode].
If this is not specified, an anonymous bind will be attempted.
Defaults to Empty.
The DN of the user that is used to bind to the LDAP and perform searches.
Only applicable in user search mode.
If not specified, an anonymous bind is attempted.
Defaults to Empty. Due to its potential security impact, `bind_dn` is not
exposed via the <<cluster-nodes-info,nodes info API>>.
`bind_password`::
The password for the user that will be used to bind to the LDAP directory.
Defaults to Empty.
*Deprecated.* Use `secure_bind_password` instead.
deprecated[6.3] Use `secure_bind_password` instead. The password for the user
that is used to bind to the LDAP directory.
Defaults to Empty. Due to its potential security impact, `bind_password` is not
exposed via the <<cluster-nodes-info,nodes info API>>.
`secure_bind_password` (<<secure-settings,Secure>>)::
The password for the user that will be used to bind to the LDAP directory.
The password for the user that is used to bind to the LDAP directory.
Defaults to Empty.
`user_dn_templates`::
The DN template that replaces the user name with the string `{0}`.
This element is multivalued; you can specify multiple user contexts.
Required to operate in user template mode. Not valid
if `user_search.base_dn` is specified. For more information on
This setting is multivalued; you can specify multiple user contexts.
Required to operate in user template mode. If `user_search.base_dn` is specified,
this setting is not valid. For more information on
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
+
--
NOTE: If any settings starting with `user_search` are specified, the
`user_dn_templates` settings are ignored.
--
`user_group_attribute`::
Specifies the attribute to examine on the user for group membership.
The default is `memberOf`. This setting will be ignored if any
`group_search` settings are specified. Defaults to `memberOf`.
If any `group_search` settings are specified, this setting is ignored. Defaults
to `memberOf`.
`user_search.base_dn`::
Specifies a container DN to search for users. Required
to operated in user search mode. Not valid if
`user_dn_templates is specified. For more information on
to operated in user search mode. If `user_dn_templates` is specified, this
setting is not valid. For more information on
the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms].
`user_search.scope`::
@ -240,18 +255,18 @@ The scope of the user search. Valid values are `sub_tree`, `one_level` or
the only user considered. Defaults to `sub_tree`.
`user_search.filter`::
Specifies the filter used to search the directory in attempt to match
Specifies the filter used to search the directory in attempts to match
an entry with the username provided by the user. Defaults to `(uid={0})`.
`{0}` is substituted with the username provided when searching.
`user_search.attribute`::
This setting is deprecated; use `user_search.filter` instead.
The attribute to match with the username presented to. Defaults to `uid`.
deprecated[5.6] Use `user_search.filter` instead.
The attribute to match with the username sent with the request. Defaults to `uid`.
`user_search.pool.enabled`::
Enables or disables connection pooling for user search. When
disabled a new connection is created for every search. The
default is `true` when `bind_dn` is provided.
Enables or disables connection pooling for user search. If set to `false`, a new
connection is created for every search. The
default is `true` when `bind_dn` is set.
`user_search.pool.size`::
The maximum number of connections to the LDAP server to allow in the
@ -259,17 +274,18 @@ connection pool. Defaults to `20`.
`user_search.pool.initial_size`::
The initial number of connections to create to the LDAP server on startup.
Defaults to `0`.
Defaults to `0`. If the LDAP server is down, values greater than `0` could cause
startup failures.
`user_search.pool.health_check.enabled`::
Flag to enable or disable a health check on LDAP connections in the connection
Enables or disables a health check on LDAP connections in the connection
pool. Connections are checked in the background at the specified interval.
Defaults to `true`.
`user_search.pool.health_check.dn`::
The distinguished name to be retrieved as part of the health check.
Defaults to the value of `bind_dn` if present, and if
not falls back to `user_search.base_dn`.
The distinguished name that is retrieved as part of the health check.
Defaults to the value of `bind_dn` if present; if
not, falls back to `user_search.base_dn`.
`user_search.pool.health_check.interval`::
The interval to perform background checks of connections in the pool.
@ -277,7 +293,7 @@ Defaults to `60s`.
`group_search.base_dn`::
The container DN to search for groups in which the user has membership. When
this element is absent, Security searches for the attribute specified by
this element is absent, {security} searches for the attribute specified by
`user_group_attribute` set on the user in order to determine group membership.
`group_search.scope`::
@ -287,30 +303,33 @@ Specifies whether the group search should be `sub_tree`, `one_level` or
`base` specifies that the `base_dn` is a group object, and that it is the
only group considered. Defaults to `sub_tree`.
`group_search.filter`::
`group_search.filter`::
Specifies a filter to use to look up a group.
When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`,
or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any
instance of `{0}` in the filter is replaced by the user attribute defined in
`group_search.user_attribute`.
`group_search.user_attribute`::
Specifies the user attribute that will be fetched and provided as a parameter to
Specifies the user attribute that is fetched and provided as a parameter to
the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
`unmapped_groups_as_roles`::
Takes a boolean variable. When this element is set to `true`, the names of any
LDAP groups that are not referenced in a role-mapping _file_ are used as role
names and assigned to the user. Defaults to `false`.
If set to `true`, the names of any unmapped LDAP groups are used as role names
and assigned to the user. A group is considered to be _unmapped_ if it is not
not referenced in a
{xpack-ref}/mapping-roles.html#mapping-roles-file[role-mapping file]. API-based
role mappings are not considered. Defaults to `false`.
`files.role_mapping`::
The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[
YAML role mapping configuration file]. Defaults to
`CONFIG_DIR/x-pack/role_mapping.yml`.
`CONFIG_DIR/role_mapping.yml`.
`follow_referrals`::
Boolean value that specifies whether Securityshould follow referrals returned
Specifies whether {security} should follow referrals returned
by the LDAP server. Referrals are URLs returned by the server that are to be
used to continue the LDAP operation (e.g. search). Defaults to `true`.
used to continue the LDAP operation (for example, search). Defaults to `true`.
`metadata`::
A list of additional LDAP attributes that should be loaded from the
@ -332,7 +351,9 @@ An `s` at the end indicates seconds, or `ms` indicates milliseconds.
Defaults to `5s` (5 seconds ).
`ssl.key`::
Path to a PEM encoded file containing the private key.
Path to a PEM encoded file containing the private key, which is used if the
LDAP server requires client authentication. `ssl.key` and `ssl.keystore.path`
cannot be used at the same time.
`ssl.key_passphrase`::
The passphrase that is used to decrypt the private key. This value is
@ -346,7 +367,9 @@ Path to a PEM encoded file containing the certificate (or certificate chain)
that will be presented to clients when they connect.
`ssl.certificate_authorities`::
List of paths to PEM encoded certificate files that should be trusted.
List of paths to PEM encoded certificate files that should be trusted.
`ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the
same time.
`ssl.keystore.path`::
The path to the Java Keystore file that contains a private key and certificate.
@ -370,7 +393,7 @@ The password for the key in the keystore. Defaults to the keystore password.
`ssl.truststore.path`::
The path to the Java Keystore file that contains the certificates to trust.
`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time.
`ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the same time.
`ssl.truststore.password`::
The password to the truststore.
@ -391,18 +414,19 @@ See <<ssl-tls-settings,`xpack.ssl.verification_mode`>> for an explanation of
these values.
`ssl.supported_protocols`::
Supported protocols with versions. Defaults to the value of
Supported protocols for TLS/SSL (with versions). Defaults to the value of
`xpack.ssl.supported_protocols`.
`ssl.cipher_suites`
`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when
communicating with the LDAP server.
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
Specifies the time-to-live for cached user entries (a user and its credentials
are cached for this period of time). Use the standard Elasticsearch
{ref}/common-options.html#time-units[time units]). Defaults to `20m`.
Specifies the time-to-live for cached user entries. A user and a hash of its
credentials are cached for this period of time. Use the standard {es}
<<time-units,time units>>. Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
@ -410,8 +434,8 @@ Defaults to `100000`.
`cache.hash_algo`::
(Expert Setting) Specifies the hashing algorithm that is used for the
in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
table for all possible values). Defaults to `ssha256`.
in-memory cached user credentials. See {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
table for all possible values. Defaults to `ssha256`.
[[ref-ad-settings]]
[float]
@ -612,8 +636,8 @@ Java Cryptography Architecture documentation]. Defaults to the value of
`xpack.ssl.cipher_suites`.
`cache.ttl`::
Specifies the time-to-live for cached user entries (user
credentials are cached for this configured period of time). Use the
Specifies the time-to-live for cached user entries. A user and a hash of its
credentials are cached for this configured period of time. Use the
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
Defaults to `20m`.
@ -663,8 +687,9 @@ Specifies the {xpack-ref}/security-files.html[location] of the
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
`cache.ttl`::
Specifies the time-to-live for cached user entries. Use the
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
Specifies the time-to-live for cached user entries. A user and a hash of its
credentials are cached for this period of time. Use the
standard {es} {ref}/common-options.html#time-units[time units]).
Defaults to `20m`.
`cache.max_users`::
@ -935,6 +960,32 @@ supported protocols for TLS/SSL.
If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the
cipher suites that should be supported.
[float]
[[load-balancing]]
===== Load balancing and failover
The `load_balance.type` setting can have the following values:
* `failover`: The URLs specified are used in the order that they are specified.
The first server that can be connected to will be used for all subsequent
connections. If a connection to that server fails then the next server that a
connection can be established to will be used for subsequent connections.
* `dns_failover`: In this mode of operation, only a single URL may be specified.
This URL must contain a DNS name. The system will be queried for all IP
addresses that correspond to this DNS name. Connections to the Active Directory
or LDAP server will always be tried in the order in which they were retrieved.
This differs from `failover` in that there is no reordering of the list and if a
server has failed at the beginning of the list, it will still be tried for each
subsequent connection.
* `round_robin`: Connections will continuously iterate through the list of
provided URLs. If a server is unavailable, iterating through the list of URLs
will continue until a successful connection is made.
* `dns_round_robin`: In this mode of operation, only a single URL may be
specified. This URL must contain a DNS name. The system will be queried for all
IP addresses that correspond to this DNS name. Connections will continuously
iterate through the list of addresses. If a server is unavailable, iterating
through the list of URLs will continue until a successful connection is made.
[float]
[[ssl-tls-settings]]
==== Default TLS/SSL settings