From 05160e6cd8f3f2e3dd00ef359f9ca430cccfa873 Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Mon, 30 Apr 2018 08:04:15 -0700 Subject: [PATCH] [DOCS] Removes redundant LDAP realm settings (#30193) --- .../authentication/ldap-realm.asciidoc | 202 +----------------- .../en/settings/security-settings.asciidoc | 167 ++++++++++----- 2 files changed, 111 insertions(+), 258 deletions(-) diff --git a/x-pack/docs/en/security/authentication/ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/ldap-realm.asciidoc index bd32c496228..15b014183aa 100644 --- a/x-pack/docs/en/security/authentication/ldap-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/ldap-realm.asciidoc 
@@ -137,211 +137,13 @@ The `load_balance.type` setting can be used at the realm level to configure how {security} should interact with multiple LDAP servers. {security} supports both failover and load balancing modes of operation. -.Load Balancing and Failover Types -|======================= -| Type | | | Description -| `failover` | | | The URLs specified are used in the order that they are specified. - The first server that can be connected to will be used for all - subsequent connections. If a connection to that server fails then - the next server that a connection can be established to will be - used for subsequent connections. -| `dns_failover` | | | In this mode of operation, only a single URL may be specified. - This URL must contain a DNS name. The system will be queried for - all IP addresses that correspond to this DNS name. Connections to - the LDAP server will always be tried in the order in which they - were retrieved. This differs from `failover` in that there is no - reordering of the list and if a server has failed at the beginning - of the list, it will still be tried for each subsequent connection. -| `round_robin` | | | Connections will continuously iterate through the list of provided - URLs. If a server is unavailable, iterating through the list of - URLs will continue until a successful connection is made. -| `dns_round_robin` | | | In this mode of operation, only a single URL may be specified. This - URL must contain a DNS name. The system will be queried for all IP - addresses that correspond to this DNS name. Connections will - continuously iterate through the list of addresses. If a server is - unavailable, iterating through the list of URLs will continue until - a successful connection is made. -|======================= +See {ref}/security-settings.html#load-balancing[Load Balancing and Failover Settings]. 
[[ldap-settings]] ===== LDAP Realm Settings -.Common LDAP Realm Settings -[cols="4,^3,10"] -|======================= -| Setting | Required | Description -| `type` | yes | Indicates the realm type. Must be set to `ldap`. -| `order` | no | Indicates the priority of this realm within the realm - chain. Realms with a lower order are consulted first. - Although not required, we recommend explicitly - setting this value when you configure multiple realms. - Defaults to `Integer.MAX_VALUE`. -| `enabled` | no | Indicates whether this realm is enabled or disabled. - Enables you to disable a realm without removing its - configuration. Defaults to `true`. -| `url` | yes | Specifies one or more LDAP URLs of the form of - `ldap[s]://:`. Multiple URLs can be - defined using a comma separated value or array syntax: - `[ "ldaps://server1:636", "ldaps://server2:636" ]`. - `ldaps` and `ldap` URL protocols cannot be mixed in - the same realm. -| `load_balance.type` | no | The behavior to use when there are multiple LDAP URLs - defined. For supported values see - <>. -| `load_balance.cache_ttl` | no | When using `dns_failover` or `dns_round_robin` as the - load balancing type, this setting controls the amount of time - to cache DNS lookups. Defaults to `1h`. -| `user_group_attribute` | no | Specifies the attribute to examine on the user for group - membership. The default is `memberOf`. This setting will - be ignored if any `group_search` settings are specified. -| `group_search.base_dn` | no | Specifies a container DN to search for groups in which - the user has membership. When this element is absent, - Security searches for the attribute specified by - `user_group_attribute` set on the user to determine - group membership. -| `group_search.scope` | no | Specifies whether the group search should be - `sub_tree`, `one_level` or `base`. `one_level` only - searches objects directly contained within the - `base_dn`. 
The default `sub_tree` searches all objects - contained under `base_dn`. `base` specifies that the - `base_dn` is a group object, and that it is the only - group considered. -| `group_search.filter` | no | Specifies a filter to use to lookup a group. If not - set, the realm searches for `group`, - `groupOfNames`, `groupOfUniqueNames`, or `posixGroup` with the - attributes `member`, `memberOf`, or `memberUid`. Any instance of - `{0}` in the filter is replaced by the user - attribute defined in `group_search.user_attribute` -| `group_search.user_attribute` | no | Specifies the user attribute that is fetched and - provided as a parameter to the filter. If not set, - the user DN is passed to the filter. -| `unmapped_groups_as_roles` | no | Specifies whether the names of any unmapped LDAP groups - should be used as role names and assigned to the user. - A group is considered to be _unmapped_ if it is not referenced - in any <> (API based - role-mappings are not considered). - Defaults to `false`. -| `timeout.tcp_connect` | no | Specifies the TCP connect timeout period for establishing an - LDAP connection. An `s` at the end indicates seconds, or `ms` - indicates milliseconds. Defaults to `5s` (5 seconds). -| `timeout.tcp_read` | no | Specifies the TCP read timeout period after establishing an LDAP connection. - An `s` at the end indicates seconds, or `ms` indicates milliseconds. - Defaults to `5s` (5 seconds). -| `timeout.ldap_search` | no | Specifies the LDAP Server enforced timeout period for an LDAP search. - An `s` at the end indicates seconds, or `ms` indicates milliseconds. - Defaults to `5s` (5 seconds). -| `files.role_mapping` | no | Specifies the path and file name for the - <>. - Defaults to `ES_HOME/config/x-pack/role_mapping.yml`. -| `follow_referrals` | no | Specifies whether {security} should follow referrals - returned by the LDAP server. Referrals are URLs returned by - the server that are to be used to continue the LDAP operation - (e.g. search). 
Defaults to `true`. -| `metadata` | no | Specifies the list of additional LDAP attributes that should - be stored in the `metadata` of an authenticated user. -| `ssl.key` | no | Specifies the path to the PEM encoded private key to use if the LDAP - server requires client authentication. `ssl.key` and `ssl.keystore.path` - may not be used at the same time. -| `ssl.key_passphrase` | no | Specifies the passphrase to decrypt the PEM encoded private key if it is encrypted. -| `ssl.certificate` | no | Specifies the path to the PEM encoded certificate (or certificate chain) that goes with the - key if the LDAP server requires client authentication. -| `ssl.certificate_authorities` | no | Specifies the paths to the PEM encoded certificate authority certificates that - should be trusted. `ssl.certificate_authorities` and `ssl.truststore.path` may not be used - at the same time. -| `ssl.keystore.path` | no | The path to the Java Keystore file that contains a private key and certificate. `ssl.key` and - `ssl.keystore.path` may not be used at the same time. -| `ssl.keystore.password` | no | The password to the keystore. -| `ssl.keystore.key_password` | no | The password for the key in the keystore. Defaults to the keystore password. -| `ssl.truststore.path` | no | The path to the Java Keystore file that contains the certificates to trust. - `ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. -| `ssl.truststore.password` | no | The password to the truststore. -| `ssl.verification_mode` | no | Specifies the type of verification to be performed when - connecting to a LDAP server using `ldaps`. When - set to `full`, the hostname or IP address used in the `url` - must match one of the names in the certificate or the - connection will not be allowed. Due to their potential security impact, - `ssl` settings are not exposed via the - {ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API]. - Values are `none`, `certificate`, and `full`. 
Defaults to `full`. - See {ref}/security-settings.html#ssl-tls-settings[`xpack.ssl.verification_mode`] - for an explanation of these values. -| `ssl.supported_protocols` | no | Specifies the supported protocols for SSL/TLS. -| `ssl.cipher_suites` | no | Specifies the cipher suites that should be supported when communicating - with the LDAP server. -| `cache.ttl` | no | Specifies the time-to-live for cached user entries. A - user's credentials are cached for this period of time. - Specify the time period using the standard Elasticsearch - {ref}/common-options.html#time-units[time units]. - Defaults to `20m`. -| `cache.max_users` | no | Specifies the maximum number of user entries that can be - stored in the cache at one time. Defaults to 100,000. -| `cache.hash_algo` | no | Specifies the hashing algorithm that is used for the - cached user credentials. See - <> for the possible - values. (Expert Setting). -|======================= - -.User Search Mode Settings -|======================= -| Setting | Required | Description -| `bind_dn` | no | The DN of the user that is used to bind to the LDAP - and perform searches. If not specified, an anonymous - bind is attempted. Due to its potential security - impact, `bind_dn` is not exposed via the - {ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API]. -| `bind_password` | no | The password for the user that is used to bind to the - LDAP directory. Due to its potential security impact, - `bind_password` is not exposed via the - {ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API]. - *Deprecated.* Use `secure_bind_password` instead. -| `secure_bind_password` | no | ({ref}/secure-settings.html[Secure]) - The password for the user that is used to bind to LDAP directory. -| `user_search.base_dn` | yes | Specifies a container DN to search for users. -| `user_search.scope` | no | The scope of the user search. Valid values are `sub_tree`, - `one_level` or `base`. 
`one_level` only searches objects - directly contained within the `base_dn`. `sub_tree` searches - all objects contained under `base_dn`. `base` specifies - that the `base_dn` is the user object, and that it is the - only user considered. Defaults to `sub_tree`. -| `user_search.filter` | no | Specifies the filter used to search the directory in attempt to match - an entry with the username provided by the user. Defaults to `(uid={0})`. - `{0}` is substituted with the username provided when searching. -| `user_search.attribute` | no | This setting is deprecated; use `user_search.filter` instead. - Specifies the attribute to match with the username presented - to. Defaults to `uid`. -| `user_search.pool.enabled` | no | Enables or disables connection pooling for user search. When - disabled a new connection is created for every search. The - default is `true`. -| `user_search.pool.size` | no | Specifies the maximum number of connections to the LDAP - server to allow in the connection pool. Defaults to `20`. -| `user_search.pool.initial_size` | no | The initial number of connections to create to the LDAP - server on startup. Defaults to `0`. Values greater than `0` - could cause startup failures if the LDAP server is down. -| `user_search.pool.health_check.enabled` | no | Enables or disables a health check on LDAP connections in - the connection pool. Connections are checked in the - background at the specified interval. Defaults to `true`. -| `user_search.pool.health_check.dn` | no/yes | Specifies the distinguished name to retrieve as part of - the health check. Defaults to the value of `bind_dn`. - This setting is required when `bind_dn` is not configured. -| `user_search.pool.health_check.interval` | no | How often to perform background checks of connections in - the pool. Defaults to `60s`. 
-|======================= - -.User Templates Mode Settings -[cols="4,^3,10"] -|======================= -| Setting | Required | Description -| `user_dn_templates` | yes | Specifies the DN template that replaces the - user name with the string `{0}`. This element - is multivalued, allowing for multiple user - contexts. -|======================= - - -NOTE: If any settings starting with `user_search` are specified, the - `user_dn_templates` the settings are ignored. - +See {ref}/security-settings.html#ref-ldap-settings[LDAP Realm Settings]. [[mapping-roles-ldap]] ==== Mapping LDAP Groups to Roles diff --git a/x-pack/docs/en/settings/security-settings.asciidoc b/x-pack/docs/en/settings/security-settings.asciidoc index 046d76784fb..97413ed07bb 100644 --- a/x-pack/docs/en/settings/security-settings.asciidoc +++ b/x-pack/docs/en/settings/security-settings.asciidoc @@ -150,9 +150,9 @@ For a native realm, the `type` must be set to `native`. In addition to the <>, you can specify the following optional settings: -`cache.ttl`:: The time-to-live for cached user entries. User credentials are -cached for this period of time. Specify the time period using the standard -{es} <>. Defaults to `20m`. +`cache.ttl`:: The time-to-live for cached user entries. A user and a hash of its +credentials are cached for this period of time. Specify the time period using +the standard {es} <>. Defaults to `20m`. `cache.max_users`:: The maximum number of user entries that can live in the cache at any given time. Defaults to 100,000. 
@@ -169,9 +169,9 @@ in-memory cached user credentials. For possible values, see ===== File realm settings `cache.ttl`:: -The time-to-live for cached user entries--user credentials are cached for -this configured period of time. Defaults to `20m`. Specify values using the -standard Elasticsearch {ref}/common-options.html#time-units[time units]. +The time-to-live for cached user entries. A user and a hash of its credentials +are cached for this configured period of time. Defaults to `20m`. Specify values +using the standard {es} {ref}/common-options.html#time-units[time units]. Defaults to `20m`. `cache.max_users`:: @@ -186,12 +186,18 @@ all possible values. Defaults to `ssha256`. [[ref-ldap-settings]] [float] ===== LDAP realm settings -`url`:: -An LDAP URL in the format `ldap[s]://:`. Required. + +The `type` setting must be set to `ldap`. In addition to the +<>, you can specify the following settings: + +`url`:: Specifies one or more LDAP URLs in the format +`ldap[s]://:`. Multiple URLs can be defined using a comma +separated value or array syntax: `[ "ldaps://server1:636", "ldaps://server2:636" ]`. +`ldaps` and `ldap` URL protocols cannot be mixed in the same realm. Required. `load_balance.type`:: The behavior to use when there are multiple LDAP URLs defined. For supported -values see {xpack-ref}/ldap-realm.html#ldap-load-balancing[LDAP load balancing and failover types]. +values see <>. Defaults to `failover`. `load_balance.cache_ttl`:: 
@@ -200,36 +206,45 @@ this setting controls the amount of time to cache DNS lookups. Defaults to `1h`. `bind_dn`:: -The DN of the user that will be used to bind to the LDAP and perform searches. -Only applicable in {xpack-ref}/ldap-realm.html#ldap-user-search[user search mode]. -If this is not specified, an anonymous bind will be attempted. -Defaults to Empty. +The DN of the user that is used to bind to the LDAP and perform searches. +Only applicable in user search mode. +If not specified, an anonymous bind is attempted. +Defaults to Empty. Due to its potential security impact, `bind_dn` is not +exposed via the <>. `bind_password`:: -The password for the user that will be used to bind to the LDAP directory. -Defaults to Empty. -*Deprecated.* Use `secure_bind_password` instead. +deprecated[6.3] Use `secure_bind_password` instead. The password for the user +that is used to bind to the LDAP directory. +Defaults to Empty. Due to its potential security impact, `bind_password` is not +exposed via the <>. + `secure_bind_password` (<>):: -The password for the user that will be used to bind to the LDAP directory. +The password for the user that is used to bind to the LDAP directory. Defaults to Empty. `user_dn_templates`:: The DN template that replaces the user name with the string `{0}`. -This element is multivalued; you can specify multiple user contexts. -Required to operate in user template mode. Not valid -if `user_search.base_dn` is specified. For more information on +This setting is multivalued; you can specify multiple user contexts. +Required to operate in user template mode. If `user_search.base_dn` is specified, +this setting is not valid. For more information on the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms]. ++ +-- +NOTE: If any settings starting with `user_search` are specified, the +`user_dn_templates` settings are ignored. + +-- `user_group_attribute`:: Specifies the attribute to examine on the user for group membership. 
-The default is `memberOf`. This setting will be ignored if any -`group_search` settings are specified. Defaults to `memberOf`. +If any `group_search` settings are specified, this setting is ignored. Defaults +to `memberOf`. `user_search.base_dn`:: Specifies a container DN to search for users. Required -to operated in user search mode. Not valid if -`user_dn_templates is specified. For more information on +to operated in user search mode. If `user_dn_templates` is specified, this +setting is not valid. For more information on the different modes, see {xpack-ref}/ldap-realm.html[LDAP realms]. `user_search.scope`:: @@ -240,18 +255,18 @@ The scope of the user search. Valid values are `sub_tree`, `one_level` or the only user considered. Defaults to `sub_tree`. `user_search.filter`:: -Specifies the filter used to search the directory in attempt to match +Specifies the filter used to search the directory in attempts to match an entry with the username provided by the user. Defaults to `(uid={0})`. `{0}` is substituted with the username provided when searching. `user_search.attribute`:: -This setting is deprecated; use `user_search.filter` instead. -The attribute to match with the username presented to. Defaults to `uid`. +deprecated[5.6] Use `user_search.filter` instead. +The attribute to match with the username sent with the request. Defaults to `uid`. `user_search.pool.enabled`:: -Enables or disables connection pooling for user search. When -disabled a new connection is created for every search. The -default is `true` when `bind_dn` is provided. +Enables or disables connection pooling for user search. If set to `false`, a new +connection is created for every search. The +default is `true` when `bind_dn` is set. `user_search.pool.size`:: The maximum number of connections to the LDAP server to allow in the 
@@ -259,17 +274,18 @@ connection pool. Defaults to `20`. `user_search.pool.initial_size`:: The initial number of connections to create to the LDAP server on startup. -Defaults to `0`. +Defaults to `0`. If the LDAP server is down, values greater than `0` could cause +startup failures. `user_search.pool.health_check.enabled`:: -Flag to enable or disable a health check on LDAP connections in the connection +Enables or disables a health check on LDAP connections in the connection pool. Connections are checked in the background at the specified interval. Defaults to `true`. `user_search.pool.health_check.dn`:: -The distinguished name to be retrieved as part of the health check. -Defaults to the value of `bind_dn` if present, and if -not falls back to `user_search.base_dn`. +The distinguished name that is retrieved as part of the health check. +Defaults to the value of `bind_dn` if present; if +not, falls back to `user_search.base_dn`. `user_search.pool.health_check.interval`:: The interval to perform background checks of connections in the pool. @@ -277,7 +293,7 @@ Defaults to `60s`. `group_search.base_dn`:: The container DN to search for groups in which the user has membership. When -this element is absent, Security searches for the attribute specified by +this element is absent, {security} searches for the attribute specified by `user_group_attribute` set on the user in order to determine group membership. `group_search.scope`:: 
@@ -287,30 +303,33 @@ Specifies whether the group search should be `sub_tree`, `one_level` or `base` specifies that the `base_dn` is a group object, and that it is the only group considered. Defaults to `sub_tree`. -`group_search.filter`:: +`group_search.filter`:: +Specifies a filter to use to look up a group. When not set, the realm searches for `group`, `groupOfNames`, `groupOfUniqueNames`, or `posixGroup` with the attributes `member`, `memberOf`, or `memberUid`. Any instance of `{0}` in the filter is replaced by the user attribute defined in `group_search.user_attribute`. `group_search.user_attribute`:: -Specifies the user attribute that will be fetched and provided as a parameter to +Specifies the user attribute that is fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. Defaults to Empty. `unmapped_groups_as_roles`:: -Takes a boolean variable. When this element is set to `true`, the names of any -LDAP groups that are not referenced in a role-mapping _file_ are used as role -names and assigned to the user. Defaults to `false`. +If set to `true`, the names of any unmapped LDAP groups are used as role names +and assigned to the user. A group is considered to be _unmapped_ if it is not +not referenced in a +{xpack-ref}/mapping-roles.html#mapping-roles-file[role-mapping file]. API-based +role mappings are not considered. Defaults to `false`. `files.role_mapping`:: The {xpack-ref}/security-files.html[location] for the {xpack-ref}/mapping-roles.html#mapping-roles[ YAML role mapping configuration file]. Defaults to -`CONFIG_DIR/x-pack/role_mapping.yml`. +`CONFIG_DIR/role_mapping.yml`. `follow_referrals`:: -Boolean value that specifies whether Securityshould follow referrals returned +Specifies whether {security} should follow referrals returned by the LDAP server. Referrals are URLs returned by the server that are to be -used to continue the LDAP operation (e.g. search). Defaults to `true`. 
+used to continue the LDAP operation (for example, search). Defaults to `true`. `metadata`:: A list of additional LDAP attributes that should be loaded from the @@ -332,7 +351,9 @@ An `s` at the end indicates seconds, or `ms` indicates milliseconds. Defaults to `5s` (5 seconds ). `ssl.key`:: -Path to a PEM encoded file containing the private key. +Path to a PEM encoded file containing the private key, which is used if the +LDAP server requires client authentication. `ssl.key` and `ssl.keystore.path` +cannot be used at the same time. `ssl.key_passphrase`:: The passphrase that is used to decrypt the private key. This value is @@ -346,7 +367,9 @@ Path to a PEM encoded file containing the certificate (or certificate chain) that will be presented to clients when they connect. `ssl.certificate_authorities`:: -List of paths to PEM encoded certificate files that should be trusted. +List of paths to PEM encoded certificate files that should be trusted. +`ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the +same time. `ssl.keystore.path`:: The path to the Java Keystore file that contains a private key and certificate. @@ -370,7 +393,7 @@ The password for the key in the keystore. Defaults to the keystore password. `ssl.truststore.path`:: The path to the Java Keystore file that contains the certificates to trust. -`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the same time. +`ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the same time. `ssl.truststore.password`:: The password to the truststore. 
@@ -391,18 +414,19 @@ See <> for an explanation of these values. `ssl.supported_protocols`:: -Supported protocols with versions. Defaults to the value of +Supported protocols for TLS/SSL (with versions). Defaults to the value of `xpack.ssl.supported_protocols`. -`ssl.cipher_suites` +`ssl.cipher_suites`:: Specifies the cipher suites that should be supported when +communicating with the LDAP server. Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to the value of `xpack.ssl.cipher_suites`. `cache.ttl`:: -Specifies the time-to-live for cached user entries (a user and its credentials -are cached for this period of time). Use the standard Elasticsearch -{ref}/common-options.html#time-units[time units]). Defaults to `20m`. +Specifies the time-to-live for cached user entries. A user and a hash of its +credentials are cached for this period of time. Use the standard {es} +<>. Defaults to `20m`. `cache.max_users`:: Specifies the maximum number of user entries that the cache can contain. @@ -410,8 +434,8 @@ Defaults to `100000`. `cache.hash_algo`:: (Expert Setting) Specifies the hashing algorithm that is used for the -in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] -table for all possible values). Defaults to `ssha256`. +in-memory cached user credentials. See {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] +table for all possible values. Defaults to `ssha256`. [[ref-ad-settings]] [float] 
@@ -612,8 +636,8 @@ Java Cryptography Architecture documentation]. Defaults to the value of `xpack.ssl.cipher_suites`. `cache.ttl`:: -Specifies the time-to-live for cached user entries (user -credentials are cached for this configured period of time). Use the +Specifies the time-to-live for cached user entries. A user and a hash of its +credentials are cached for this configured period of time. Use the standard Elasticsearch {ref}/common-options.html#time-units[time units]). Defaults to `20m`. @@ -663,8 +687,9 @@ Specifies the {xpack-ref}/security-files.html[location] of the Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`. `cache.ttl`:: -Specifies the time-to-live for cached user entries. Use the -standard Elasticsearch {ref}/common-options.html#time-units[time units]). +Specifies the time-to-live for cached user entries. A user and a hash of its +credentials are cached for this period of time. Use the +standard {es} {ref}/common-options.html#time-units[time units]). Defaults to `20m`. `cache.max_users`:: 
@@ -935,6 +960,32 @@ supported protocols for TLS/SSL. If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the cipher suites that should be supported. +[float] +[[load-balancing]] +===== Load balancing and failover + +The `load_balance.type` setting can have the following values: + +* `failover`: The URLs specified are used in the order that they are specified. +The first server that can be connected to will be used for all subsequent +connections. If a connection to that server fails then the next server that a +connection can be established to will be used for subsequent connections. +* `dns_failover`: In this mode of operation, only a single URL may be specified. +This URL must contain a DNS name. The system will be queried for all IP +addresses that correspond to this DNS name. Connections to the Active Directory +or LDAP server will always be tried in the order in which they were retrieved. +This differs from `failover` in that there is no reordering of the list and if a +server has failed at the beginning of the list, it will still be tried for each +subsequent connection. +* `round_robin`: Connections will continuously iterate through the list of +provided URLs. If a server is unavailable, iterating through the list of URLs +will continue until a successful connection is made. +* `dns_round_robin`: In this mode of operation, only a single URL may be +specified. This URL must contain a DNS name. The system will be queried for all +IP addresses that correspond to this DNS name. Connections will continuously +iterate through the list of addresses. If a server is unavailable, iterating +through the list of URLs will continue until a successful connection is made. + [float] [[ssl-tls-settings]] ==== Default TLS/SSL settings
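Review bot: In the ldap-realm.asciidoc hunk (`@@ -137,211 +137,13 @@`), the removed row for `user_search.pool.health_check.dn` says the setting "is required when `bind_dn` is not configured", but the entry kept in security-settings.asciidoc says it falls back to `user_search.base_dn`. The two statements disagree, and after this removal only the second one remains. Please confirm which behaviour is correct, and if the requirement is real, carry it into the `user_search.pool.health_check.dn` entry in security-settings.asciidoc.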
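Review bot: In the file realm `cache.ttl` entry (`@@ -169,9 +169,9 @@`), the rewritten text now contains "Defaults to `20m`." in the added lines and again in the unchanged line that follows, so the default is stated twice in one entry. Drop one of them, preferably the trailing context line, so the entry ends with the sentence about time units as the other realms do.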
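Review bot: In the `user_search.base_dn` entry (`@@ -200,36 +206,45 @@`), the added line still reads "to operated in user search mode"; since the line is being rewritten anyway, fix it to "to operate". In the same hunk, `user_dn_templates` is described as "not valid" when `user_search.base_dn` is specified, while the NOTE added directly below says the `user_dn_templates` settings "are ignored" when any `user_search` setting is present. Pick one wording so readers know whether the combination is rejected or silently ignored.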
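Review bot: In the `unmapped_groups_as_roles` entry (`@@ -287,30 +303,33 @@`), the added text wraps as "if it is not" / "not referenced in a", which renders as "not not referenced"; remove the duplicated word. Also in this hunk, the `files.role_mapping` default changes to `CONFIG_DIR/role_mapping.yml`, while the unchanged context in the `@@ -663,8 +687,9 @@` hunk still shows `CONFIG_DIR/x-pack/role_mapping.yml` for another realm. If the path changed for all realms, update the other entries in the same patch.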
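Review bot: In both `cache.ttl` entries touched at `@@ -612,8 +636,8 @@` and `@@ -663,8 +687,9 @@`, the time-units link still ends with a stray closing parenthesis: `[time units]).` The first is left in an unchanged line after the opening parenthesis was removed, and the second is in an added line. Remove the `)` in both places. The first entry also keeps "standard Elasticsearch" where the rest of the patch switches to `{es}`; make that consistent.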
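Review bot: In the new "Load balancing and failover" section (`@@ -935,6 +960,32 @@`), the bullets keep the future tense from the removed table ("will be used", "will be queried", "will always be tried"), while the rest of this patch converts settings text to present tense. Rewrite the bullets in present tense for consistency. In the `dns_round_robin` bullet, "iterating through the list of URLs" should say "list of addresses", since that mode allows only a single URL.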