Allow using ldap user_filter
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
index 9d4a571..a433b66 100644
--- a/keystone/files/keystone.domain.conf
+++ b/keystone/files/keystone.domain.conf
@@ -14,12 +14,17 @@
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
+{%- if domain.ldap.get('read_only', True) %}
user_allow_create = false
user_allow_update = false
user_allow_delete = false
+{%- endif %}
user_enabled_attribute = nsAccountLock
user_enabled_default = False
user_enabled_invert = true
+{%- if domain.ldap.get('filter', {}).get('user', False) %}
+user_filter = {{ domain.ldap.filter.user }}
+{%- endif %}
# Group mapping
group_tree_dn = cn=groups,cn=accounts,{{ domain.ldap.suffix }}
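Review bot: With `read_only: False` the three `user_allow_*` lines are dropped from the rendered file rather than set, so whether Keystone may create, update or delete LDAP entries is left to the installed release's defaults. In releases that still honour these options I believe the default is to allow writes, which should be confirmed. The same pattern is applied to `group_allow_*` in the second hunk. Rendering the value explicitly keeps the effective permission visible in the file, e.g. `user_allow_create = {{ 'false' if domain.ldap.get('read_only', True) else 'true' }}` for each of the three options. Separately, `user_filter` is written from pillar unquoted, so a comment such as `# filter.user: single-line LDAP filter in parentheses; limits which entries Keystone treats as users` would help, since a multi-line value would add further lines to this section, which starts above the hunk.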
@@ -28,9 +33,11 @@
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
+{%- if domain.ldap.get('read_only', True) %}
group_allow_create = false
group_allow_update = false
group_allow_delete = false
+{%- endif %}
{%- if domain.ldap.tls is defined %}