support group_members_are_ids for ldap

Related-Bug: PROD-20556

Change-Id: Ib85e8e83204210b31a24c0e6989eb38595a19b58
diff --git a/README.rst b/README.rst
index c5a2ad0..2f82d11 100644
--- a/README.rst
+++ b/README.rst
@@ -272,6 +272,23 @@
           user_enabled_emulation_dn: "cn=os-user-enabled,ou=Openstack,o=domain.com"
           user_enabled_emulation_use_group_config: True
 
+If the members of the group objectclass are user IDs rather than DNs, set  group_members_are_ids to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        backend: ldap
+        assignment:
+          backend: sql
+        ldap:
+          url: "ldaps://idm.domain.com"
+          suffix: "dc=cloud,dc=domain,dc=com"
+          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+          uid: keystone
+          password: password
+          group_members_are_ids: True
+
 Simple service endpoint definition (defaults to RegionOne)
 
 .. code-block:: yaml
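Review bot: The new README paragraph has a double space in "set  group_members_are_ids"; collapse it to a single space, and consider marking the option name as a literal (``group_members_are_ids``) to match the rest of the rst. Also, the prose says this applies when posixGroup is the group objectclass, but the yaml example only shows `group_members_are_ids: True` without the group objectclass it goes with; if the formula exposes that setting, adding it to the example would make the two settings read as one configuration rather than leaving the reader to guess where the objectclass is configured.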
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index cdba33b..595ccd1 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -66,6 +66,9 @@
 {%- if ldap.get('filter', {}).get('group', False) %}
 group_filter = {{ ldap.filter.group }}
 {%- endif %}
+{%- if ldap.group_members_are_ids is defined  %}
+group_members_are_ids = {{ ldap.group_members_are_ids }}
+{%- endif %}
 
 {%- if ldap.tls is defined %}
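Review bot: Stray double space before `%}` in `{%- if ldap.group_members_are_ids is defined  %}`; tighten it to match the surrounding conditionals such as `{%- if ldap.tls is defined %}`. The value is rendered as-is with `{{ ldap.group_members_are_ids }}`, so whatever the pillar holds lands in the keystone config unchanged; the README example uses `True`, which works, but the template does not coerce the value, so it is worth stating in the README that a boolean is expected rather than a string. Also note the neighbouring `group_filter` block uses the `ldap.get('filter', {}).get('group', False)` style while this one uses `is defined`; either is fine, but picking one style for adjacent options keeps the template consistent.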