support group_members_are_ids for ldap
Related-Bug: PROD-20556
Change-Id: Ib85e8e83204210b31a24c0e6989eb38595a19b58
diff --git a/README.rst b/README.rst
index c5a2ad0..2f82d11 100644
--- a/README.rst
+++ b/README.rst
@@ -272,6 +272,23 @@
user_enabled_emulation_dn: "cn=os-user-enabled,ou=Openstack,o=domain.com"
user_enabled_emulation_use_group_config: True
+If the members of the group objectclass are user IDs rather than DNs, set group_members_are_ids to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ backend: ldap
+ assignment:
+ backend: sql
+ ldap:
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
+ uid: keystone
+ password: password
+ group_members_are_ids: True
+
Simple service endpoint definition (defaults to RegionOne)
.. code-block:: yaml
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index cdba33b..595ccd1 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -66,6 +66,9 @@
{%- if ldap.get('filter', {}).get('group', False) %}
group_filter = {{ ldap.filter.group }}
{%- endif %}
+{%- if ldap.group_members_are_ids is defined %}
+group_members_are_ids = {{ ldap.group_members_are_ids }}
+{%- endif %}
{%- if ldap.tls is defined %}