Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / keystone / 467059160d486f29dc80954e47fc9c39c3d1f237^! / . / README.rst
commit467059160d486f29dc80954e47fc9c39c3d1f237[log] [tgz]
authorDzmitry Stremkouski <dstremkouski@mirantis.com>Tue Jul 30 16:16:29 2019 +0200
committerDzmitry Stremkouski <dstremkouski@mirantis.com>Tue Jul 30 17:34:16 2019 +0200
tree428e4e6610af3fbcc4a11452afa2e3e6690b1bd3
parentd363e1e4b6d1b9492bac976649bce265b6d2d89e [diff] [blame]
Ldap configuration changes:

- added new parameter: user_attribute_ignore (string) to manage it
- added new parameter: group_mapping (bool) to disable group mapping block
- fixed tests and doc for multiple ldap parameters
- done some code sugar fix: indentation

Prod-Related: PROD-32324
Change-Id: I6e73c9a55f205ce04e4a8dc91e661e0d833f6748

diff --git a/README.rst b/README.rst
index 0ec9620..ab7a965 100644
--- a/README.rst
+++ b/README.rst

@@ -199,6 +199,22 @@
         ...
 
 Keystone domain with LDAP backend, using SQL for
+role/project assignment and disabled group mapping block:
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        domain:
+          external:
+            description: "Testing domain"
+            backend: ldap
+            assignment:
+              backend: sql
+            ldap:
+              group_mapping: False
+
+Keystone domain with LDAP backend, using SQL for
 role/project assignment:
 
 .. code-block:: yaml
@@ -212,11 +228,24 @@
             assignment:
               backend: sql
             ldap:
+              group_mapping: False
               url: "ldaps://idm.domain.com"
               suffix: "dc=cloud,dc=domain,dc=com"
               # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
               uid: keystone
               password: password
+              query_scope: "sub"
+              bind_user: "CN=lab,CN=users,${keystone:server:domain:testing:ldap:suffix}"
+              filter:
+                user: "(memberOf=CN=Grp-atm-admins,CN=Users,${keystone:server:domain:testing:ldap:suffix})"
+              user_tree_dn: "CN=users,${keystone:server:domain:testing:ldap:suffix}"
+              user_id_attribute: "sAMAccountName"
+              user_name_attribute: "sAMAccountName"
+              user_pass_attribute: ""
+              user_enabled_default: 512
+              user_enabled_mask: 2
+              user_enabled_attribute: "userAccountControl"
+              user_attribute_ignore: "password,tenant_id,tenants"
 
 Use driver aliases for drivers instead of class path's: