Added possibility to set custom LDAP "user_enabled" attribute

Related-Prod: PROD-17582

Change-Id: Idda05607397145af7deaf6768f8ce4af73dcec4a
diff --git a/README.rst b/README.rst
index 8b80ef4..1d39d55 100644
--- a/README.rst
+++ b/README.rst
@@ -230,6 +230,28 @@
           uid: keystone
           password: password
 
+Using LDAP backend for default domain with "user_enabled" field emulation
+
+.. code-block:: yaml
+
+    keystone:
+      server:
+        backend: ldap
+        assignment:
+          backend: sql
+        ldap:
+          url: "ldap://idm.domain.com"
+          suffix: "ou=Openstack Service Users,o=domain.com"
+          bind_user: keystone
+          password: password
+          # Define LDAP "group" object class and "membership" attribute
+          group_objectclass: groupOfUniqueNames
+          group_member_attribute: uniqueMember
+          # User will receive "enabled" attribute basing on membership in "os-user-enabled" group
+          user_enabled_emulation: True
+          user_enabled_emulation_dn: "cn=os-user-enabled,ou=Openstack,o=domain.com"
+          user_enabled_emulation_use_group_config: True
+
 Simple service endpoint definition (defaults to RegionOne)
 
 .. code-block:: yaml
diff --git a/keystone/files/_ldap.conf b/keystone/files/_ldap.conf
index cabf873..cdba33b 100644
--- a/keystone/files/_ldap.conf
+++ b/keystone/files/_ldap.conf
@@ -37,6 +37,15 @@
 {%- if ldap.get('filter', {}).get('user', False) %}
 user_filter = {{ ldap.filter.user }}
 {%- endif %}
+{%- if ldap.user_enabled_emulation is defined %}
+user_enabled_emulation = {{ ldap.user_enabled_emulation }}
+{%- endif %}
+{%- if ldap.user_enabled_emulation_dn is defined %}
+user_enabled_emulation_dn = {{ ldap.user_enabled_emulation_dn }}
+{%- endif %}
+{%- if ldap.user_enabled_emulation_use_group_config is defined %}
+user_enabled_emulation_use_group_config = {{ ldap.user_enabled_emulation_use_group_config }}
+{%- endif %}
 
 # Group mapping
 {%- if ldap.group_tree_dn is defined  %}
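Review bot: The three `user_enabled_emulation*` options are rendered independently of each other, so a pillar that sets `user_enabled_emulation: True` but omits `user_enabled_emulation_dn` yields a config in which the enabled/disabled decision comes from whatever group DN Keystone falls back to (that default is not visible here; confirm it against the Keystone LDAP documentation). Because this setting decides which LDAP accounts are treated as enabled, consider rendering the DN and `user_enabled_emulation_use_group_config` only inside the `user_enabled_emulation` condition. A template comment such as `# user_enabled_emulation_dn must name the group whose members are treated as enabled` would also help. `user_enabled_emulation_use_group_config` presumably depends on the group object class and member attribute rendered in the "Group mapping" section, which begins at the end of this hunk and continues outside it, so it is worth checking that those values are set whenever this flag is true.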