Support using ldap identity backend

config.yaml

@@ -117,6 +117,10 @@ options:
     type: string
     default: None
     description: "comma sperated options for ldap configuration"
+  ldap-readonly:
+    type: boolean
+    default: True
+    description: "Ldap identity server backend readonly to keystone"
   # HA configuration settings
   vip:
     type: string

hooks/keystone_context.py

@@ -108,6 +108,7 @@ class KeystoneContext(context.OSContextGenerator):
             ctxt['ldap_user'] = config('ldap-user')
             ctxt['ldap_password'] = config('ldap-password')
             ctxt['ldap_suffix'] = config('ldap-suffix')
+            ctxt['ldap_readonly'] = config('ldap-readonly')
             ldap_flags = config('ldap-config-flags')
             if ldap_flags:
                 flags = context.config_flags_parser(ldap_flags)

templates/icehouse/keystone.conf

@@ -80,4 +80,21 @@ suffix = {{ ldap_suffix }}
 {% endfor -%} 
 {% endif -%} 
 
+{% if ldap_readonly -%}
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+tenant_allow_create = False
+tenant_allow_update = False
+tenant_allow_delete = False
+
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+{% endif -%}
 {% endif -%}