diff --git a/doc/config-reference/identity/section_keystone-sample-conf-files.xml b/doc/config-reference/identity/section_keystone-sample-conf-files.xml index 71b40a5656..4ecb6c4761 100644 --- a/doc/config-reference/identity/section_keystone-sample-conf-files.xml +++ b/doc/config-reference/identity/section_keystone-sample-conf-files.xml @@ -44,26 +44,51 @@
Domain-specific configuration Identity enables you to configure domain-specific - authentication drivers. For example, you can configure a - domain to have its own LDAP or SQL server. - By default, the option to configure domain-specific - drivers is disabled. - To enable domain-specific drivers, set these options in - [identity] section in the - keystone.conf file: + authentication drivers which allows a domain to have its + own LDAP or SQL server. +
+ Enable domain-specific drivers + By default, the option to configure domain-specific + drivers is disabled. To enable domain-specific drivers, + set these options in the keystone.conf + file: [identity] domain_specific_drivers_enabled = True domain_config_dir = /etc/keystone/domains When you enable domain-specific drivers, Identity looks in the directory for - configuration files that are named as follows: - keystone.DOMAIN_NAME.conf, - where DOMAIN_NAME is the domain - name. - Any options that you define in the domain-specific + configuration files that are named as + keystone.DOMAIN_NAME.conf. + Any domain without a domain-specific configuration + file uses options in the primary configuration file. +
+
+ Domain-specific configuration file options + Any options that you define in the domain-specific configuration file override options in the primary - configuration file for the specified domain. Any domain - without a domain-specific configuration file uses only the - options in the primary configuration file. + configuration file for the specified domain. + Domains configured for the service user or project + use the Identity API v3 to retrieve the service token. + To configure the domain for the service user, set the + following options in the [DEFAULT] section of the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file: + admin_user_domain_id = USER_DOMAIN_ID +admin_user_domain_name = USER_DOMAIN_NAME + Replace USER_DOMAIN_ID with + the Identity service account user domain ID, and + USER_DOMAIN_NAME with the Identity + service account user domain name. + To configure the domain for the project, set the + following options in the [DEFAULT] section of the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file: + admin_project_domain_id = PROJECT_DOMAIN_ID +admin_project_domain_name = PROJECT_DOMAIN_NAME + Replace PROJECT_DOMAIN_ID with + the Identity service account project domain ID, and + PROJECT_DOMAIN_NAME with the + Identity service account project domain name. +
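Review bot: In the new "Domain-specific configuration file options" section, both listings give an ID option and a name option together (admin_user_domain_id with admin_user_domain_name, and admin_project_domain_id with admin_project_domain_name) without saying whether both must be set or one is enough, or what happens if the two refer to different domains. Please state that next to each listing. The same listings omit the [DEFAULT] header that the prose names, while the earlier listing in "Enable domain-specific drivers" shows its [identity] header; adding the header would make them safe to copy as written. Two wording points in the first added lines: "authentication drivers which allows a domain" should read "authentication drivers, which allow a domain", and the rewritten fallback sentence drops "only" from "uses only the options in the primary configuration file", which weakens the original statement; keep the word if the behaviour has not changed.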