diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml
index bb4ba49411..38f3a71f86 100644
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@@ -3,11 +3,11 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configuring-keystone-for-ldap-backend">
- Configure the Identity Service with an LDAP
- back-end
+ Configure the Identity Service with an LDAP back
+ end
As an alternative to the SQL database backing store, the
Identity Service can use a directory server to provide the
- Identity Service, for example:
+ Identity Service. For example:
dn: dc=AcmeExample,dc=org
dc: AcmeExample
objectClass: dcObject
@@ -49,22 +49,19 @@ role_tree_dn = ou=Roles,dc=AcmeExample,dc=com
role_objectclass = organizationalRole
The default object classes and attributes are intentionally
simple. They reflect the common standard objects according to
- the LDAP RFCs. However, in a live deployment, you can override
- the correct attributes to support a preexisting, complex
- schema. For example, in the user object, the objectClass
- posixAccount from RFC2307 is very common. If this is the
- underlying objectclass, then the uid
- field should probably be uidNumber and
- username field either
- uid or cn. To
- change these two fields, the corresponding entries in the
- Keystone configuration file are:
+ the LDAP RFCs. You can override object attributes to map to a
+ pre-existing schema. For example, RFC2307-compliant posixAccount
+ objects will commonly include the uid
+ and cn attributes. These fields can be
+ mapped to their corresponding entries in the
+ keystone.conf file:
+
[ldap]
user_id_attribute = uidNumber
user_name_attribute = cn
Depending on your deployment, you can modify a set of
allowed actions for each object type. For example, you might
- set the following options:
+ set these options:
[ldap]
user_allow_create = False
user_allow_update = False
@@ -77,7 +74,7 @@ tenant_allow_delete = True
role_allow_create = True
role_allow_update = True
role_allow_delete = True
- If the back-end provides too much output, you can filter
+ If the back end provides too much output, you can filter
users, tenants, and roles. For example:
[ldap]
user_filter = (memberof=CN=acme-users,OU=workgroups,DC=AcmeExample,DC=com)
@@ -86,8 +83,8 @@ role_filter =
If the directory server has not enabled the
boolean type for the user, you can use
configuration options to extract the value from an integer
- attribute. For example, in an Active Directory, as
- follows:
+ attribute. For example, in an Active Directory, set these
+ configuration options:
[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
@@ -132,4 +129,22 @@ role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
+
+ Assignment
+ The Assignment feature allows a combination of LDAP and SQL
+ for Identity Service authentication and authorization.
+ Consequently, the LDAP directory authenticates users and the
+ Identity Service SQL back end authorizes their access to projects
+ and roles.
+ Enable the Assignment driver in the
+ keystone.conf file alongside the LDAP
+ driver:
+
+ [identity]
+driver = keystone.identity.backends.ldap.Identity
+
+[assignment]
+driver = keystone.assignment.backends.sql.Assignment
+
+