diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 899cfceac5..b13b5c999f 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -1332,6 +1332,31 @@ specified classes in the LDAP module so you can configure them like::
 role_member_attribute = roleOccupant
 role_attribute_ignore =
+
+Enabled Emulation
+-----------------
+
+Some directory servers do not provide any enabled attribute. For these
+servers, the ``user_enabled_emulation`` and ``tenant_enabled_emulation``
+attributes have been created. They are enabled by setting their respective
+flags to True. Then the attributes ``user_enabled_emulation_dn`` and
+``tenant_enabled_emulation_dn`` may be set to specify how the enabled users
+and projects (tenants) are selected. These attributes work by using a
+``groupOfNames`` and adding whichever users or projects (tenants) that
+you want enabled to the respective group. For example, this will
+mark any user who is a member of ``enabled_users`` as enabled::
+
+ [ldap]
+ user_enabled_emulation = True
+ user_enabled_emulation_dn = cn=enabled_users,cn=groups,dc=openstack,dc=org
+
+The default values for user and project (tenant) enabled emulation DN is
+``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$tenant_tree_dn``
+respectively.
+
+Secure Connection
+-----------------
+
 If you are using a directory server to provide the Identity service, it is strongly recommended that you utilize a secure connection from Keystone to the directory server. In addition to supporting ldaps, Keystone
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 1e7d141b31..a90ded3d77 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -675,10 +675,10 @@ class EnabledEmuMixIn(BaseLdap):
 * $name_enabled_emulation - boolean, on/off
 * $name_enabled_emulation_dn - DN of that groupOfNames, default is
- cn=enabled_$name,$tree_dn
+ cn=enabled_${name}s,${tree_dn}
- Where $name is self.options_name ('user' or 'tenant'), $tree_dn is
- self.tree_dn.
+ Where ${name}s is the plural of self.options_name ('users' or 'tenants'),
+ ${tree_dn} is self.tree_dn.
 """
 def __init__(self, conf):
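Review bot: The corrected docstring now gives the right default DN for `$name_enabled_emulation_dn`, but it still leaves unsaid that membership of that groupOfNames is what this mixin treats as "enabled" (the accompanying configuration.rst hunk describes it that way), so anyone who can write to the group object can enable or disable every user or project; that caveat belongs on the `$name_enabled_emulation_dn` bullet. A line such as `Only directory administrators should be able to modify this group: adding or removing a member enables or disables the corresponding entry.` would make the trust boundary explicit to operators. Because the default places the group directly under `${tree_dn}`, it presumably sits in the same subtree as the entries it governs, so it is also worth stating that directory ACLs need to be applied to the group itself rather than assumed from the tree, if that matches the deployment model. The EnabledEmuMixIn class and its `__init__` continue outside the hunk.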