Update keystone to the branch stable/liberty.

Change-Id: I7cce62ae4b4cbca525a7b9499285455bdd04993e

1 files changed, 9 insertions, 3 deletions

diff --git a/keystone-moon/doc/source/configuration.rst b/keystone-moon/doc/source/configuration.rst
index 96491660..574b26be 100644
--- a/keystone-moon/doc/source/configuration.rst
+++ b/keystone-moon/doc/source/configuration.rst
@@ -1637,9 +1637,9 @@ have been created. They are enabled by setting their respective flags to True.
 Then the attributes ``user_enabled_emulation_dn`` and
 ``project_enabled_emulation_dn`` may be set to specify how the enabled users
 and projects (tenants) are selected. These attributes work by using a
-``groupOfNames`` and adding whichever users or projects (tenants) that you want
-enabled to the respective group. For example, this will mark any user who is a
-member of ``enabled_users`` as enabled:
+``groupOfNames`` entry and adding whichever users or projects (tenants) that
+you want enabled to the respective group with the ``member`` attribute. For
+example, this will mark any user who is a member of ``enabled_users`` as enabled:
 
 .. code-block:: ini
 
@@ -1651,6 +1651,12 @@ The default values for user and project (tenant) enabled emulation DN is
 ``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn``
 respectively.
 
+If a different LDAP schema is used for group membership, it is possible to use
+the ``group_objectclass`` and ``group_member_attribute`` attributes to
+determine membership in the enabled emulation group by setting the
+``user_enabled_emulation_use_group_config`` and
+``project_enabled_emulation_use_group_config`` attributes to True.
+
 Secure Connection
 -----------------