From 7a5a0e4df646d46476ec7a9fcdedd638e8781f6e Mon Sep 17 00:00:00 2001 From: asteroide Date: Wed, 2 Dec 2015 09:49:33 +0100 Subject: Update keystone to the branch stable/liberty. Change-Id: I7cce62ae4b4cbca525a7b9499285455bdd04993e --- keystone-moon/doc/source/configuration.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'keystone-moon/doc/source/configuration.rst') diff --git a/keystone-moon/doc/source/configuration.rst b/keystone-moon/doc/source/configuration.rst index 96491660..574b26be 100644 --- a/keystone-moon/doc/source/configuration.rst +++ b/keystone-moon/doc/source/configuration.rst @@ -1637,9 +1637,9 @@ have been created. They are enabled by setting their respective flags to True. Then the attributes ``user_enabled_emulation_dn`` and ``project_enabled_emulation_dn`` may be set to specify how the enabled users and projects (tenants) are selected. These attributes work by using a -``groupOfNames`` and adding whichever users or projects (tenants) that you want -enabled to the respective group. For example, this will mark any user who is a -member of ``enabled_users`` as enabled: +``groupOfNames`` entry and adding whichever users or projects (tenants) that +you want enabled to the respective group with the ``member`` attribute. For +example, this will mark any user who is a member of ``enabled_users`` as enabled: .. code-block:: ini @@ -1651,6 +1651,12 @@ The default values for user and project (tenant) enabled emulation DN is ``cn=enabled_users,$user_tree_dn`` and ``cn=enabled_tenants,$project_tree_dn`` respectively. +If a different LDAP schema is used for group membership, it is possible to use +the ``group_objectclass`` and ``group_member_attribute`` attributes to +determine membership in the enabled emulation group by setting the +``user_enabled_emulation_use_group_config`` and +``project_enabled_emulation_use_group_config`` attributes to True. + Secure Connection ----------------- -- cgit 1.2.3-korg
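Review bot: in the first hunk (@@ -1637), the reworded sentence now states without qualification that enabled emulation works through a ``groupOfNames`` entry and the ``member`` attribute, but the paragraph added by the second hunk says both can be overridden. Qualify it as the default behaviour, for example "By default these attributes work by using a ``groupOfNames`` entry ...". Since the sentence is being touched anyway, "whichever users or projects (tenants) that you want enabled" reads better without "that". The last added line ("example, this will mark any user ...") also appears to run past the 79-column wrap the surrounding lines keep.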
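Review bot: in the second hunk (@@ -1651), the new paragraph does not say what ``user_enabled_emulation_use_group_config`` and ``project_enabled_emulation_use_group_config`` default to, and it gives no ini example, unlike the ``.. code-block:: ini`` sample shown for the emulation DN just above it. Because these flags change how an account is judged enabled, state the default and add a short sample that sets one flag together with ``group_objectclass`` and ``group_member_attribute``. The names suggest these are the same settings used for ordinary group membership, so say that explicitly so an operator knows that changing them affects both. The word "attributes" is also used here for configuration options, while the first hunk uses "attribute" for the LDAP ``member`` attribute; calling the configuration settings "options" would remove the ambiguity.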