[openstack-dev] Keystone Split Backend LDAP Configuration Question

Adam Young ayoung at redhat.com
Wed Aug 7 23:13:22 UTC 2013

On 08/07/2013 04:38 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
> Hello,
> I am trying to figure out what to use for the "user_enabled_*" 
> attributes for the HP Enterprise Directory servers. It looks like the 
> enabled attribute values in the keystone.conf file are expected to 
> have numerical values.
That stuff is from the Active Directory integration. AD does user 
enabled as a bit field.

> From(URL 
> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html 
> :
> In case that the directory server does not have an attribute enabled 
> of type boolean for the user, there are several configuration 
> parameters that can be used to extract the value from an integer 
> attribute like in Active Directory:
> [ldap]
> user_enabled_attribute = userAccountControl
> user_enabled_mask = 2
> user_enabled_default = 512
> In this case the attribute is an integer and the enabled attribute is 
> listed in bit 1, so the if the mask configured /user_enabled_mask/ is 
> different from 0, it gets the value from the field 
> /user_enabled_attribute/ and it makes an ADD operation with the value 
> indicated on /user_enabled_mask/ and if the value matches the mask 
> then the account is disabled.
> It also saves the value without mask to the user identity in the 
> attribute /enabled_nomask/. This is needed in order to set it back in 
> case that we need to change it to enable/disable a user because it 
> contains more information than the status like password expiration. 
> Last setting /user_enabled_mask/ is needed in order to create a 
> default value on the integer attribute (512 = NORMAL ACCOUNT on AD)
> What if the enabled attributes from the LDAP server are not numerical 
> values but rather character strings?
> hpStatus: Active, Deceased, Leave of Absence, Leave with Pay, 
> Terminated, Retired, Pending, Limited
I think this is more common in LDAP than the bit field, and thought it 
was supported.  No mask is required, and should probably be left 
defaulted to None

> How would you set the attribute enabled = 'Active'? Mind you that this 
> is a read only ldap connection.
> user_enabled_attribute = hpStatus
> user_enabled_mask = 0
> user_enabled_default = "Active"
> Thanks,
> Mark

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130807/a96addb0/attachment.html>

More information about the OpenStack-dev mailing list