[openstack-dev] Keystone Split Backend LDAP Configuration Question
ayoung at redhat.com
Wed Aug 7 23:13:22 UTC 2013
On 08/07/2013 04:38 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> I am trying to figure out what to use for the "user_enabled_*"
> attributes for the HP Enterprise Directory servers. It looks like the
> enabled attribute values in the keystone.conf file are expected to
> have numerical values.
That stuff is from the Active Directory integration. AD does user
enabled as a bit field.
> In case that the directory server does not have an attribute enabled
> of type boolean for the user, there are several configuration
> parameters that can be used to extract the value from an integer
> attribute like in Active Directory:
> user_enabled_attribute = userAccountControl
> user_enabled_mask = 2
> user_enabled_default = 512
> In this case the attribute is an integer and the enabled attribute is
> listed in bit 1, so if the mask configured /user_enabled_mask/ is
> different from 0, it gets the value from the field
> /user_enabled_attribute/ and it makes an ADD operation with the value
> indicated on /user_enabled_mask/ and if the value matches the mask
> then the account is disabled.
> It also saves the value without mask to the user identity in the
> attribute /enabled_nomask/. This is needed in order to set it back in
> case that we need to change it to enable/disable a user because it
> contains more information than the status like password expiration.
> Last setting /user_enabled_mask/ is needed in order to create a
> default value on the integer attribute (512 = NORMAL ACCOUNT on AD)
> What if the enabled attributes from the LDAP server are not numerical
> values but rather character strings?
> hpStatus: Active, Deceased, Leave of Absence, Leave with Pay,
> Terminated, Retired, Pending, Limited
I think this is more common in LDAP than the bit field, and thought it
was supported. No mask is required, and should probably be left
defaulted to None.
> How would you set the attribute enabled = 'Active'? Mind you that this
> is a read only ldap connection.
> user_enabled_attribute = hpStatus
> user_enabled_mask = 0
> user_enabled_default = "Active"
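The two conventions discussed in this thread, as an added example that is not Keystone's own code: the Active Directory bit-field rule follows the quoted description (mask 2 set means disabled, 512 is a normal account, the unmasked value is kept so other bits such as password-expiry flags survive a write-back), while the string-valued `hpStatus` rule is an assumption for illustration only, treating the account as enabled when the attribute equals the configured default. The `user_enabled` dispatcher and the sample directory entries are constructed here and do not reflect what Keystone actually did with a string `user_enabled_default`.

```python
# Added example, not Keystone's code. Models the "enabled" conventions from
# the thread: AD integer bit field (mask/default from the quoted config) and
# an assumed string convention for hpStatus-style attributes.

AD_NORMAL_ACCOUNT = 512   # user_enabled_default quoted in the thread
AD_ACCOUNTDISABLE = 2     # user_enabled_mask quoted in the thread


def parse_enabled_bitfield(raw_value, mask, default=AD_NORMAL_ACCOUNT):
    """Return (enabled, unmasked_value) for an integer attribute such as
    userAccountControl. A missing attribute falls back to the default.
    Per the thread: if the masked bits match the mask, the account is
    disabled. The unmasked value is returned so it can be stored as the
    /enabled_nomask/ field the thread mentions."""
    value = int(raw_value) if raw_value is not None else default
    enabled = (value & mask) != mask
    return enabled, value


def set_enabled_bitfield(nomask_value, mask, enabled):
    """Recompute the integer attribute from the saved unmasked value,
    preserving bits unrelated to enablement (e.g. password-expiry flags)."""
    if enabled:
        return nomask_value & ~mask
    return nomask_value | mask


def parse_enabled_string(raw_value, active_value):
    """Assumed string convention (not Keystone's documented behaviour):
    enabled only when the attribute equals the configured active value.
    A missing attribute is treated as disabled (fail closed)."""
    if raw_value is None:
        return False
    return raw_value == active_value


def user_enabled(entry, user_enabled_attribute,
                 user_enabled_mask=None, user_enabled_default=None):
    """Dispatch on the configured mask the way the keystone.conf settings
    in the thread suggest: a non-zero mask selects the integer bit-field
    rule; mask 0 or None selects the string comparison."""
    raw = entry.get(user_enabled_attribute)
    if user_enabled_mask:
        enabled, _ = parse_enabled_bitfield(
            raw, user_enabled_mask, default=int(user_enabled_default))
        return enabled
    return parse_enabled_string(raw, user_enabled_default)


# Constructed sample entries (not real directory data).
AD_ENTRY_ENABLED = {"cn": "alice", "userAccountControl": "512"}
AD_ENTRY_DISABLED = {"cn": "bob", "userAccountControl": "514"}     # 512 | 2
AD_ENTRY_NOEXPIRE = {"cn": "carol", "userAccountControl": "66048"} # 512 | 65536
HP_ENTRY_ACTIVE = {"cn": "dave", "hpStatus": "Active"}
HP_ENTRY_TERMINATED = {"cn": "erin", "hpStatus": "Terminated"}

if __name__ == "__main__":
    for entry in (AD_ENTRY_ENABLED, AD_ENTRY_DISABLED, AD_ENTRY_NOEXPIRE):
        print(entry["cn"], user_enabled(entry, "userAccountControl", 2, 512))
    for entry in (HP_ENTRY_ACTIVE, HP_ENTRY_TERMINATED):
        print(entry["cn"], user_enabled(entry, "hpStatus", 0, "Active"))
    # Disabling carol must keep the 65536 bit intact.
    _, nomask = parse_enabled_bitfield(AD_ENTRY_NOEXPIRE["userAccountControl"], 2)
    print("carol disabled ->", set_enabled_bitfield(nomask, 2, False))
```

Note that with `user_enabled_mask = 0`, as in the configuration proposed at the end of the thread, the dispatcher never touches the integer path, which is the behaviour ayoung's reply suggests for string-valued attributes.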