[openstack-dev] Keystone Split Backend LDAP Configuration Question
Adam Young
ayoung at redhat.com
Wed Aug 7 23:13:22 UTC 2013
On 08/07/2013 04:38 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote:
>
> Hello,
>
> I am trying to figure out what to use for the "user_enabled_*"
> attributes for the HP Enterprise Directory servers. It looks like the
> enabled attribute values in the keystone.conf file are expected to
> have numerical values.
>
That stuff is from the Active Directory integration. AD does user
enabled as a bit field.
> From (URL
> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
> ):
>
> In case that the directory server does not have an attribute enabled
> of type boolean for the user, there are several configuration
> parameters that can be used to extract the value from an integer
> attribute like in Active Directory:
>
> [ldap]
>
> user_enabled_attribute = userAccountControl
>
> user_enabled_mask = 2
>
> user_enabled_default = 512
>
> In this case the attribute is an integer and the enabled attribute is
> listed in bit 1, so the if the mask configured /user_enabled_mask/ is
> different from 0, it gets the value from the field
> /user_enabled_attribute/ and it makes an ADD operation with the value
> indicated on /user_enabled_mask/ and if the value matches the mask
> then the account is disabled.
>
> It also saves the value without mask to the user identity in the
> attribute /enabled_nomask/. This is needed in order to set it back in
> case that we need to change it to enable/disable a user because it
> contains more information than the status like password expiration.
> Last setting /user_enabled_mask/ is needed in order to create a
> default value on the integer attribute (512 = NORMAL ACCOUNT on AD)
>
> What if the enabled attributes from the LDAP server are not numerical
> values but rather character strings?
>
> hpStatus: Active, Deceased, Leave of Absence, Leave with Pay,
> Terminated, Retired, Pending, Limited
>
I think this is more common in LDAP than the bit field, and thought it
was supported. No mask is required, and should probably be left
defaulted to None.
> How would you set the attribute enabled = 'Active'? Mind you that this
> is a read-only LDAP connection.
>
> user_enabled_attribute = hpStatus
>
> user_enabled_mask = 0
>
> user_enabled_default = "Active"
>
> Thanks,
>
> Mark
>
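Added illustration (not Keystone's own code) of the two cases discussed in this thread: the userAccountControl mask check quoted from the docs, including why the unmasked value has to be kept for a later enable/disable round-trip, and a string-valued status such as hpStatus. The choice that only "Active" counts as enabled is an assumption taken from the question; the sample values are constructed.

```python
# Added example, not Keystone code: mask-based and string-based "enabled" checks.
ACCOUNTDISABLE = 2      # AD userAccountControl bit 1, the quoted user_enabled_mask
NORMAL_ACCOUNT = 512    # the quoted user_enabled_default

def enabled_from_mask(raw, mask=ACCOUNTDISABLE, default=NORMAL_ACCOUNT):
    """Return (enabled, nomask) for an integer attribute like userAccountControl.

    nomask is the untouched value; it carries other flags (password expiration
    etc.) that must survive when the account is later enabled or disabled.
    A missing attribute falls back to the configured default.
    """
    nomask = int(raw) if raw not in (None, "") else default
    # The account is disabled exactly when the mask bits are all set.
    return (nomask & mask) != mask, nomask

def set_enabled_with_mask(nomask, enabled, mask=ACCOUNTDISABLE):
    """Rebuild the integer attribute, flipping only the mask bit(s)."""
    return nomask & ~mask if enabled else nomask | mask

# Assumption for the string-valued hpStatus attribute from the question:
# only "Active" means enabled; every other listed state is treated as disabled.
ENABLED_STATUSES = {"active"}

def enabled_from_status(raw, enabled_values=ENABLED_STATUSES):
    """String attribute: enabled only if the value is in the allow-set (fail closed)."""
    if raw is None:
        return False
    return raw.strip().lower() in enabled_values

if __name__ == "__main__":
    # Constructed sample values: 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (65536).
    for uac in ("512", "514", "66048", "66050", None):
        print("userAccountControl", uac, "->", enabled_from_mask(uac))
    print("re-enable 66050 ->", set_enabled_with_mask(66050, True))   # keeps bit 16
    for status in ("Active", "Terminated", "Leave of Absence", None):
        print("hpStatus", status, "->", enabled_from_status(status))
```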