diff --git a/doc/common/section_keystone_config_ldap-assignments.xml b/doc/common/section_keystone_config_ldap-assignments.xml
new file mode 100644
index 0000000000..9ee3fff23a
--- /dev/null
+++ b/doc/common/section_keystone_config_ldap-assignments.xml
@@ -0,0 +1,50 @@
+
+
+Separate role authorization and user authentication
+ When you configure the Identity service to use an LDAP back
+ end, you can split authentication and authorization using the
+ Assignments feature.
+ The Assignments feature enables administrators to manage
+ project role authorization using the Identity service's own SQL
+ database, while still providing user authentication through the
+ LDAP directory.
+ To configure this:
+
+ Separating role authorization and user authentication
+ through Assignments
+
+ Configure the Identity service to authenticate users
+ through the LDAP driver. To do so, first find the
+ [identity] section in the
+ /etc/keystone/keystone.conf configuration
+ file. Then, set the driver configuration
+ key in that section to
+ keystone.identity.backends.ldap.Identity:
+
+ [identity]
+driver = keystone.identity.backends.ldap.Identity
+
+ Next, enable the Assignment driver. To do so, find the
+ [assignment] section in the
+ /etc/keystone/keystone.conf configuration
+ file. Then, set the driver configuration key in
+ that section to
+ keystone.assignment.backends.sql.Assignment:
+
+ [assignment]
+driver = keystone.assignment.backends.sql.Assignment
+
+
+ On
+ distributions that include
+ openstack-config, you can
+ configure both drivers by running the following commands instead:
+
+ # openstack-config --set /etc/keystone/keystone.conf \
+identity driver keystone.identity.backends.ldap.Identity
+# openstack-config --set /etc/keystone/keystone.conf \
+assignment driver keystone.assignment.backends.sql.Assignment
+
diff --git a/doc/common/section_keystone_config_ldap-hardening.xml b/doc/common/section_keystone_config_ldap-hardening.xml
new file mode 100644
index 0000000000..4a30c04ded
--- /dev/null
+++ b/doc/common/section_keystone_config_ldap-hardening.xml
@@ -0,0 +1,94 @@
+
+
+ Secure the OpenStack Identity service connection to an
+ LDAP back end
+ The Identity service supports the use of TLS to encrypt LDAP
+ traffic. Before configuring this, you must first verify where your
+ certificate authority file is located. For more information, see
+ .
+ Once you verify the location of your certificate authority
+ file:
+
+ Configuring TLS encryption on LDAP traffic
+
+ Open the
+ /etc/keystone/keystone.conf configuration
+ file.
+
+
+
+ Find the [ldap] section.
+
+
+ In the [ldap] section, set the
+ use_tls configuration key to
+ True. Doing so will enable TLS.
+
+
+ Configure the Identity service to use your certificate
+ authorities file. To do so, set the
+ tls_cacertfile configuration key in the
+ ldap section to the certificate authorities
+ file's path.
+
+ You can also set the tls_cacertdir
+ (also in the ldap section) to the directory
+ where all certificate authorities files are kept. If both
+ tls_cacertfile and
+ tls_cacertdir are set, then the latter will
+ be ignored.
+
+
+
+ Specify what client certificate checks to perform on
+ incoming TLS sessions from the LDAP server. To do so, set the
+ tls_req_cert configuration key in the
+ [ldap] section to demand,
+ allow, or never:
+
+
+ demand: a
+ certificate will always be requested from the LDAP server.
+ The session will be terminated if no certificate is
+ provided, or if the certificate provided cannot be
+ verified against the existing certificate authorities
+ file.
+
+ allow: a
+ certificate will always be requested from the LDAP server.
+ The session will proceed as normal even if a certificate
+ is not provided. If a certificate is provided but it
+ cannot be verified against the existing certificate
+ authorities file, the certificate will be ignored and the
+ session will proceed as normal.
+ never: a
+ certificate will never be requested.
+
+
+
+ On distributions that
+ include openstack-config, you can
+ configure TLS encryption on LDAP traffic by running the following
+ commands instead:
+
+ # openstack --config --set /etc/keystone/keystone.conf \
+ldap use_tls True
+# openstack-config --set /etc/keystone/keystone.conf \
+ldap tls_cacertfile CA_FILE
+# openstack-config --set /etc/keystone/keystone.conf \
+ldap tls_req_cert CERT_BEHAVIOR
+Where:
+
+ CA_FILE
+ is the absolute path to the certificate authorities file that
+ should be used to encrypt LDAP traffic.
+ CERT_BEHAVIOR:
+ specifies what client certificate checks to perform on an
+ incoming TLS session from the LDAP server
+ (demand, allow, or
+ never).
+
+
diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml
index 38f3a71f86..c5ead268cc 100644
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@@ -129,22 +129,6 @@ role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
-
- Assignment
- The Assignment feature allows a combination of LDAP and SQL
- for Identity Service authentication and authorization.
- Consequently, the LDAP directory authenticates users and the
- Identity Service SQL back end authorizes their access to projects
- and roles.
- Enable the Assignment driver in the
- keystone.conf file alongside the LDAP
- driver:
-
- [identity]
-driver = keystone.identity.backends.ldap.Identity
-
-[assignment]
-driver = keystone.assignment.backends.sql.Assignment
-
-
+
+