Improvement for Integrate Identity with LDAP

This fix imporve Integrate Identity with LDAP section in OpenStack Cloud Administrator Guide - current. Update more additionnal configuration attributes that can be used. Seprate basic LDAP configuration, Identity backend configuration and Assignment backend configuration into three different categories. Categorize configuration options by it's character. Change-Id: I5640e9690aed962210582684e85d4e172bd265ff Closes-bug: #1368082
2015-02-12 17:22:45 +08:00 · 2015-02-12 17:22:45 +08:00 · 7bdc679023
commit 7bdc679023
parent 604fb3565b
3 changed files with 455 additions and 236 deletions
--- a/doc/common/section_keystone_config_ldap-assignments.xml
+++ b/doc/common/section_keystone_config_ldap-assignments.xml
@ -4,57 +4,137 @@
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="configuring-keystone-for-ldap-backend-assignments">
-<title>Separate role authorization and user authentication</title>
-    <para>When you configure the Identity service to use LDAP back
-    ends, you can split authentication and authorization using the
-    <emphasis>Assignments</emphasis> feature.</para>
-    <para>The Assignments feature enables administrators to manage
-    project role authorization using the Identity service SQL
-    database, while still providing user authentication through the
-    LDAP directory.</para>
-    <para>To configure this:</para>
+    <title>Integrate assignment back end with LDAP</title>
+    <para>When you configure the OpenStack Identity service to use LDAP
+        servers, you can split authentication and authorization using the
+        <emphasis>assignment</emphasis> feature. Integrating the
+        assignment back end with LDAP allows administrators to use
+        projects (tenant), roles, domains, and role assignments
+        in LDAP.</para>
+    <note>
+        <para>Using LDAP as an assignment back end is not recommended.</para>
+    </note>
+    <note>
+        <para>The OpenStack Identity service does not support domain-specific
+          assignment back ends.</para>
+    </note>
+    <important>
+        <para>For OpenStack Identity assignments to access LDAP servers, you
+          must define the destination LDAP server in
+          the <filename>keystone.conf</filename> file. For more information,
+          see <xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
+    </important>
    <procedure>
-        <title>Separating role authorization and user authentication
-        through Assignments</title>
-      <para>Modify the <filename>/etc/keystone/keystone.conf</filename>
-        configuration file for a single LDAP server, or
-        <filename>etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-        files for multiple LDAP back ends, performing the following actions:</para>
-    <step>
-        <para>Configure the Identity service to authenticate users
-        through the LDAP driver. In the <literal>[identity]</literal> section, set
-        the <literal>driver</literal> configuration key to
-        <literal>keystone.identity.backends.ldap.Identity</literal>:
-        </para>
-    <programlisting>[identity]
-driver = keystone.identity.backends.ldap.Identity</programlisting>
-    </step>
-    <step><para>Enable the Assignment driver. In the
-    <literal>[assignment]</literal> section, set the <literal>driver</literal>
-    configuration key to <literal>keystone.assignment.backends.sql.Assignment</literal>:
-    </para>
-    <programlisting>[assignment]
-driver = keystone.assignment.backends.sql.Assignment</programlisting>
-    </step>
+        <title>Integrating assignment back ends with LDAP</title>
+        <step>
+            <para>Enable the assignment driver. In the
+              <literal>[assignment]</literal> section, set the
+              <literal>driver</literal> configuration key to
+                <literal>keystone.assignment.backends.sql.Assignment</literal>:</para>
+            <programlisting language="ini">[assignment]
+#driver = keystone.assignment.backends.sql.Assignment
+driver = keystone.assignment.backends.ldap.Assignment</programlisting>
+        </step>
+        <step>
+            <para>Create the organizational units (OU) in the LDAP
+                directory, and define their corresponding location in
+                the <filename>keystone.conf</filename> file:</para>
+            <programlisting language="ini">[ldap]
+role_tree_dn =
+role_objectclass = inetOrgPerson
+
+project_tree_dn = ou=Groups,dc=example,dc=org
+project_objectclass = groupOfNames</programlisting>
+            <note>
+                <para>These schema attributes are extensible for
+                    compatibility with various schemas. For example,
+                    this entry maps to the
+                        <systemitem>groupOfNames</systemitem> attribute in
+                    Active Directory:</para>
+                <programlisting language="ini">project_objectclass = groupOfNames</programlisting>
+            </note>
+        </step>
+        <step>
+            <para>A read-only implementation is recommended for LDAP
+                integration. These permissions are applied to object
+                types in the <filename>keystone.conf</filename>
+                file:</para>
+            <programlisting language="ini">[ldap]
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+project_allow_create = False
+project_allow_update = False
+project_allow_delete = False</programlisting>
+        </step>
+        <step>
+            <para>Restart the OpenStack Identity service:</para>
+            <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
+            <warning><para>During service restart, authentication and
+            authorization are unavailable.</para></warning>
+        </step>
    </procedure>
-    <para os="rhel;centos;fedora;opensuse;sles">On
-     distributions that include
-     <application>openstack-config</application>, you can
-     configure both drivers by running the following commands.</para>
-   <itemizedlist>
-     <listitem>
-       <para>For a single LDAP server:</para>
-           <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
-identity driver keystone.identity.backends.ldap.Identity</userinput>
-<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
-assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen>
-     </listitem>
-     <listitem>
-       <para>For multiple LDAP back ends:</para>
-<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
-    identity driver keystone.identity.backends.ldap.Identity</userinput>
-  <prompt>#</prompt> <userinput>openstack-config --set etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf \
-    assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen>
-      </listitem>
-    </itemizedlist>
+    <formalpara>
+        <title>Additional LDAP integration settings</title>
+        <para>Set these options in the
+            <filename>/etc/keystone/keystone.conf</filename>
+            file for a single LDAP server, or
+            <filename>/etc/keystone/domains/keystone.
+                <replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+            files for multiple back ends.</para>
+    </formalpara>
+    <variablelist>
+        <varlistentry>
+            <term>Filters</term>
+            <listitem>
+                <para>Use filters to control the scope of data
+                    presented through LDAP.</para>
+                <programlisting language="ini">[ldap]
+project_filter = (member=cn=openstack-user,ou=workgroups,dc=example,dc=org)
+role_filter = </programlisting>
+                <warning><para>Filtering method</para></warning>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Assignment attribute mapping</term>
+            <listitem>
+                <para>Mask account status values (include any additional
+                    attribute mappings) for compatibility with various
+                    directory services. Superfluous accounts are filtered with
+                        <systemitem>user_filter</systemitem>.</para>
+                <para>Setting attribute ignore to list of attributes
+                    stripped off on update.</para>
+                <programlisting language="ini">[ldap]
+role_id_attribute = cn
+role_name_attribute = ou
+role_member_attribute = roleOccupant
+role_additional_attribute_mapping =
+role_attribute_ignore =
+
+project_id_attribute = cn
+project_name_attribute = ou
+project_member_attribute = member
+project_desc_attribute = description
+project_enabled_attribute = enabled
+project_domain_id_attribute = businessCategory
+project_additional_attribute_mapping =
+project_attribute_ignore =</programlisting>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Enabled emulation</term>
+            <listitem>
+                <para>An alternative method to determine if a project is
+                    enabled or not is to check if that project is a
+                    member of the emulation group.</para>
+                <para>Use DN of the group entry to hold enabled
+                    projects when using enabled emulation.</para>
+                <programlisting language="ini">[ldap]
+project_enabled_emulation = false
+project_enabled_emulation_dn = false</programlisting>
+            </listitem>
+        </varlistentry>
+    </variablelist>
 </section>
+
--- a/doc/common/section_keystone_config_ldap-identity.xml
+++ b/doc/common/section_keystone_config_ldap-identity.xml
@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook"
+  xmlns:xi="http://www.w3.org/2001/XInclude"
+  xmlns:xlink="http://www.w3.org/1999/xlink"
+  version="5.0"
+  xml:id="configuring-keystone-for-ldap-backend-identity">
+
+    <title>Integrate identity back end with LDAP</title>
+    <para>The identity back end contains information for users, groups, and
+      group member lists. Integrating the identity back end with LDAP allows
+      administrators to use users and groups in LDAP.</para>
+    <important>
+        <para>For OpenStack Identity Service to access LDAP servers, you must
+            define the destination LDAP server in the
+            <filename>keystone.conf</filename> file. For more information, see
+            <xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
+    </important>
+    <procedure>
+        <title>Integrating an identity back end with LDAP</title>
+        <step>
+            <para>Enable the LDAP identity driver in the
+              <filename>keystone.conf</filename> file. This allows LDAP as
+              an identity back end:</para>
+            <programlisting language="ini">[identity]
+#driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.ldap.Identity</programlisting>
+        </step>
+        <step>
+            <para>Create the organizational units (OU) in the LDAP
+                directory, and define the corresponding location in
+                the <filename>keystone.conf</filename> file:</para>
+            <programlisting language="ini">[ldap]
+user_tree_dn = ou=Users,dc=example,dc=org
+user_objectclass = inetOrgPerson
+
+group_tree_dn = ou=Groups,dc=example,dc=org
+group_objectclass = groupOfNames</programlisting>
+            <note>
+                <para>These schema attributes are extensible for
+                    compatibility with various schemas. For example,
+                    this entry maps to the
+                        <systemitem>person</systemitem> attribute in
+                    Active Directory:</para>
+                <programlisting language="ini">user_objectclass = person</programlisting>
+            </note>
+        </step>
+        <step>
+            <para>A read-only implementation is recommended for LDAP
+                integration. These permissions are applied to object
+                types in the <filename>keystone.conf</filename>
+                file:</para>
+            <programlisting language="ini">[ldap]
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False</programlisting>
+        </step>
+        <step>
+            <para>Restart the OpenStack Identity service:</para>
+            <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
+            <warning><para>During service restart, authentication and
+            authorization are unavailable.</para></warning>
+        </step>
+    </procedure>
+    <procedure>
+      <title>Integrating identity with multiple back ends</title>
+      <step>
+        <para>Set the following options in the
+          <filename>/etc/keystone/keystone.conf</filename> file:</para>
+        <substeps>
+          <step>
+            <para>Enable the LDAP driver:</para>
+            <programlisting language="ini">[identity]
+#driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.ldap.Identity</programlisting>
+          </step>
+          <step>
+            <para>Enable domain-specific drivers:</para>
+            <programlisting language="ini">[identity]
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains</programlisting>
+          </step>
+        </substeps>
+      </step>
+      <step>
+        <para>Restart the service:</para>
+        <screen><prompt>#</prompt> service keystone restart</screen>
+      </step>
+      <step>
+        <para>List the domains using the dashboard, or the OpenStackClient
+          CLI. Refer to the <link xlink:href="http://docs.openstack.org/developer/python-openstackclient/command-list.html">Command List</link>
+          for a list of OpenStackClient commands.</para>
+      </step>
+      <step>
+        <para>Create domains using OpenStack dashboard, or the
+          OpenStackClient CLI.</para>
+      </step>
+      <step>
+        <para>For each domain, create a domain-specific configuration
+          file in the <filename>/etc/keystone/domains</filename> directory.
+          Use the file naming convention <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>,
+          where <replaceable>DOMAIN_NAME</replaceable>
+          is the domain name assigned in the previous step.</para>
+        <note><para>The options set in the
+            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+            file will override options in the <filename>/etc/keystone/keystone.conf</filename>
+            file.</para></note>
+      </step>
+      <step>
+        <para>Define the destination LDAP server in the
+          <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> file. For example:</para>
+        <programlisting language="ini">[ldap]
+url = ldap://localhost
+user = dc=Manager,dc=example,dc=org
+password = samplepassword
+suffix = dc=example,dc=org
+use_dumb_member = False
+allow_subtree_delete = False</programlisting>
+      </step>
+      <step>
+        <para>Create the organizational units (OU) in the LDAP
+          directories, and define their corresponding locations in
+          the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+          file. For example:</para>
+        <programlisting language="ini">[ldap]
+user_tree_dn = ou=Users,dc=example,dc=org
+user_objectclass = inetOrgPerson
+
+group_tree_dn = ou=Groups,dc=example,dc=org
+group_objectclass = groupOfNames</programlisting>
+        <note>
+          <para>These schema attributes are extensible for
+            compatibility with various schemas. For example,
+            this entry maps to the <systemitem>person</systemitem>
+            attribute in Active Directory:</para>
+          <programlisting language="ini">user_objectclass = person</programlisting>
+        </note>
+      </step>
+      <step>
+        <para>A read-only implementation is recommended for LDAP
+          integration. These permissions are applied to object
+          types in the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+          file:</para>
+        <programlisting language="ini">[ldap]
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False</programlisting>
+      </step>
+      <step>
+        <para>Restart the OpenStack Identity service:</para>
+        <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
+        <warning><para>During service restart, authentication and
+            authorization are unavailable.</para></warning>
+      </step>
+    </procedure>
+    <formalpara>
+        <title>Additional LDAP integration settings</title>
+        <para>Set these options in the
+            <filename>/etc/keystone/keystone.conf</filename>
+            file for a single LDAP server, or
+            <filename>/etc/keystone/domains/keystone.
+                <replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+            files for multiple back ends.</para>
+    </formalpara>
+    <variablelist>
+        <varlistentry>
+            <term>Filters</term>
+            <listitem>
+                <para>Use filters to control the scope of data
+                    presented through LDAP.</para>
+                <programlisting language="ini">[ldap]
+user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
+group_filter = </programlisting>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Identity attribute mapping</term>
+            <listitem>
+                <para>Mask account status values (include any additional
+                    attribute mappings) for compatibility
+                    with various directory services. Superfluous
+                    accounts are filtered with
+                        <systemitem>user_filter</systemitem>.</para>
+                <para>Setting attribute ignore to list of attributes
+                    stripped off on update.</para>
+                <para>For example, you can mask Active Directory
+                    account status attributes in the
+                    <filename>keystone.conf</filename>
+                    file:</para>
+                <programlisting language="ini">[ldap]
+user_id_attribute      = cn
+user_name_attribute    = sn
+user_mail_attribute    = mail
+user_pass_attribute    = userPassword
+user_enabled_attribute = userAccountControl
+user_enabled_mask      = 2
+user_enabled_invert    = false
+user_enabled_default   = 51
+user_default_project_id_attribute =
+user_attribute_ignore = default_project_id,tenants
+user_additional_attribute_mapping =
+
+group_id_attribute     = cn
+group_name_attribute   = ou
+group_member_attribute = member
+group_desc_attribute   = description
+group_attribute_ignore =
+group_additional_attribute_mapping =</programlisting>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Enabled emulation</term>
+            <listitem>
+                <para>An alternative method to determine if a user is
+                enabled or not is by checking if that user is a
+                 member of the emulation group.</para>
+                <para>Use DN of the group entry to hold enabled
+                    user when using enabled emulation.</para>
+                <programlisting language="ini">[ldap]
+user_enabled_emulation = false
+user_enabled_emulation_dn = false</programlisting>
+            </listitem>
+        </varlistentry>
+    </variablelist>
+</section>
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@ -5,189 +5,59 @@
  version="5.0"
  xml:id="configuring-keystone-for-ldap-backend">
    <title>Integrate Identity with LDAP</title>
-    <para>Identity Service supports integration with existing LDAP
-        directories for authentication and authorization
+    <para>The Openstack Identity Service supports integration with
+        existing LDAP directories for authentication and authorization
        services.</para>
+    <para>When the Openstack Identity service is configured to use LDAP
+        back ends, you can split authentication (using the
+        <emphasis>identity</emphasis> feature) and
+            authorization (using the
+            <emphasis>assignment</emphasis> feature).</para>
+        <para>The identity feature enables administrators to manage
+        users and groups by each domain or the Openstack Identity Service entirely.</para>
+        <para>The Assignments feature enables administrators to manage
+        project role authorization using the Openstack Identity service SQL
+        database, while providing user authentication through the
+        LDAP directory.</para>
    <important os="rhel;fedora;centos">
-        <para>For OpenStack Identity to access LDAP servers, you must
+        <para>For OpenStack Identity service to access LDAP servers, you must
            enable the <option>authlogin_nsswitch_use_ldap</option> boolean
-            value for SELinux on the Identity server. To enable and
+            value for SELinux on the Openstack Identity server. To enable and
            make the option persistent across reboots:</para>
        <screen><prompt>#</prompt> <userinput>setsebool -P authlogin_nsswitch_use_ldap</userinput></screen>
    </important>
+    <para>Identity configuration is split into two separate back ends: identity
+        (back end for users and groups) and assignments (back end for domains,
+        projects, roles, role assignments). To configure identity, set options in the
+        <filename>/etc/keystone/keystone.conf</filename> file.
+        See <xref linkend="configuring-keystone-for-ldap-backend-identity"/>
+        for identity back end configuration examples and
+        <xref linkend="configuring-keystone-for-ldap-backend-assignments"/>
+        for assignment back end configuration examples.
+        Modify these examples as needed.</para>
    <note>
-        <para>You can integrate Identity with a single LDAP
-            server, or multiple back ends using domain-specific configuration files.</para>
+        <para>Multiple back ends are supported. You can integrate the Openstack Identity service
+            with a single LDAP server (configure both identity and assignments to
+            LDAP, or set identity and assignments back end with SQL or LDAP),
+            or multiple back ends using domain-specific configuration files.</para>
    </note>
-    <procedure>
-        <title>To integrate Identity with a LDAP server</title>
-        <step>
-            <para>Enable the LDAP driver in the
-                    <filename>/etc/keystone/keystone.conf</filename> file:</para>
-            <programlisting language="ini">[identity]
-#driver = keystone.identity.backends.sql.Identity
-driver = keystone.identity.backends.ldap.Identity</programlisting>
-        </step>
-        <step>
-            <para>Define the destination LDAP server in the
-                    <filename>/etc/keystone/keystone.conf</filename> file:</para>
-            <programlisting language="ini">[ldap]
-url = ldap://localhost
-user = dc=Manager,dc=example,dc=org
-password = samplepassword
-suffix = dc=example,dc=org
-use_dumb_member = False
-allow_subtree_delete = False</programlisting>
-        </step>
-        <step>
-            <para>Create the organizational units (OU) in the LDAP
-                directory, and define their corresponding location in
-                the <filename>keystone.conf</filename> file:</para>
-            <programlisting language="ini">[ldap]
-user_tree_dn = ou=Users,dc=example,dc=org
-user_objectclass = inetOrgPerson
-
-tenant_tree_dn = ou=Groups,dc=example,dc=org
-tenant_objectclass = groupOfNames
-
-role_tree_dn = ou=Roles,dc=example,dc=org
-role_objectclass = organizationalRole</programlisting>
-            <note>
-                <para>These schema attributes are extensible for
-                    compatibility with various schemas. For example,
-                    this entry maps to the
-                        <systemitem>person</systemitem> attribute in
-                    Active Directory:</para>
-                <programlisting language="ini">user_objectclass = person</programlisting>
-            </note>
-        </step>
-        <step>
-            <para>A read-only implementation is recommended for LDAP
-                integration. These permissions are applied to object
-                types in the <filename>keystone.conf</filename>
-                file:</para>
-            <programlisting language="ini">[ldap]
-user_allow_create = False
-user_allow_update = False
-user_allow_delete = False
-
-tenant_allow_create = False
-tenant_allow_update = False
-tenant_allow_delete = False
-
-role_allow_create = False
-role_allow_update = False
-role_allow_delete = False</programlisting>
-        </step>
-        <step>
-            <para>Restart the Identity service:</para>
-            <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
-            <warning><para>During service restart, authentication and
-            authorization are unavailable.</para></warning>
-        </step>
-    </procedure>
-    <procedure>
-      <title>To integrate Identity with multiple back ends</title>
-      <step>
-        <para>Set the following options in the
-          <filename>/etc/keystone/keystone.conf</filename> file:</para>
-        <substeps>
-          <step>
-            <para>Enable the LDAP driver:</para>
-            <programlisting language="ini">[identity]
-#driver = keystone.identity.backends.sql.Identity
-driver = keystone.identity.backends.ldap.Identity</programlisting>
-          </step>
-          <step>
-            <para>Enable domain-specific drivers:</para>
-            <programlisting language="ini">[identity]
-domain_specific_drivers_enabled = True
-domain_config_dir = /etc/keystone/domains</programlisting>
-          </step>
-        </substeps>
-      </step>
-      <step>
-        <para>Restart the service:</para>
-        <screen><prompt>#</prompt> service keystone restart</screen>
-      </step>
-      <step>
-        <para>List the domains using the dashboard, or the OpenStackClient
-          CLI. Refer to the <link xlink:href="http://docs.openstack.org/developer/python-openstackclient/command-list.html">Command List</link>
-          for a list of OpenStackClient commands.</para>
-      </step>
-      <step>
-        <para>Create domains using OpenStack dashboard, or the
-          OpenStackClient CLI.</para>
-      </step>
-      <step>
-        <para>For each domain, create a domain-specific configuration
-          file in the <filename>/etc/keystone/domains</filename> directory.
-          Use the file naming convention <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>,
-          where <replaceable>DOMAIN_NAME</replaceable>
-          is the domain name assigned in the previous step.</para>
-        <note><para>The options set in the
-            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-            file will override options in the <filename>/etc/keystone/keystone.conf</filename>
-            file.</para></note>
-      </step>
-      <step>
+    <formalpara>
+        <title>To define the destination LDAP server</title>
        <para>Define the destination LDAP server in the
-          <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> file. For example:</para>
-        <programlisting language="ini">[ldap]
+                <filename>keystone.conf</filename> file:</para>
+    </formalpara>
+    <programlisting language="ini">[ldap]
 url = ldap://localhost
 user = dc=Manager,dc=example,dc=org
 password = samplepassword
 suffix = dc=example,dc=org
 use_dumb_member = False
 allow_subtree_delete = False</programlisting>
-      </step>
-      <step>
-        <para>Create the organizational units (OU) in the LDAP
-          directory, and define their corresponding location in
-          the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-          file. For example:</para>
+    <note>
+        <para>Configure <option>dumb_member</option> if you set <option>use_dumb_member</option> to true.</para>
        <programlisting language="ini">[ldap]
-user_tree_dn = ou=Users,dc=example,dc=org
-user_objectclass = inetOrgPerson
-
-tenant_tree_dn = ou=Groups,dc=example,dc=org
-tenant_objectclass = groupOfNames
-
-role_tree_dn = ou=Roles,dc=example,dc=org
-role_objectclass = organizationalRole</programlisting>
-        <note>
-          <para>These schema attributes are extensible for
-            compatibility with various schemas. For example,
-            this entry maps to the <systemitem>person</systemitem>
-            attribute in Active Directory:</para>
-          <programlisting language="ini">user_objectclass = person</programlisting>
-        </note>
-      </step>
-      <step>
-        <para>A read-only implementation is recommended for LDAP
-          integration. These permissions are applied to object
-          types in the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-          file:</para>
-        <programlisting language="ini">[ldap]
-user_allow_create = False
-user_allow_update = False
-user_allow_delete = False
-
-tenant_allow_create = False
-tenant_allow_update = False
-tenant_allow_delete = False
-
-role_allow_create = False
-role_allow_update = False
-role_allow_delete = False</programlisting>
-      </step>
-      <step>
-        <para>Restart the Identity service:</para>
-        <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
-        <warning><para>During service restart, authentication and
-            authorization are unavailable.</para></warning>
-      </step>
-    </procedure>
+dumb_member = cn=dumb,dc=nonexistent</programlisting>
+    </note>
    <formalpara>
        <title>Additional LDAP integration settings</title>
        <para>Set these options in the
@ -197,34 +67,71 @@ role_allow_delete = False</programlisting>
    </formalpara>
    <variablelist>
        <varlistentry>
-            <term>Filters</term>
+            <term>Query option</term>
            <listitem>
-                <para>Use filters to control the scope of data
-                    presented through LDAP.</para>
+                <para>Use <option>query_scope</option>
+                    to control the scope level of data
+                    presented (search only the first level or search an entire
+                    sub-tree) through LDAP.</para>
+                <para>Use <option>page_size</option> to control the maximum
+                    results per page. A value of zero disables paging.</para>
+                <para>Use <option>alias_dereferencing</option> to control
+                    the LDAP dereferencing option for queries.</para>
+                <para>Use <option>chase_referrals</option> to override the
+                    system's default referral chasing behavior for queries.</para>
                <programlisting language="ini">[ldap]
-user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
-tenant_filter =
-role_filter =</programlisting>
+query_scope = sub
+page_size = 0
+alias_dereferencing = default
+chase_referrals = </programlisting>
            </listitem>
        </varlistentry>
        <varlistentry>
-            <term>LDAP Account Status</term>
+            <term>Debug</term>
            <listitem>
-                <para>Mask account status values for compatibility
-                    with various directory services. Superfluous
-                    accounts are filtered with
-                        <systemitem>user_filter</systemitem>.</para>
-                <para>For example, you can mask Active Directory
-                    account status attributes in the
-                        <filename>keystone.conf</filename>
-                    file:</para>
+                <para>Use <option>debug_level</option> to set
+                    the LDAP debugging level for LDAP calls. A value of zero means that
+                    debugging is not enabled.</para>
                <programlisting language="ini">[ldap]
-user_enabled_attribute = userAccountControl
-user_enabled_mask      = 2
-user_enabled_default   = 512</programlisting>
+debug_level = 0</programlisting>
+                <warning><para>This value is a bitmask, consult your LDAP
+                    documentation for possible values.</para></warning>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Connection pooling</term>
+            <listitem>
+                <para>Use <option>use_pool</option> to enable LDAP connection
+                    pooling. Configure connection pool size, maximum retry,
+                    reconnect trials, timeout (-1 indicates indefinite
+                    wait) and lifetime in seconds.</para>
+                <programlisting language="ini">[ldap]
+use_pool = true
+pool_size = 10
+pool_retry_max = 3
+pool_retry_delay = 0.1
+pool_connection_timeout = -1
+pool_connection_lifetime = 600</programlisting>
+            </listitem>
+        </varlistentry>
+        <varlistentry>
+            <term>Connection pooling for end user authentication</term>
+            <listitem>
+                <para>Use <option>use_auth_pool</option> to enable LDAP
+                    connection pooling for end user authentication.
+                    Configure connection pool size and lifetime in seconds.</para>
+                <programlisting language="ini">[ldap]
+use_auth_pool = false
+auth_pool_size = 100
+auth_pool_connection_lifetime = 60</programlisting>
            </listitem>
        </varlistentry>
    </variablelist>
+    <para>When you have finished configuration, restart the Openstack Identity service:</para>
+        <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
+        <warning><para>During service restart, authentication and
+        authorization are unavailable.</para></warning>
+    <xi:include href="section_keystone_config_ldap-identity.xml"/>
    <xi:include href="section_keystone_config_ldap-assignments.xml"/>
    <xi:include href="section_keystone_config_ldap-hardening.xml"/>
 </section>