Hello, I am trying to figure out what to use for the "user_enabled_*" attributes for the HP Enterprise Directory servers. It looks like the enabled attribute values in the keystone.conf file are expected to have numerical values.
From(URL http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html : In case that the directory server does not have an attribute enabled of type boolean for the user, there are several configuration parameters that can be used to extract the value from an integer attribute like in Active Directory: [ldap] user_enabled_attribute = userAccountControl user_enabled_mask = 2 user_enabled_default = 512 In this case the attribute is an integer and the enabled attribute is listed in bit 1, so the if the mask configured user_enabled_mask is different from 0, it gets the value from the field user_enabled_attribute and it makes an ADD operation with the value indicated on user_enabled_mask and if the value matches the mask then the account is disabled. It also saves the value without mask to the user identity in the attribute enabled_nomask. This is needed in order to set it back in case that we need to change it to enable/disable a user because it contains more information than the status like password expiration. Last setting user_enabled_mask is needed in order to create a default value on the integer attribute (512 = NORMAL ACCOUNT on AD) What if the enabled attributes from the LDAP server are not numerical values but rather character strings? hpStatus: Active, Deceased, Leave of Absence, Leave with Pay, Terminated, Retired, Pending, Limited How would you set the attribute enabled = 'Active'? Mind you that this is a read only ldap connection. user_enabled_attribute = hpStatus user_enabled_mask = 0 user_enabled_default = "Active" Thanks, Mark
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
