On 08/07/2013 04:38 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
Hello,
I am trying to figure out what to use for the "user_enabled_*"
attributes for the HP Enterprise Directory servers. It looks like the
enabled attribute values in the keystone.conf file are expected to
have numerical values.

That stuff is from the Active Directory integration. AD does user
enabled as a bit field.

From http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html:
In case that the directory server does not have an attribute enabled
of type boolean for the user, there are several configuration
parameters that can be used to extract the value from an integer
attribute like in Active Directory:
[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
In this case the attribute is an integer and the enabled attribute is
listed in bit 1, so if the mask configured /user_enabled_mask/ is
different from 0, it gets the value from the field
/user_enabled_attribute/ and it makes an ADD operation with the value
indicated on /user_enabled_mask/ and if the value matches the mask
then the account is disabled.
It also saves the value without mask to the user identity in the
attribute /enabled_nomask/. This is needed in order to set it back in
case that we need to change it to enable/disable a user because it
contains more information than the status like password expiration.
Last setting /user_enabled_mask/ is needed in order to create a
default value on the integer attribute (512 = NORMAL ACCOUNT on AD)
What if the enabled attributes from the LDAP server are not numerical
values but rather character strings?
hpStatus: Active, Deceased, Leave of Absence, Leave with Pay,
Terminated, Retired, Pending, Limited

I think this is more common in LDAP than the bit field, and thought it
was supported. No mask is required, and should probably be left
defaulted to None

How would you set the attribute enabled = 'Active'? Mind you that this
is a read only ldap connection.
user_enabled_attribute = hpStatus
user_enabled_mask = 0
user_enabled_default = "Active"
Thanks,
Mark
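
The bit-field handling described in the quoted documentation, as an added Python example that is not part of this thread and is not Keystone's own code. The function names are hypothetical, the mask test is written as a bitwise AND, and `status_enabled` is an assumed fail-closed mapping for a string attribute such as hpStatus, not a confirmed Keystone feature.

```python
# Added illustration; not Keystone's implementation. All names are hypothetical.
ACCOUNTDISABLE = 0x2         # user_enabled_mask = 2 (bit 1 of userAccountControl)
NORMAL_ACCOUNT = 0x200       # user_enabled_default = 512
DONT_EXPIRE_PASSWORD = 0x10000  # another AD flag stored in the same integer


def decode_enabled(raw, mask=ACCOUNTDISABLE, default=NORMAL_ACCOUNT):
    """Return (enabled, enabled_nomask) for an integer enabled attribute.

    raw is the attribute value as the directory returns it (a string),
    or None when the entry has no such attribute.
    """
    if mask == 0:
        raise ValueError("mask 0 means no bit-field decoding; not covered here")
    nomask = int(default if raw is None else raw)
    # The account is disabled when the masked bits are all set.
    enabled = (nomask & mask) != mask
    return enabled, nomask


def encode_enabled(enabled, nomask, mask=ACCOUNTDISABLE):
    """Flip only the masked bit so the other flags in the value survive."""
    return nomask & ~mask if enabled else nomask | mask


def status_enabled(value, enabled_values=frozenset({"Active"})):
    """Assumed mapping for a string attribute: only allow-listed values
    count as enabled, so a missing or unknown status is treated as disabled."""
    return value in enabled_values


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for raw in ("512", "514", str(NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD), None):
        print(raw, decode_enabled(raw))
    for status in ("Active", "Terminated", "Leave of Absence", None):
        print(status, status_enabled(status))
```
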