How to reproduce:
$ juju deploy cs:~openstack-charmers-next/keystone
Located charm "cs:~openstack-charmers-next/keystone-306".
Deploying charm "cs:~openstack-charmers-next/keystone-306".
$ juju deploy cs:~openstack-charmers-next/keystone-ldap
Located charm "cs:~openstack-charmers-next/keystone-ldap-14".
Deploying charm "cs:~openstack-charmers-next/keystone-ldap-14".
$ juju config keystone-ldap \
domain-name=mydomain.example.com \
ldap-server=ldap://localhost/ \
ldap-user='cn=admin,dc=mydomain,dc=test,dc=com' \
ldap-password=secret \
ldap-suffix='dc=mydomain,dc=example,dc=com' \
ldap-config-flags='{query_scope: sub, user_objectclass: person}'
$ juju add-relation keystone keystone-ldap
$ juju run --unit keystone/0 'cat /etc/keystone/domains/keystone.mydomain.example.com.conf'
[ldap]
url = ldap://localhost/
user = cn=admin,dc=mydomain,dc=test,dc=com
password = secret
suffix = dc=mydomain,dc=example,dc=com
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
# User supplied configuration flags
query_scope = sub
user_objectclass = person
[identity]
driver = ldap
ldap-config-flags has been reflected at the deployment, however, I cannot add page_size=10 by the following command. config-changed flag was run, but no "page_size" in /etc/keystone/domains/keystone.mydomain.example.com.conf.
$ juju config ldap-config-flags='{query_scope: sub, user_objectclass: person, page_size: 10}'
Immutable domain-name should be fine, but tweaking ldap-config-flags may be necessary after a deployment.