The keystone-ldap charm should explicitly specify necessary ldap configuration values which are currently being set as part of ldap-config-flags. This creates a template for proper configuration which can then be enforced by the charm, and also increases charm usability in the case of a user that might be less experienced with ldap configuration.
Certain required configs, such as user_filter, user name attribute, user id attribute, group tree dn, group name attribute, group id attribute definitely need to be explicitly set in config.yaml, though other frequently used values should be included as well, with a suggested list below:
query_scope: default to 'sub'
user_tree_dn: default to 'ou=users,dc=example,dc=com'
user_filter: default to '(memberof=cn=openstack_group,ou=groups,dc=example,dc=com)'
user_name_attributes: default to 'uid'
user_id_attribute: default to 'uidNumber'
user_objectclass: default to 'posixAccount'
group_tree_dn: default to 'ou=groups,dc=example,dc=com'
group_objectclass: default to 'posixGroup'
group_id_attributes: default to 'gidNumber'
user_enabled_emulation | user_enabled_emulation_dn | user_enabled_attribute | user_enabled_flags | user_enabled_attribute_reverse (spelling on some of these unknown) should be something the charm handles consciously.
The full list of ldap config values can be found at https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html
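Added illustration of how a charm could enforce the explicit option set proposed in this report (constructed example, not keystone-ldap charm code): it applies the suggested defaults, refuses to render when a required option is unset, rejects a half-configured user_enabled_emulation pair, and does not let free-form ldap-config-flags silently override an explicit option. Assumptions: option names follow keystone's [ldap] section (singular *_attribute), and ldap-config-flags is treated as a comma-separated k=v string.

```python
"""Constructed illustration: enforce explicit keystone [ldap] options in charm config."""

# Options the report says must be set explicitly (keystone [ldap] names, singular form assumed).
REQUIRED = (
    "user_tree_dn", "user_filter", "user_name_attribute", "user_id_attribute",
    "group_tree_dn", "group_name_attribute", "group_id_attribute",
)

# Suggested defaults from the report; group_name_attribute deliberately has none.
DEFAULTS = {
    "query_scope": "sub",
    "user_tree_dn": "ou=users,dc=example,dc=com",
    "user_filter": "(memberof=cn=openstack_group,ou=groups,dc=example,dc=com)",
    "user_name_attribute": "uid",
    "user_id_attribute": "uidNumber",
    "user_objectclass": "posixAccount",
    "group_tree_dn": "ou=groups,dc=example,dc=com",
    "group_objectclass": "posixGroup",
    "group_id_attribute": "gidNumber",
}


def parse_config_flags(flags):
    """Parse an assumed 'k=v,k2=v2' ldap-config-flags string into a dict ('' -> {})."""
    out = {}
    for item in filter(None, (s.strip() for s in flags.split(","))):
        key, sep, value = item.partition("=")  # first '=' splits; DN values may contain '='
        if not sep or not key.strip():
            raise ValueError("malformed ldap-config-flags entry: %r" % item)
        out[key.strip()] = value.strip()
    return out


def render_ldap_section(cfg, config_flags=""):
    """Return keystone.conf [ldap] text for cfg, or raise ValueError on an invalid config."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in cfg.items() if v not in (None, "")})
    missing = [k for k in REQUIRED if not merged.get(k)]
    if missing:
        raise ValueError("required ldap options not set: %s" % ", ".join(missing))
    # Enabled-emulation needs a group DN to emulate against; reject a half-set pair.
    if str(merged.get("user_enabled_emulation", "")).lower() == "true" \
            and not merged.get("user_enabled_emulation_dn"):
        raise ValueError("user_enabled_emulation requires user_enabled_emulation_dn")
    # Free-form flags may add extra options but never override an explicit one.
    flags = parse_config_flags(config_flags)
    clash = sorted(set(flags) & set(merged))
    if clash:
        raise ValueError("ldap-config-flags override explicit options: %s" % ", ".join(clash))
    merged.update(flags)
    return "[ldap]\n" + "".join("%s = %s\n" % kv for kv in sorted(merged.items()))
```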
Thanks Alex, this would be a nice addition to the charm.