If you're using the domain config api via `keystone-manage domain_config_upload, it will fail because [ldap]/group_members_are_ids isn't in the whitelisted options [0]. There doesn't seem to be valid case to not have `CONF [ldap] group_members_are_ids` in the whitelist, as it seems like something that could be different per domain.
[0] https://github.com/openstack/keystone/blob/b43337413022583ca2e1c509c4fd23b384da0b2c/keystone/resource/core.py#L894-L917
Trace:
# keystone-manage domain_config_upload --all
Option "verbose" from group "DEFAULT" is deprecated for removal. Its value may be silently ignored in the future.
2017-03-06 15:24:55.216 14676 WARNING keystone.cmd.cli [-] Deprecated: keystone-manage domain_config_upload is deprecated as of Newton in favor of setting domain config options via the API and may be removed in 'P' release.
2017-03-06 15:24:55.569 14676 INFO keystone.cmd.cli [-] Scanning '/etc/keystone/domains' for domain config files
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli [req-54e29fe9-0be4-43b4-a5d0-99d4e281596b - - - - -] Error processing config file for domain: ldap_users, file: /etc/keystone/domains/keystone.ldap_users.conf, error: Invalid domain specific configuration: Option group_members_are_ids in group ldap is not supported for domain specific configurations
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli Traceback (most recent call last):
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli File "/usr/lib/python2.7/site-packages/keystone/cmd/cli.py", line 979, in _upload_config_to_database
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli sections)
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 124, in wrapped
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli __ret_val = __f(*args, **kwargs)
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli File "/usr/lib/python2.7/site-packages/keystone/resource/core.py", line 1131, in create_config
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli self._assert_valid_config(config)
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli File "/usr/lib/python2.7/site-packages/keystone/resource/core.py", line 1021, in _assert_valid_config
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli self._assert_valid_group_and_option(group, option)
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli File "/usr/lib/python2.7/site-packages/keystone/resource/core.py", line 1057, in _assert_valid_group_and_option
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli raise exception.InvalidDomainConfig(reason=msg)
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli InvalidDomainConfig: Invalid domain specific configuration: Option group_members_are_ids in group ldap is not supported for domain specific configurations
2017-03-06 15:24:55.583 14676 ERROR keystone.cmd.cli
Fix proposed to branch: master
Review: https:/