The guide states that both "keystone.identity.backends.ldap.Identity" and "user_attribute_ignore" can be used, but as you can see below this is deprecated (and infact not working in current Newton)
==> keystone-apache-admin-error.log <==
2016-09-27 10:35:13.891436 2016-09-27 10:35:13.890 24 WARNING stevedore.named [req-01e2b673-51b3-4364-a131-ad0bb8c78e01 - - - - -] Could not load keystone.identity.backends.ldap.Identity
==> keystone.log <==
2016-09-27 10:35:13.914 24 WARNING oslo_config.cfg [req-01e2b673-51b3-4364-a131-ad0bb8c78e01 - - - - -] Option "user_attribute_ignore" from group "ldap" is deprecated for removal. Its value may be silently ignored in the future.
==> keystone-apache-admin-error.log <==
2016-09-27 10:35:13.914683 2016-09-27 10:35:13.914 24 WARNING oslo_config.cfg [req-01e2b673-51b3-4364-a131-ad0bb8c78e01 - - - - -] Option "user_attribute_ignore" from group "ldap" is deprecated for removal. Its value may be silently ignored in the future.
-----------------------------------
Release: 0.9 on 2016-09-27 12:00
SHA: 974a8b3e88ffdda8b621a6befc124d4f9ca9bdc7
Source: http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/admin-guide/source/keystone-integrate-identity-backend-ldap.rst
URL: http://docs.openstack.org/admin-guide/keystone-integrate-identity-backend-ldap.html
A lot of the keystone bits in the admin-guide are out of date, in particular, the LDAP bits.
[1] Instruction for LDAP assignment backend can be removed. keystone-
[2] The write support for the LDAP identity backend will be removed in Ocata
[3] Instructions for PKI can be removed: keystone-
[4] The drivers should be "ldap" or "sql"
https:/
I'll propose revising this in a sprint at the next keystone meeting.