From 14b021261e4dead89720dd4f7c06d7a99685d61b Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Tue, 11 Feb 2025 13:05:29 +0100
Subject: [PATCH] Document breaking Keystone LDAP TLS change

---
 doc/source/operations/upgrading-openstack.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
index 1d2978a78..b04850961 100644
--- a/doc/source/operations/upgrading-openstack.rst
+++ b/doc/source/operations/upgrading-openstack.rst
@@ -167,6 +167,15 @@ Support for the ``AvailabilityZoneFilter`` filter has been dropped in Nova.
 Remove it from any Nova config files before upgrading. It will cause errors in
 Caracal and halt the Nova scheduler.
 
+Keystone LDAP TLS configuration
+-------------------------------
+
+Either ``[ldap] tls_cacertfile`` or ``[ldap] tls_cacertdir`` must be configured
+if ``[ldap] use_tls`` is true or LDAP URL uses the ``ldaps://`` scheme. LDAP
+authentication will fail if this configuration is absent. See `upstream
+Keystone change <https://review.opendev.org/c/openstack/keystone/+/833876>`__
+for more details.
+
 Known issues
 ============