docs: add freeipa config
diff --git a/roles/keystone/README.md b/roles/keystone/README.md
index cb7b7c6..5ab571b 100644
--- a/roles/keystone/README.md
+++ b/roles/keystone/README.md
@@ -1 +1,41 @@
# `keystone`
+
+## Integrating with LDAP
+
+### FreeIPA
+
+You can use the following values as an example for configuring Keystone to
+use FreeIPA for the `contoso` domain inside Keystone.
+
+```yaml
+keystone_helm_values:
+ conf:
+ keystone:
+ identity:
+ domain_configurations_from_database: true
+ ks_domains:
+ contoso:
+ identity:
+ driver: ldap
+ ldap:
+ url: ldaps://ipa.contoso.com
+ user: uid=keystone,cn=users,cn=accounts,dc=contoso,dc=com
+ password: secret123
+ suffix: dc=contoso,dc=com
+ user_tree_dn: cn=users,cn=accounts,dc=contoso,dc=com
+ user_objectclass: person
+ # user_filter: (memberOf=cn=openstack,cn=groups,cn=accounts,dc=contoso,dc=com)
+ user_id_attribute: uid
+ user_name_attribute: uid
+ user_enabled_attribute: nsAccountLock
+ user_enabled_default: false
+ user_enabled_invert: true
+ group_tree_dn: cn=groups,cn=accounts,dc=contoso,dc=com
+ # group_filter: (cn=openstack-*)
+ group_name_attribute: cn
+```
+
+> **Note**
+>
+> The `user_filter` and `group_filter` are commented out because they are
+> optional if you want to limit the users and groups that Keystone will use.