Issue with Keystone LDAP Multidomain: "Add LDAP domains" tasks are skipped despite valid config

Asked by Salvatore Aurnia

Hi everyone,

I am encountering an issue configuring a specific domain (testbed) backed by LDAP in Keystone using OpenStack-Ansible. Despite defining the keystone_ldap_domains list in user_variables.yml, the playbook completes successfully but skips the tasks responsible for creating the domain configuration files. Consequently, the file /etc/keystone/domains/keystone.testbed.conf is never created inside the container.

Environment:

    OpenStack-Ansible Version: [2025.1]

    OS: Ubuntu 24.04 (LXC Containers)

    Deployment: Standard OSA containers

Configuration (/etc/openstack_deploy/user_variables.yml): I have enabled multi-domain support and defined the LDAP domain using the keystone_ldap_domains list format.

# Multi-domain support
horizon_keystone_multidomain_support: true
keystone_domain_specific_drivers_enabled: true
keystone_domain_specific_drivers_dir: /etc/keystone/domains
keystone_domain_configurations_from_database: false

# Overrides
keystone_conf_overrides:
  identity:
    domain_specific_drivers_enabled: true
    domain_config_dir: /etc/keystone/domains
    domain_configurations_from_database: false

# LDAP Domain Definition
keystone_ldap_domains:
  - name: testbed
    conf:
      identity:
        driver: ldap
      ldap:
        url: "ldaps://ldap.example.org"
        user: "uid=bind_user,cn=users,cn=accounts,dc=example,dc=org"
        password: "****************"
        suffix: "dc=example,dc=org"
        query_scope: sub
        user_tree_dn: "cn=accounts,dc=example,dc=org"
        user_mail_attribute: mail
        user_id_attribute: uid
        user_name_attribute: uid
        user_filter: "(memberof=cn=testers,cn=groups,dc=example,dc=org)"
        user_allow_create: false
        user_allow_update: false
        user_allow_delete: false
        user_enabled_default: true
        user_enabled_mask: 2
        user_additional_attribute_mapping: "cn:description"
        tls_cacertfile: /etc/ssl/certs/ca-certificates.crt

The Issue: When I run the playbook with:

openstack-ansible os-keystone-install.yml --tags "keystone-config"

Ansible skips the relevant tasks:
TASK [os_keystone : Add LDAP domains] ****************************************
skipping: [infra1-keystone-container-xxxx]

TASK [os_keystone : Create Keystone LDAP domain configs] *********************
skipping: [infra1-keystone-container-xxxx]

Troubleshooting Steps Taken:

    Variable Verification: I verified that the variable is correctly loaded by Ansible using the debug module:
    ansible infra1-keystone-container-xxxx -m debug -a "var=keystone_ldap_domains"
    The output correctly shows the list containing the testbed domain configuration structure.

    Permissions: I manually verified that the directory /etc/keystone/domains exists and has the correct permissions (keystone:keystone).

    Manual Workaround: If I manually create the /etc/keystone/domains/keystone.testbed.conf file with the content above and restart Apache, Keystone works correctly and can retrieve users from LDAP.

It seems like the logic determining whether to run the LDAP tasks is evaluating to False even though the variable is defined and populated.

Has anyone experienced this behavior or can point me to what specific condition causes the role to skip these tasks?

I also tried:

keystone_domain_config:
  testbed: ...

without "-".

Thanks in advance for your help.

Question information

Language: English
Status: Solved
For: OpenStack-Ansible
Assignee: No assignee
Solved by: Salvatore Aurnia

#1 Dmitriy Rabotyagov (noonedeadpunk) said:

Hi,

Sorry for being repetitive, but have you checked the documentation for LDAP configuration?
https://docs.openstack.org/openstack-ansible-os_keystone/latest/configure-keystone.html#implementing-ldap-or-active-directory-backends

As stated in the example there, the variable name should be `keystone_ldap`, not `keystone_ldap_domains`. Then, the variable is intended to contain a mapping, not a list.

Variable `keystone_ldap_domains` does not exist and is not used anywhere in the OpenStack-Ansible code from what I know.

I am also not sure where you took the keystone_domain_specific_drivers_enabled / keystone_domain_specific_drivers_dir / keystone_domain_configurations_from_database variables from, as nothing like that exists in the code either.

So pretty much the only thing you needed to do is to have `keystone_ldap` defined like this:

```
keystone_ldap:
      testbed:
        url: "ldaps://ldap.example.org"
        user: "uid=bind_user,cn=users,cn=accounts,dc=example,dc=org"
        password: "****************"
        suffix: "dc=example,dc=org"
        query_scope: sub
        user_tree_dn: "cn=accounts,dc=example,dc=org"
        user_mail_attribute: mail
        user_id_attribute: uid
        user_name_attribute: uid
        user_filter: "(memberof=cn=testers,cn=groups,dc=example,dc=org)"
        user_allow_create: false
        user_allow_update: false
        user_allow_delete: false
        user_enabled_default: true
        user_enabled_mask: 2
        user_additional_attribute_mapping: "cn:description"
        tls_cacertfile: /etc/ssl/certs/ca-certificates.crt
```
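
The shape mismatch above (a list under a variable the role never reads, instead of a mapping under `keystone_ldap`) is exactly the kind of thing a small pre-flight check catches before running the playbook. The script below is an added example, not code from the os_keystone role or from either poster. It takes the variables as a Python dict standing in for what Ansible would load from user_variables.yml, reports the unknown variable names from the question, checks that `keystone_ldap` is a mapping of domain name to LDAP options, flags a few settings a reviewer would want to see (TLS on the bind URL, write access to the directory left off), and renders the per-domain file in the layout the role is assumed to write (an `[identity]` section with `driver = ldap` plus an `[ldap]` section; the exact template is an assumption here).

```python
"""Pre-flight check for an OpenStack-Ansible keystone_ldap mapping.

Example code, not part of the os_keystone role. The per-domain layout
rendered by render_domain_config() is assumed, not taken from the role.
"""
import configparser
import io

# Constructed input: what Ansible would load from user_variables.yml,
# using the corrected variable layout from the answer above.
USER_VARIABLES = {
    "keystone_ldap": {
        "testbed": {
            "url": "ldaps://ldap.example.org",
            "user": "uid=bind_user,cn=users,cn=accounts,dc=example,dc=org",
            "password": "****************",
            "suffix": "dc=example,dc=org",
            "query_scope": "sub",
            "user_tree_dn": "cn=accounts,dc=example,dc=org",
            "user_id_attribute": "uid",
            "user_name_attribute": "uid",
            "user_filter": "(memberof=cn=testers,cn=groups,dc=example,dc=org)",
            "user_allow_create": False,
            "user_allow_update": False,
            "user_allow_delete": False,
            "tls_cacertfile": "/etc/ssl/certs/ca-certificates.crt",
        }
    }
}

# Variable names from the original question that the role does not read;
# their presence usually means the deployer is following the wrong document.
UNKNOWN_VARIABLES = (
    "keystone_ldap_domains",
    "keystone_domain_specific_drivers_enabled",
    "keystone_domain_specific_drivers_dir",
    "keystone_domain_configurations_from_database",
)

WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete")


def check_variables(variables):
    """Return a list of problems; an empty list means the mapping looks sane."""
    problems = []
    for name in UNKNOWN_VARIABLES:
        if name in variables:
            problems.append(f"{name} is not a variable the os_keystone role reads")
    ldap = variables.get("keystone_ldap")
    if ldap is None:
        problems.append("keystone_ldap is not defined; LDAP domain tasks will be skipped")
        return problems
    if not isinstance(ldap, dict):
        problems.append("keystone_ldap must be a mapping of domain name -> options, not a list")
        return problems
    for domain, options in ldap.items():
        if not isinstance(options, dict):
            problems.append(f"keystone_ldap.{domain} must be a mapping of LDAP options")
            continue
        url = options.get("url", "")
        if not url:
            problems.append(f"keystone_ldap.{domain} has no url")
        elif not url.startswith("ldaps://") and not options.get("use_tls"):
            problems.append(f"keystone_ldap.{domain} binds over cleartext LDAP (no ldaps:// or use_tls)")
        for flag in WRITE_FLAGS:
            if options.get(flag, False):
                problems.append(f"keystone_ldap.{domain} lets Keystone write to the directory via {flag}")
    return problems


def render_domain_config(domain, options):
    """Render the text of keystone.<domain>.conf (assumed layout, see docstring)."""
    cfg = configparser.ConfigParser(interpolation=None)  # DNs and filters may contain '%'
    cfg["identity"] = {"driver": "ldap"}
    # oslo.config accepts lower-case booleans; everything else is written verbatim.
    cfg["ldap"] = {
        key: (str(value).lower() if isinstance(value, bool) else str(value))
        for key, value in options.items()
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for problem in check_variables(USER_VARIABLES):
        print("WARNING:", problem)
    for name, opts in USER_VARIABLES["keystone_ldap"].items():
        print(f"--- /etc/keystone/domains/keystone.{name}.conf ---")
        print(render_domain_config(name, opts))
```

Run it against a dict built from your own user_variables.yml (for instance via `yaml.safe_load`) before invoking the playbook; a non-empty warning list from `check_variables` explains the skipped tasks faster than re-reading the role. The rendered file contains the bind password, so whatever writes it for real must keep it readable by the keystone user only.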

#2 Salvatore Aurnia (salvatorea) said:

Hi,

Thank you very much for the clarification, and apologies for my confusion earlier.

You are absolutely right — I misunderstood the variable names and was mistakenly using keystone_ldap_domains instead of keystone_ldap. I also double-checked the documentation link you provided, and now the configuration is clear to me.

Thanks again for your patience and for pointing me in the right direction. Much appreciated!