OpenStack Keystone Authentication Using LDAP

Keystone is a OpenStack project that implements OpenStack’s identity API and provides authentication and authorization services to identify users of the OpenStack cloud. It also provides a catalog of all other deployed OpenStack services such as Nova, Neutron, Cinder and Glance. These services trust Keystone to create and manage user identities and credentials. For some enterprise deployments, Keystone may pass on the authentication task to an external service, such as LDAP or Microsoft Active Directory (AD).  This article shows the basics of Keystone authentication using LDAP.

Keystone’s main purpose is authorization within an OpenStack deployment. It achieves this by issuing authorization tokens to authenticated users. The OpenStack identity service offers two mechanisms out of the box for authentication:

  • Username password-based authentication – The identity service stores user credentials in the SQL database. Upon successful user credential validation, an access token is issued that must be embedded inside each subsequent request. By default, tokens expire after 24 hours, but this duration is configurable. This method is simple and works out of the box. However, it requires end users to create separate login credentials and does not lend itself to a federated model for authentication and authorization.
  • LDAP-based authentication – OpenStack Keystone can be configured to integrate with LDAP as a source authority for authentication. Requests to the identity service are delegated to the LDAP service, which will authorize or deny requests. A token is generated on successful authentication. This method integrates seamlessly with existing authentication system at most enterprises. With this approach, existing users can access resources and execute APIs in a OpenStack cloud, without having to provision a new identity.

How to Integrate a LDAP Backend in Keystone

The first step is to configure Keystone to load the LDAP identity driver that can forward authentication requests to an LDAP server, and get back a principal name, tenant and roles. To do that, the values in the [ldap] section of the file etc/keystone/keystone.conf are modified.

  • Enable the LDAP driver in the keystone.conf file, specified as

[code lang=”bash”][identity] driver = keystone.identity.backends.ldap.Identity[/code]

  • Define the destination LDAP server in the keystone.conf file:

[code lang=”bash”][ldap] url = ldap://
user = dc=Manager,dc=pf9,dc=com
password = nonobviouspassword
suffix = dc=pf9,dc=com
use_dumb_member = False
allow_subtree_delete = False[/code]

  • The LDAP directory will have to be updated with the required organizational units (OU). These are subsequently specified in the keystone.conf file:

[code lang=”bash”][ldap] user_tree_dn = ou=Users,dc=pf9,dc=com
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=pf9,dc=com
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=pf9,dc=com
role_objectclass = organizationalRole[/code]

  • As a best practice, Keystone should have read-only access with the LDAP integration:

[code lang=”bash”][ldap] user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False[/code]

  • To restrict the scope of data returned by LDAP, set filters as desired:

[code lang=”bash”][ldap] user_filter = (memberof=cn=devops-users,ou=workgroups,dc=pf9,dc=com)
tenant_filter =
role_filter =[/code]

The Keystone service needs to be restarted for the changes to become effective.


Keystone provides identity services, primarily authorization, for all OpenStack projects. It supports LDAP backend for authentication, in addition to the default SQL backend. This is fairly straightforward to setup and works easily with the existing LDAP or AD services in enterprises.

See these blogs to configure Keystone with other popular Directory Services and SSO:
Keystone Authentication using ADFS
Keystone Authentication using AD
Configure Keystone Single Sign-on
Keystone Federation Setup

Note: LDAP integration with Keystone is currently not supported in Platform9 Managed OpenStack.


You may also enjoy

Kubernetes FinOps: Right-sizing Kubernetes workloads

By Joe Thompson

OpenStack Ironic: Enabling Bare Metal as a Service

By Platform9

The browser you are using is outdated. For the best experience please download or update your browser to one of the following:

State of Kubernetes FinOps Survey – Win 13 prizes including a MacBook Air.Start Now