AI for OpenStack

Keystone LDAP Identity Backend Debug Prompt

Diagnose why Keystone authentication against an external LDAP/Active Directory identity backend fails, returns wrong group memberships, or is slow, while keeping service accounts in the SQL backend.

Target user
OpenStack operators integrating Keystone with corporate LDAP or AD
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack identity engineer who has wired Keystone to hostile corporate LDAP and Active Directory forests and untangled the domain-specific, read-only identity configuration that makes authentication work.

I will provide:
- The relevant `keystone.conf` / domain-specific `keystone.<domain>.conf` (the `[identity]` driver setting and the `[ldap]` section)
- Symptoms (login fails, user found but no roles, group membership empty, slow binds)
- A redacted `ldapsearch` result for an affected user and group
- Keystone debug logs around the failing request

Your job:

1. **Locate the backend** — confirm whether the failing user lives in the LDAP-backed domain or the SQL domain, and verify domain-specific drivers are actually enabled (`domain_specific_drivers_enabled = true` and a `domain_config_dir`, default `/etc/keystone/domains`, containing a `keystone.<domain>.conf` whose file name matches the domain name). Many failures are users hitting the wrong domain, typically a client left on the `Default` domain instead of `--os-user-domain-name <ldap-domain>`.

2. **Validate the bind & search base** — check `url`, `user`, `password`, `suffix`, `user_tree_dn`, `user_objectclass`, `user_filter`, and `query_scope` (default `one`, which misses users in nested OUs; AD usually needs `sub`); reproduce the exact search Keystone runs with `ldapsearch`, binding as the same service account, and compare the DNs returned.

3. **Attribute mapping** — verify `user_id_attribute`, `user_name_attribute`, `user_mail_attribute`, and especially `user_enabled_attribute`/`user_enabled_mask`/`user_enabled_default`. With AD, `user_enabled_attribute = userAccountControl` needs `user_enabled_mask = 2` (the ACCOUNTDISABLE bit) and `user_enabled_default = 512`; getting that bit math wrong disables every account silently, with a valid bind and no useful error.

4. **Group resolution** — check `group_tree_dn`, `group_objectclass`, `group_member_attribute` and `group_members_are_ids` (AD stores full DNs in `member`, so `group_members_are_ids = false`); explain that role assignments reference the Keystone group ID derived from `group_id_attribute`, so a member attribute the directory never populates yields a group with no members and therefore a user with no effective roles.

5. **Performance & safety** — confirm the LDAP backend is read-only (Keystone's LDAP identity driver no longer supports writes; service accounts stay in SQL), recommend connection pooling (`use_pool`, `pool_size`, `use_auth_pool`), TLS (either an `ldaps://` URL or `use_tls` for STARTTLS, with `tls_cacertfile` and `tls_req_cert = demand`), and referral handling (`chase_referrals = false` against AD, where referrals to other domains in the forest stall searches); flag unindexed searches and overly broad `user_tree_dn` scopes causing slow binds.

6. **Confirm the fix** — give the exact `openstack token issue` (with `--os-user-domain-name` set to the LDAP domain) and `openstack role assignment list --names --effective` checks that prove auth and group-inherited roles now resolve.

Output as: (a) root-cause statement, (b) annotated config diff, (c) the reproducing `ldapsearch` command, (d) verification commands, (e) hardening recommendations (TLS, pooling, read-only enforcement).

Treat LDAP as read-only from Keystone; never let identity writes flow back into the corporate directory.
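A worked, offline reproduction of steps 2 to 4, added here as an example; it is not part of the original prompt and not Keystone's own code. It assumes a constructed `keystone.<domain>.conf` fragment for an Active Directory domain (the hostname, DNs, service account and the deliberately wrong `group_member_attribute = memberUid` are made up), constructed `ldapsearch` output for one group in LDIF form, and models only the `user_enabled_mask` path of Keystone's enabled check (an account is enabled when `value & mask != mask`). It prints the `ldapsearch` command equivalent to Keystone's user lookup, evaluates sample `userAccountControl` values against the mask, and shows the empty membership that the wrong member attribute produces next to the result after the fix.

```python
"""Added example (not from the page or the Keystone project): reproduce,
offline, the user search, the userAccountControl bit test and the group
membership lookup Keystone performs against an LDAP-backed domain."""
import configparser
import shlex

# Constructed keystone.<domain>.conf fragment for an AD domain (hypothetical
# names). group_member_attribute is deliberately wrong: AD populates 'member'.
DOMAIN_CONF = """
[ldap]
url = ldaps://ad.example.internal:636
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=internal
password = REDACTED
suffix = DC=example,DC=internal
query_scope = sub
user_tree_dn = OU=People,DC=example,DC=internal
user_objectclass = person
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=internal)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
group_tree_dn = OU=Groups,DC=example,DC=internal
group_objectclass = group
group_id_attribute = cn
group_member_attribute = memberUid
"""

# Constructed ldapsearch output (LDIF) for the group that carries the role.
GROUP_LDIF = """\
dn: CN=openstack-admins,OU=Groups,DC=example,DC=internal
objectClass: group
cn: openstack-admins
member: CN=Alice Liddell,OU=People,DC=example,DC=internal
member: CN=Bob Builder,OU=People,DC=example,DC=internal
"""


def load_ldap_section(conf_text):
    """Return the [ldap] section as a plain dict (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return dict(cp["ldap"])


def parse_ldif_entry(ldif_text):
    """Minimal LDIF reader for one entry: attribute -> list of values."""
    entry = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def user_search_command(cfg, username):
    """ldapsearch equivalent of Keystone's user lookup: object class, name
    attribute and user_filter are ANDed into a single filter."""
    flt = "(&(objectClass={})({}={}){})".format(
        cfg["user_objectclass"], cfg["user_name_attribute"], username,
        cfg.get("user_filter", ""))
    attrs = [cfg["user_id_attribute"], cfg["user_name_attribute"],
             cfg["user_mail_attribute"], cfg["user_enabled_attribute"]]
    argv = ["ldapsearch", "-LLL", "-H", cfg["url"], "-D", cfg["user"], "-W",
            "-b", cfg["user_tree_dn"], "-s", cfg.get("query_scope", "one"),
            flt, *attrs]
    return shlex.join(argv)


def account_enabled(cfg, enabled_attr_value):
    """user_enabled_mask semantics: enabled iff (value & mask) != mask.
    With mask = 2 (AD's ACCOUNTDISABLE bit), 512 is enabled, 514 disabled.
    A missing attribute falls back to user_enabled_default."""
    mask = int(cfg.get("user_enabled_mask", 0))
    if mask == 0:
        raise ValueError("userAccountControl needs a non-zero mask; "
                         "the no-mask path is not modelled here")
    raw = enabled_attr_value if enabled_attr_value is not None \
        else cfg.get("user_enabled_default", 0)
    return (int(raw) & mask) != mask


def group_member_values(cfg, group_entry):
    """Values Keystone reads via group_member_attribute. An attribute the
    directory never populates (memberUid on AD) gives an empty list, so the
    roles assigned to the group vanish without an error."""
    return list(group_entry.get(cfg["group_member_attribute"], []))


def diagnose(conf_text=DOMAIN_CONF, group_ldif=GROUP_LDIF):
    """Run the three checks and return findings plus the corrected lookup."""
    cfg = load_ldap_section(conf_text)
    group = parse_ldif_entry(group_ldif)
    findings = {
        "search": user_search_command(cfg, "alice"),
        "uac_512_enabled": account_enabled(cfg, "512"),
        "uac_514_enabled": account_enabled(cfg, "514"),
        "members_as_configured": group_member_values(cfg, group),
    }
    fixed = dict(cfg, group_member_attribute="member")  # the config diff
    findings["members_after_fix"] = group_member_values(fixed, group)
    return findings


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Running the script prints the `ldapsearch` line to paste against the real directory (it binds interactively with `-W`, so the service account password never lands in shell history), and the two membership lists make the one-line config diff `group_member_attribute = memberUid` to `member` visible before touching a live Keystone.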