Part of your VMware Integrated OpenStack deployment configuration includes setting up authentication. You can also modify this configuration post-installation.

VMware Integrated OpenStack supports SQL plus one or more domains as an identity source, up to a maximum of 10 domains.


Verify that the new LDAP settings are valid.


  1. In the vSphere Web Client, select Home > VMware Integrated OpenStack > Manage.
  2. Click the Settings tab.
  3. Click Configure Identity Source.

    The panel displays the current configuration.

  4. If you are using LDAP with your VMware Integrated OpenStack deployment, click the plus sign (+) to configure the LDAP source.

    The Add Identity Source dialog appears.



    Active Directory domain name

    Specify the full Active Directory domain name; for example,

    Keystone domain name

    A Keystone domain defines the administrative boundaries for management of Keystone entities. A domain can represent an individual, company, or operator owned space. Avoid setting the domain name to: Default .

    Bind user

    Provide the user name to bind to Active Directory for LDAP requests.

    Bind password

    Provide the password to allow the LDAP client access to the LDAP server.

    Domain controllers

    (Optional) VMware Integrated OpenStack automatically chooses the existing Active Directory domain controllers. However, you can specify a list of specific domain controllers to use. To do this, select the Domain controllers radio button and then enter the IP address of one or more domain controllers, separated by commas.


    (Optional) Optionally, you can limit LDAP searching to a specific deployment site within your organization; for example, Select the Site radio button and enter the domain name of the site to search.

    User Tree DN

    (Optional) Enter the search base for users; for example, DC=vmware, DC=com. Defaults to the top of the user tree in most Active Directory deployments.

    User Filter

    (Optional) Enter an LDAP search filter for users. Check the AD domain setting to filter out users of the same name as the service users in OpenStack such as nova or cinder.


    If your directory contains more than 1,000 objects (users and groups), you must apply a filter to ensure that fewer than 1,000 objects are returned. For examples of filters, see

    Group tree DN

    (Optional) Enter the search base to use for groups. Defaults to the '[ldap]suffix' value. For example, group_tree-dn={{ldap_group_tree_dn}}

    Group filter

    (Optional) Enter an LDAP search filter to use for groups. For example, group_filter = {{ ldap_group_filter | default('') }}

    LDAP admin user

    (Optional) Enter the LDAP admin user if the Keystone Identity provider is configured to work with OpenLDAP.

    Advanced settings

    If you want to specify advanced LDAP settings, check the Advanced settings check box.

    If you check the Advanced settings check box, additional LDAP configuration fields appear.


    Always contact the LDAP administrator to obtain correct values for advanced LDAP settings, or use tools such as ldapsearch or Apache Directory Studio to locate the settings.




    From the pull-down menu, choose None, SSL, or StartTLS


    Enter the hostname for the LDAP server.


    Enter the port number to user on the LDAP server.

    User objectclass

    (Optional) Enter the LDAP object class for users.

    User ID attribute

    (Optional) Enter the LDAP attribute mapped to the user ID. Note that this value cannot be a multi-valued attribute.

    User name attribute

    (Optional) Enter the LDAP attribute mapped to the user name.

    User mail attribute

    (Optional) Enter the LDAP attribute mapped to the user email.

    User password attribute

    (Optional) Enter the LDAP attribute mapped to the password.

    Group objectclass

    (Optional) Enter an LDAP object class for groups.

    Group ID attribute

    (Optional) Enter the LDAP attribute mapped to the group ID.

    Group name attribute

    (Optional) Enter the LDAP attribute mapped to the group name.

    Group member attribute

    (Optional) Enter the LDAP attribute mapped to the group member name.

    Group description attribute

    (Optional) Enter the LDAP attribute mapped to the group description.

    Figure 1. Add identity source dialog
    Figure 2. Advanced LDAP settings
  5. Click the Validate button to validate authentication, that the admin user exists, and that users are available in the user tree DN + filter search.

    Validation verifies the settings provided so that Keystone is likely to start later.

  6. The Users and Group tables list users that are found. Use the information in these tables to verify your user and group search.
  7. Click Save.