• End-users cannot login to Openstack dashboard using AD accounts after changing certificates on LDAPS servers
• You see LDAP error in valid-keystone.log

7.x

1. Connect to your LDAP server on secure port from VIO manager using netcat:

nc <ldap server> 636 -v -w 60

Note: By default the secure port is 636

2. Connect to your directory server with ldapsearch tool: 

Get the LDAP server certificate
echo -n | openssl s_client -connect vioad.eng.vmware.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/test-cert.crt

Export these variables
export LDAPTLS_REQCERT=ALLOW
export LDAPTLD_CERT=/tmp/test-cert.crt

Check if it returns results that match search criteria you specify.
ldapsearch -o nettimeout=5 -x -w ${ldap_pwd} -D ${ldap_user} -H ${url} -b ${user_tree_dn} ${user_filter}

3. Open /tmp-cert.crt file from above and find the root certificate in the list of certificates.

Note: To decode certificate you can use online SSL checker websites or openssl utility:

openssl x509 -text -noout -in ldap_1.crt  | grep -E "Subject:|Not After"

4. Update keystone CR by adding root certificate to ldap_cert section:

viocli update keystone keystone1
conf:
  keystone:
    identity:
      domain_config_dir: /etc/keystonedomains
      domain_specific_drivers_enabled: "True"
  ks_domains:
    testad2:
      identity:
        driver: ldap
      ldap:
        chase_referrals: false
...
ldap_cert:
- |-
  -----BEGIN CERTIFICATE-----
  ################################################################
  ################################################################
  #####################################################=
  -----END CERTIFICATE-----
- |-
 -----BEGIN CERTIFICATE-----
/* Insert your root certificate here */
 -----END CERTIFICATE-----

Note:  After saving file the keystone pods will be terminated and recreated.  Wait until this completes.

5. Check that  keystone works as expected with the ldap setup using Openstack CLI:

LDAP Connection Check