valid-keystone.log
Jul 28 15:43:12 vioad.eng.vmware.com valid-keystone[539]: vioad.eng.vmware.com to ldaps://vioad.eng.vmware.com:636.
15:43:11.472 [main] WARN com.vmware.openstack.validation.IdentityProviderValidator - Unable to fetch AD root certificates. Deployment will use server certificates as trust list.
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020E, problem 2001 (NO_OBJECT)
7.x
nc <ldap server> 636 -v -w 60
Note: By default the secure port is 636
Get the LDAP server certificate:
echo -n | openssl s_client -connect vioad.eng.vmware.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/test-cert.crt
Export these variables (the trust-store variable is LDAPTLS_CACERT; the original text had the misspelling LDAPTLD_CERT):
export LDAPTLS_REQCERT=ALLOW
export LDAPTLS_CACERT=/tmp/test-cert.crt
Check if it returns results that match the search criteria you specify:
ldapsearch -o nettimeout=5 -x -w ${ldap_pwd} -D ${ldap_user} -H ${url} -b ${user_tree_dn} ${user_filter}
Open the /tmp-cert.crt file from above and find the root certificate in the list of certificates.
Note: To decode a certificate you can use online SSL checker websites or the openssl utility:
openssl x509 -text -noout -in ldap_1.crt | grep -E "Subject:|Not After"
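The step above leaves you to pick the root certificate out of the bundle that openssl s_client wrote, and the warning at the top of this page is exactly the case where that root is not in the bundle at all. The following script is an added example, not part of this page and not VMware code: it splits a PEM bundle, reads each certificate's subject, issuer and notAfter with a stdlib-only DER parser, flags the self-signed root, and lists any issuer that no certificate in the bundle has as its subject (the root you still have to obtain from the AD side). It does not verify signatures. The sample chain it builds (Test Root CA, Test Issuing CA, the server name) is constructed and unsigned; the CA names are assumptions.

```python
"""Identify the self-signed root (and any missing issuer) in a PEM bundle
such as /tmp/test-cert.crt produced by `openssl s_client -showcerts`.
Stdlib only; parses just enough X.509 to read issuer/subject/notAfter.
Signatures are NOT checked: this only helps choose what to paste into ldap_cert."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# DER-encoded attribute type OIDs rendered by short name.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
             b"\x55\x04\x06": "C", b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC"}


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _name_to_str(name_der):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as CN=...,O=..."""
    parts = []
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def _time_to_dt(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Return subject, issuer, notAfter and whether issuer == subject (self-signed)."""
    _, cert, _ = _tlv(der)
    fields = _children(_children(cert)[0][1])          # tbsCertificate children
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_after_tag, not_after = _children(validity)[1]
    return {"subject": _name_to_str(subject), "issuer": _name_to_str(issuer),
            "not_after": _time_to_dt(not_after_tag, not_after),
            "self_signed": issuer == subject}


def split_pem_bundle(text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def analyze_bundle(text):
    """Roots present in the bundle, plus issuers the server did not send."""
    certs = [parse_cert(d) for d in split_pem_bundle(text)]
    subjects = {c["subject"] for c in certs}
    roots = [c for c in certs if c["self_signed"]]
    missing = sorted({c["issuer"] for c in certs if c["issuer"] not in subjects})
    return {"certs": certs, "roots": roots, "missing_issuers": missing}


# --- constructed sample data (unsigned X.509 skeletons; fine for the parser, useless for TLS) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def sample_cert_pem(subject_cn, issuer_cn, not_after="300101000000Z"):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Server sends its own cert and the issuing CA but not the root: the warning case.
    bundle = (sample_cert_pem("vioad.eng.vmware.com", "Test Issuing CA")
              + sample_cert_pem("Test Issuing CA", "Test Root CA"))
    result = analyze_bundle(bundle)
    for c in result["certs"]:
        print(f'{c["subject"]:<30} issuer={c["issuer"]:<20} notAfter={c["not_after"]:%Y-%m-%d}')
    print("roots in bundle:", [c["subject"] for c in result["roots"]])
    print("issuers not in bundle (obtain these):", result["missing_issuers"])
```

Run it against the real file with `analyze_bundle(open("/tmp/test-cert.crt").read())`; an empty `roots` list together with a non-empty `missing_issuers` list is the situation the log excerpt describes, and the entry in `missing_issuers` names the root you need to paste into the second ldap_cert item.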
viocli update keystone keystone1
conf:
  keystone:
    identity:
      domain_config_dir: /etc/keystonedomains
      domain_specific_drivers_enabled: "True"
  ks_domains:
    testad2:
      identity:
        driver: ldap
      ldap:
        chase_referrals: false
        ...
  ldap_cert:
  - |-
    -----BEGIN CERTIFICATE-----
    ################################################################
    ################################################################
    #####################################################=
    -----END CERTIFICATE-----
  - |-
    -----BEGIN CERTIFICATE-----
    /* Insert your root certificate here */
    -----END CERTIFICATE-----
Note: After saving the file, the keystone pods will be terminated and recreated. Wait until this completes.
openstack user list --domain <ldap_keystone_domain>