Hello,
With all previous versions, authenticating users from an Active Directory domain using an LDAP connector worked without any problem in my labs, with or without TLS.

With TLS the file used is the following: 
/etc/kolla/config/keystone/domains/keystone.DOM1.conf

[identity]
driver = ldap
[ldap]
url = ldap://172.16.60.41
user = CN=ldapconnect,OU=openstack,DC=dom1,DC=loc
password = XXXXXXXXXX
suffix = DC=dom1,DC=loc
user_tree_dn = OU=openstack,DC=dom1,DC=loc
user_objectclass = person
user_filter = (|(memberOf=CN=openstack-users,OU=openstack,DC=dom1,DC=loc)(memberOf=CN=openstack-admins,OU=openstack,DC=dom1,DC=loc))
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_objectclass = group
group_tree_dn = OU=openstack,DC=dom1,DC=loc
group_filter = (|(CN=openstack-users)(CN=openstack-admins))
group_id_attribute = cn
group_name_attribute = name
query_scope = sub
chase_referrals = false
use_tls = True
tls_certificate = /etc/kolla/certificates/adserv.crt
tls_req_cert = never


I want to see if it works with Dalmatian (to update my lab, which I can't do with the Bobcat and Caracal versions because bugs block me).

Without TLS (use_tls = False), no problem, it works: my AD users can use Horizon and have access to their projects.

If I put
"use_tls = True"
and
tls_certificate = /etc/kolla/certificates/adserv.crt
....

It doesn't work with Dalmatian: certificate problem. Indeed, the certificate is not copied into the keystone container, so it can't use it.
In the keystone logs (/var/kolla/keystone/keystone.log) there is an error message:

2025-01-15 08:36:04.477 1084 ERROR keystone.server.flask.request_processing.middleware.auth_context OSError: tls_cacertfile /etc/kolla/certificates/adserv.crt not found or is not a file

However, my adserv.crt file has not changed, is valid, and is in /etc/kolla/certificates directory.
What could have changed with the Dalmatian version? I tried to change parameters, but I can't find the solution. How should I proceed to make it work with TLS?
I specify again that it works without TLS, so the problem is really how to use this certificate correctly: putting it in the right place with the right parameter, tls_certificate or a new one?

My lab uses Ubuntu 2204.

Thanks a lot for your help


Franck VEDEL
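
Added example, not part of the original message and not Keystone or Kolla code: a small checker for the TLS settings of a Keystone domain file like the one above. It assumes the `[ldap]` TLS option names are `use_tls`, `tls_cacertfile`, `tls_cacertdir` and `tls_req_cert` (the log line above names `tls_cacertfile`); `check_ldap_tls` and `SAMPLE` are hypothetical names, and the sample text is constructed from the post.

```python
import configparser
import os

# Assumption: the TLS-related option names Keystone reads from [ldap].
KNOWN_TLS_KEYS = {"use_tls", "tls_cacertfile", "tls_cacertdir", "tls_req_cert"}

# Constructed sample mirroring the TLS-related lines of the domain file in the post.
SAMPLE = """\
[identity]
driver = ldap
[ldap]
url = ldap://172.16.60.41
use_tls = True
tls_certificate = /etc/kolla/certificates/adserv.crt
tls_req_cert = never
"""


def check_ldap_tls(conf_text, exists=os.path.isfile):
    """Return a list of findings about the [ldap] TLS settings in conf_text.

    `exists` tests the CA path; it must see the same filesystem as the
    keystone process (inside the container), not the deployment host.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("ldap"):
        return ["no [ldap] section"]
    ldap = cp["ldap"]
    findings = []
    # Option names outside the assumed set are reported for a check against the docs.
    for key in ldap:
        if key.startswith("tls_") and key not in KNOWN_TLS_KEYS:
            findings.append(f"unrecognised option: {key}")
    # Either StartTLS (use_tls) or an ldaps:// URL protects the bind password.
    encrypted = (ldap.getboolean("use_tls", fallback=False)
                 or ldap.get("url", "").lower().startswith("ldaps://"))
    if not encrypted:
        findings.append("cleartext: no StartTLS and url is not ldaps://")
    # 'never' and 'allow' let the session continue with an unverified server.
    if ldap.get("tls_req_cert", "").lower() in ("never", "allow"):
        findings.append("tls_req_cert does not enforce certificate verification")
    cafile = ldap.get("tls_cacertfile")
    if cafile and not exists(cafile):
        findings.append(f"tls_cacertfile not a file here: {cafile}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_ldap_tls(SAMPLE)) or "no findings")
```
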