
Overview

This guide covers platform-level Identity issues that require administrator access — token validation failures across services, LDAP and federation authentication problems, service catalog misconfigurations, and system-scope permission errors.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
For end-user authentication issues (wrong password, expired token, missing role), see the Identity User Troubleshooting guide.

Token Validation Failures

Token validation failures across services

Cause: Fernet keys are out of sync between Identity API nodes, or the token has expired.

Diagnose: Verify key synchronization across all nodes. All nodes must have identical key files in the fernet-keys directory:

# Check key file count and timestamps on all nodes
ls -la /var/lib/kolla/config_files/fernet-keys/

Compare timestamps across nodes. If keys are inconsistent, force a rotation:

# Force key rotation via xavs-ansible
xavs-ansible deploy --tags keystone-fernet-rotate

Resolution: After rotation, verify validation works:

# Issue a token, then validate it through the Identity API (GET /v3/auth/tokens)
TOKEN=$(openstack token issue -f value -c id)
curl -s -o /dev/null -w '%{http_code}\n' \
  -H "X-Auth-Token: $TOKEN" \
  -H "X-Subject-Token: $TOKEN" \
  https://api.<your-domain>:5000/v3/auth/tokens

An HTTP 200 means the token validates successfully; confirm that every Identity API node returns it.
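Timestamps from `ls -la` only show that files were written at the same time, not that their contents match. The following script is an added example (not part of the Xloud documentation or the XDeploy tooling) that compares the key material on each Identity API node by content digest instead. It assumes SSH access from the operator host to each node, the key directory path used in this guide, and `sha256sum` on every node; the node names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the Xloud documentation or XDeploy tooling.
# Compares the fernet key material on every Identity API node by content
# digest rather than by the `ls -la` timestamps shown above: two nodes with
# identical key sets yield identical digests, whatever their mtimes say.
# Assumptions: SSH access to each node from the operator host, the key
# directory path used in this guide, and sha256sum on every node.
set -eu

FERNET_DIR="${FERNET_DIR:-/var/lib/kolla/config_files/fernet-keys}"

# Digest recipe kept as a string so the same code runs locally and over SSH:
# "filename:sha256(content)" lines in glob order, hashed once more.
DIGEST_SCRIPT='cd "$1" || exit 1
for f in *; do
  [ -f "$f" ] && printf "%s:%s\n" "$f" "$(sha256sum < "$f" | cut -d" " -f1)"
done | sha256sum | cut -d" " -f1'

# Digest of a local key directory.
fernet_dir_digest() {
  sh -c "$DIGEST_SCRIPT" fernet-digest "$1"
}

# Print "node digest" for each node given as an argument (placeholder names).
collect_node_digests() {
  for node in "$@"; do
    printf '%s %s\n' "$node" \
      "$(ssh "$node" sh -c "'$DIGEST_SCRIPT'" fernet-digest "$FERNET_DIR")"
  done
}

# Read "node digest" lines on stdin. Prints OK and returns 0 when every node
# reports the same digest; otherwise lists the nodes on stderr, prints
# MISMATCH and returns 1 (the signal to run the keystone-fernet-rotate tag).
digests_agree() {
  awk '{ by_node[$1] = $2; if (!($2 in seen)) { seen[$2] = 1; distinct++ } }
       END {
         if (distinct <= 1) { print "OK"; exit 0 }
         for (n in by_node) printf "%s %s\n", n, by_node[n] > "/dev/stderr"
         print "MISMATCH"; exit 1
       }'
}

# Usage: ./fernet-check.sh ctl1 ctl2 ctl3
if [ "$#" -gt 0 ]; then
  collect_node_digests "$@" | digests_agree
fi
```

A MISMATCH lists each node with its digest, so the odd node out is visible immediately; after `xavs-ansible deploy --tags keystone-fernet-rotate` the script should print OK before you re-test token validation.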
Cause: The Identity API is unreachable, or all Identity API nodes are down.

Diagnose:

# Check Identity API container status
docker ps --filter name=keystone

# Test Identity API directly
curl -s https://api.<your-domain>:5000/v3 | python3 -m json.tool

Resolution: Restart the Identity service via XDeploy if containers are stopped:

# Restart Identity containers
xavs-ansible deploy --tags keystone

LDAP Authentication Issues

Cause: LDAP connection failure, incorrect bind credentials, or user not in the configured user_tree_dn.

Diagnose: Test the LDAP connection from the Identity API node:

# Test LDAP connectivity
ldapsearch -x -H ldap://ldap.example.com \
  -D "cn=xloud-svc,dc=example,dc=com" \
  -w "$LDAP_PASSWORD" \
  -b "ou=Users,dc=example,dc=com" \
  "(sAMAccountName=alice)"

Confirm the user exists in the expected OU and the bind account has read access. Check the Identity API logs:

# View Identity API logs for LDAP errors
docker logs keystone --tail 100 | grep -i ldap
Cause: The user_tree_dn does not match the OU where users are located, or the user_id_attribute is set incorrectly for your directory schema.

Resolution: Verify the LDAP configuration matches your directory schema:

# Check keystone LDAP configuration
docker exec keystone grep -A 30 "\[ldap\]" /etc/keystone/keystone.conf

Update the configuration via XDeploy globals and redeploy if attributes are incorrect.
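Reading thirty lines of `[ldap]` by eye is where the two causes above (a wrong search base, a wrong or unstable ID attribute) get missed. The script below is an added example, not part of the Xloud documentation: it parses the `[ldap]` section of a `keystone.conf` copied out of the container (for instance with `docker cp keystone:/etc/keystone/keystone.conf .`), checks that `user_tree_dn` equals the `-b` base you tested with `ldapsearch`, and lints the settings those causes depend on. It also flags a plaintext `ldap://` URL without `use_tls`, since the bind password in the diagnose step otherwise crosses the network unencrypted. The option names are keystone's own; the sample configuration is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the Xloud documentation. Lints the [ldap]
# section of a keystone.conf for the causes above (wrong user_tree_dn,
# wrong or unstable user_id_attribute) and for an unprotected bind.
# Keystone option names are real; the sample config is constructed.
set -eu

# Print the value of KEY from the [ldap] section of FILE (empty when unset).
# Comment lines (# or ;) and blank lines are skipped; values may contain '='.
ldap_conf_get() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_ldap = ($0 ~ /^[ \t]*\[ldap\][ \t]*$/); next }
    in_ldap && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Normalise a DN for comparison: lower-case, no whitespace around commas.
dn_normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when FILE's user_tree_dn equals BASE_DN (the -b passed to ldapsearch).
ldap_base_matches() {
  [ "$(dn_normalize "$(ldap_conf_get "$1" user_tree_dn)")" = "$(dn_normalize "$2")" ]
}

# Print one finding per line; the exit status is the number of findings.
ldap_conf_lint() {
  _conf="$1"; n=0
  url=$(ldap_conf_get "$_conf" url)
  use_tls=$(ldap_conf_get "$_conf" use_tls | tr 'A-Z' 'a-z')
  if [ -z "$url" ]; then
    echo "url is not set"; n=$((n + 1))
  elif [ "${url#ldaps://}" = "$url" ] && [ "$use_tls" != "true" ]; then
    echo "plaintext LDAP: url is $url and use_tls is not true"; n=$((n + 1))
  fi
  if [ -z "$(ldap_conf_get "$_conf" user_tree_dn)" ]; then
    echo "user_tree_dn is not set; keystone falls back to the [ldap] suffix value"; n=$((n + 1))
  fi
  id_attr=$(ldap_conf_get "$_conf" user_id_attribute)
  if [ -z "$id_attr" ] || [ "$id_attr" = "cn" ]; then
    echo "user_id_attribute is '${id_attr:-unset (default cn)}'; IDs derived from cn change when an entry is renamed, use a stable unique attribute"; n=$((n + 1))
  fi
  if [ -z "$(ldap_conf_get "$_conf" user_name_attribute)" ]; then
    echo "user_name_attribute is not set; logins match keystone's default (sn), not sAMAccountName"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample (not a real deployment) mirroring the ldapsearch above.
write_sample_conf() {
  cat > "$1" <<'EOF'
[DEFAULT]
debug = false

[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.com
user = cn=xloud-svc,dc=example,dc=com
password = REDACTED
; query_scope = sub
user_tree_dn = OU=Users, DC=example, DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
use_tls = false
EOF
}

# Usage against a real file:
#   ldap_conf_lint ./keystone.conf
#   ldap_base_matches ./keystone.conf "ou=Users,dc=example,dc=com" && echo "search base matches"
```

On the constructed sample the lint reports two findings (a plaintext `ldap://` URL with `use_tls = false`, and `user_id_attribute = cn`) while the base-DN check passes, which is exactly the split you want: connectivity and base are fine, the schema settings are what to change in the XDeploy globals before redeploying.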

Service Catalog Issues

Cause: An endpoint was registered with an incorrect URL or interface type.

Diagnose:

# List endpoints for a service
openstack endpoint list --service compute

Identify the incorrect endpoint by its ID and update the URL:

# Update endpoint URL
openstack endpoint set \
  --url https://correct-url:8774/v2.1 \
  <ENDPOINT_ID>
Cause: The default endpoint interface is public, but the CLI is resolving to internal because of an environment variable override.

Diagnose:

# Check current endpoint interface setting
echo $OS_ENDPOINT_TYPE
echo $OS_INTERFACE

Resolution: Unset the override or set it explicitly to public:

# Set interface to public
export OS_INTERFACE=public
openstack catalog list
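With more than a handful of services, spotting the one endpoint registered on the wrong host or left on plain `http://` in `openstack endpoint list` output is error-prone. The script below is an added example, not part of the Xloud documentation: it reads the CSV form of that listing (`openstack endpoint list -f csv`) and flags endpoints whose URL is not HTTPS, whose public or internal interface points at a host other than the one you expect, or which are disabled. The expected hostnames are parameters, and the CSV at the bottom is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the Xloud documentation. Lints the CSV output of
# `openstack endpoint list -f csv` for the catalog problems described above.
set -eu

# Usage: catalog_lint PUBLIC_HOST INTERNAL_HOST < endpoints.csv
# Prints "<endpoint id> <interface> <url> <problem>" per finding, one per line.
catalog_lint() {
  awk -F',' -v pub="$1" -v internal="$2" '
    NR == 1 { next }                                   # CSV header row
    NF >= 7 {
      for (i = 1; i <= NF; i++) gsub(/^"|"$/, "", $i)  # strip CSV quotes
      id = $1; enabled = $5; iface = $6; url = $7
      host = url
      sub(/^[a-z]+:\/\//, "", host)                    # drop the scheme
      sub(/[:\/].*$/, "", host)                        # drop port and path
      if (url !~ /^https:\/\//)
        printf "%s %s %s plaintext-url\n", id, iface, url
      if (iface == "public" && host != pub)
        printf "%s %s %s wrong-host expected=%s\n", id, iface, url, pub
      if (iface == "internal" && host != internal)
        printf "%s %s %s wrong-host expected=%s\n", id, iface, url, internal
      if (enabled != "True")
        printf "%s %s %s disabled\n", id, iface, url
    }'
}

# Constructed sample resembling `openstack endpoint list --service compute -f csv`.
sample_endpoints() {
  cat <<'EOF'
"ID","Region","Service Name","Service Type","Enabled","Interface","URL"
"0a1b2c","RegionOne","nova","compute","True","public","https://api.example.com:8774/v2.1"
"3d4e5f","RegionOne","nova","compute","True","internal","https://api-int.example.com:8774/v2.1"
"6a7b8c","RegionOne","nova","compute","True","admin","http://10.0.0.5:8774/v2.1"
"9d0e1f","RegionOne","nova","compute","False","public","https://old-api.example.com:8774/v2.1"
EOF
}

# Against a live deployment:
#   openstack endpoint list -f csv | catalog_lint api.<your-domain> api-int.<your-domain>
# Each flagged ID is then corrected with `openstack endpoint set --url ... <ENDPOINT_ID>`.
sample_endpoints | catalog_lint api.example.com api-int.example.com
```

On the sample this prints three findings: the admin endpoint on plain `http://`, and the stale public endpoint both on the wrong host and disabled. Because the check keys on the Interface column, running it with `OS_INTERFACE=public` set as above does not change the result; the lint sees the whole catalog, not the interface the CLI happens to resolve.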

Federation Issues

Cause: IdP attributes do not match the mapping rules, or the remote-id does not match the IdP’s entity ID.

Diagnose: Check the Identity API logs for mapping evaluation errors:

# View federation errors in Identity logs
docker logs keystone --tail 200 | grep -i "federation\|mapping\|saml"

Resolution: Verify the mapping rules match the attributes your IdP sends. Use the keystone-manage mapping engine to walk a sample assertion through the rules before uploading them:

# Test mapping rules against a sample assertion (copy both files into the keystone container first)
docker cp mapping-rules.json keystone:/tmp/mapping-rules.json
docker cp test-assertion.json keystone:/tmp/test-assertion.json
docker exec keystone keystone-manage mapping_engine \
  --rules /tmp/mapping-rules.json \
  --input /tmp/test-assertion.json

Permission and Scope Errors

Cause: The user has the admin role in the project but not at the system or domain scope required for administrative operations.

Resolution: Grant system-scope admin access:

# Grant system admin role
openstack role add \
  --user alice \
  --system all \
  admin

System-scope admin grants full control over all domains and projects. Reserve this assignment for platform administrators only.

Next Steps

Token Configuration

Configure Fernet key rotation to prevent token validation failures.

Authentication Backends

Review LDAP and federation backend configuration options.

Service Catalog

Manage and correct endpoint registrations in the service catalog.

Security Hardening

Apply security best practices to prevent future authentication issues.