Comment 8 for bug 1643301

Lance Bragstad (lbragstad) wrote :

I was able to recreate this using devstack:

keystone sha: fe20e5a9a73a2bc075af0990f285c9102c96d1b6
devstack sha: 98ab7d9646730f02983380648831aa2682abcc0c
platform: ubuntu 16.04 container

$ cat local.conf
[[local|localrc]]
ADMIN_PASSWORD=password
DATABASE_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=$ADMIN_PASSWORD
LDAP_PASSWORD=password
KEYSTONE_CLEAR_LDAP=yes
KEYSTONE_IDENTITY_BACKEND=ldap
ENABLED_SERVICES=rabbit,tempest,mysql,etcd3,dstat,key,horizon,ldap
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2

This results in the following keystone.conf:

[identity]
password_hash_rounds = 4
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

This is the contents of my domain specific configuration:

$ cat /etc/keystone/domains/keystone.Users.conf

[identity]
driver = ldap

[ldap]
group_id_attribute = cn
group_name_attribute = cn
group_objectclass = groupOfNames
group_tree_dn = ou=Groups,dc=openstack,dc=org
password = password
suffix = dc=openstack,dc=org
url = ldap://localhost
user = cn=Manager,dc=openstack,dc=org
user_id_attribute = uid
user_mail_attribute = mail
user_name_attribute = cn
user_objectclass = inetOrgPerson
user_tree_dn = ou=Users,dc=openstack,dc=org
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False

When running stack.sh, you get the following error:

http://paste.openstack.org/show/618224/

2017-08-11 19:20:54.435 | CRITICAL keystone [None req-94d4890f-dbdd-4542-99b7-02af075de5d0 None None] Unhandled error: Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.435 | ERROR keystone Traceback (most recent call last):
2017-08-11 19:20:54.435 | ERROR keystone File "/usr/local/bin/keystone-manage", line 10, in <module>
2017-08-11 19:20:54.435 | ERROR keystone sys.exit(main())
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/manage.py", line 45, in main
2017-08-11 19:20:54.435 | ERROR keystone cli.main(argv=sys.argv, config_files=config_files)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 1339, in main
2017-08-11 19:20:54.435 | ERROR keystone CONF.command.cmd_class.main()
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 383, in main
2017-08-11 19:20:54.435 | ERROR keystone klass.do_bootstrap()
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 261, in do_bootstrap
2017-08-11 19:20:54.435 | ERROR keystone 'password': self.password
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/common/manager.py", line 110, in wrapped
2017-08-11 19:20:54.435 | ERROR keystone __ret_val = __f(*args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 414, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone return f(self, *args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 424, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone return f(self, *args, **kwargs)
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 953, in create_user
2017-08-11 19:20:54.436 | ERROR keystone ref = driver.create_user(user['id'], user)
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 160, in create_user
2017-08-11 19:20:54.436 | ERROR keystone self._disallow_write()
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 157, in _disallow_write
2017-08-11 19:20:54.436 | ERROR keystone raise exception.Forbidden(READ_ONLY_LDAP_ERROR_MESSAGE)
2017-08-11 19:20:54.436 | ERROR keystone Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.436 | ERROR keystone
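The traceback above ends in the LDAP identity driver's `_disallow_write()` guard, which refuses `create_user` because the domain config sets `user_allow_create = False`, while `keystone-manage bootstrap` needs to create the admin user through that same driver. The following is an added illustration, not code from the bug report or from the keystone project: it parses a domain-specific config (a constructed copy of the one quoted in the comment), reports which writes bootstrap needs that the config forbids, and mimics the driver's guard with a simplified `Forbidden` stand-in. The function names, the `Forbidden` class and the `BOOTSTRAP_WRITES` list are assumptions made for this example; the `*_allow_*` option names are keystone's real `[ldap]` options, which default to True.

```python
import configparser

# Constructed sample: the domain-specific LDAP config from the bug comment, trimmed to
# the keys this check reads. Only the write-permission flags matter here.
DOMAIN_CONF = """\
[identity]
driver = ldap

[ldap]
url = ldap://localhost
suffix = dc=openstack,dc=org
user_tree_dn = ou=Users,dc=openstack,dc=org
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
"""

# Keystone's [ldap] *_allow_* options default to True, so a config that omits them is writable.
DEFAULT_ALLOW = True

# Identity write operations and the [ldap] flag that gates each of them.
WRITE_FLAGS = {
    "create_user": "user_allow_create",
    "update_user": "user_allow_update",
    "delete_user": "user_allow_delete",
    "create_group": "group_allow_create",
    "update_group": "group_allow_update",
    "delete_group": "group_allow_delete",
}

# Assumption for this example: bootstrap's only identity-backend write is creating the
# admin user in the default domain (projects, roles and assignments live in SQL backends).
BOOTSTRAP_WRITES = ("create_user",)


class Forbidden(Exception):
    """Hypothetical stand-in for keystone.exception.Forbidden."""


def load_domain_config(text):
    """Parse a domain-specific keystone config from a string."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def write_allowed(conf, operation):
    """True if the configured identity driver will accept this write operation."""
    driver = conf.get("identity", "driver", fallback="sql")
    if driver != "ldap":
        return True  # the SQL identity backend has no read-only switch
    return conf.getboolean("ldap", WRITE_FLAGS[operation], fallback=DEFAULT_ALLOW)


def disallowed_bootstrap_writes(conf):
    """Return the bootstrap writes this config refuses; an empty list means bootstrap can proceed."""
    return [op for op in BOOTSTRAP_WRITES if not write_allowed(conf, op)]


def simulate_create_user(conf, user):
    """Mimic the LDAP driver's guard: refuse before touching the directory when writes are off."""
    if not write_allowed(conf, "create_user"):
        raise Forbidden("You are not authorized to perform the requested action.")
    # A real driver would bind and add the entry here; this simulation only echoes a reference.
    return {"name": user["name"], "domain_id": user.get("domain_id", "default")}


if __name__ == "__main__":
    conf = load_domain_config(DOMAIN_CONF)
    blocked = disallowed_bootstrap_writes(conf)
    print("bootstrap blocked by:", blocked or "nothing")
    try:
        simulate_create_user(conf, {"name": "admin"})
    except Forbidden as exc:
        print("Forbidden:", exc)
```

Run against the quoted config, `disallowed_bootstrap_writes` returns `['create_user']`, which is exactly the operation the traceback shows failing; flipping `user_allow_create` to True (or pointing the default domain at the SQL driver so the admin user is not created in the read-only directory) makes the preflight pass.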