I was able to recreate this using devstack:

keystone sha: fe20e5a9a73a2bc075af0990f285c9102c96d1b6
devstack sha: 98ab7d9646730f02983380648831aa2682abcc0c
platform: ubuntu 16.04 container

$ cat local.conf
[[local|localrc]]
ADMIN_PASSWORD=password
DATABASE_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=$ADMIN_PASSWORD
LDAP_PASSWORD=password
KEYSTONE_CLEAR_LDAP=yes
KEYSTONE_IDENTITY_BACKEND=ldap
ENABLED_SERVICES=rabbit,tempest,mysql,etcd3,dstat,key,horizon,ldap
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2

This results in the following keystone.conf:

[identity]
password_hash_rounds = 4
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

This is the contents of my domain specific configuration:

$ cat /etc/keystone/domains/keystone.Users.conf
[identity]
driver = ldap

[ldap]
group_id_attribute = cn
group_name_attribute = cn
group_objectclass = groupOfNames
group_tree_dn = ou=Groups,dc=openstack,dc=org
password = password
suffix = dc=openstack,dc=org
url = ldap://localhost
user = cn=Manager,dc=openstack,dc=org
user_id_attribute = uid
user_mail_attribute = mail
user_name_attribute = cn
user_objectclass = inetOrgPerson
user_tree_dn = ou=Users,dc=openstack,dc=org
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False

When running stack.sh, you get the following error:

http://paste.openstack.org/show/618224/

2017-08-11 19:20:54.435 | CRITICAL keystone [None req-94d4890f-dbdd-4542-99b7-02af075de5d0 None None] Unhandled error: Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.435 | ERROR keystone Traceback (most recent call last):
2017-08-11 19:20:54.435 | ERROR keystone File "/usr/local/bin/keystone-manage", line 10, in
2017-08-11 19:20:54.435 | ERROR keystone sys.exit(main())
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/manage.py", line 45, in main
2017-08-11 19:20:54.435 | ERROR keystone cli.main(argv=sys.argv, config_files=config_files)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 1339, in main
2017-08-11 19:20:54.435 | ERROR keystone CONF.command.cmd_class.main()
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 383, in main
2017-08-11 19:20:54.435 | ERROR keystone klass.do_bootstrap()
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/cmd/cli.py", line 261, in do_bootstrap
2017-08-11 19:20:54.435 | ERROR keystone 'password': self.password
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/common/manager.py", line 110, in wrapped
2017-08-11 19:20:54.435 | ERROR keystone __ret_val = __f(*args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 414, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone return f(self, *args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 424, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone return f(self, *args, **kwargs)
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/core.py", line 953, in create_user
2017-08-11 19:20:54.436 | ERROR keystone ref = driver.create_user(user['id'], user)
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 160, in create_user
2017-08-11 19:20:54.436 | ERROR keystone self._disallow_write()
2017-08-11 19:20:54.436 | ERROR keystone File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 157, in _disallow_write
2017-08-11 19:20:54.436 | ERROR keystone raise exception.Forbidden(READ_ONLY_LDAP_ERROR_MESSAGE)
2017-08-11 19:20:54.436 | ERROR keystone Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.436 | ERROR keystone