Today, I noticed that my keystone service is not running in a default packstack installation.
[root@allinone ~(keystone_admin)]# openstack-status service | grep -i keystone
== Keystone service ==
openstack-keystone: inactive (disabled on boot)
I started searching about it, and found that keystone has moved to Apache HTTPD.
The most important reason I found is that with simple keystone, if you are integrating it with LDAP, you are still sending unencrypted passwords over the wire.
But if you are running keystone inside Apache HTTPD, you can take advantage of all of Apache's authentication options while integrating it with LDAP.
Below is the configuration setting in the answer.txt file that decides whether to run keystone under Apache or not. By default it is apache; you can change it to keystone if you want to do that.
# Name of service to use to run the Identity service (keystone,
When it runs under Apache, all the authentication happens at the Apache level and keystone is only responsible for authorization, which is the real task keystone is designed for.
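A sketch of Apache-level LDAP authentication in front of keystone, added here as an illustration; it is not from the original post and is not the configuration packstack generates. The hostnames, DNs, certificate paths and WSGI script path are placeholders.

```apache
# Added example: every host, DN and path below is a placeholder (assumption).
# Global scope: trust only the LDAP server's CA and verify its certificate,
# so the ldaps:// connection cannot be silently intercepted.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.example.pem
LDAPVerifyServerCert On

Listen 5000
<VirtualHost *:5000>
    # TLS between client and Apache, so Basic credentials are encrypted in transit.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keystone.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/keystone.example.key

    # Keystone served as a WSGI application (script path is a placeholder).
    WSGIScriptAlias / /path/to/keystone/wsgi/main

    # Apache, not keystone, checks the password against LDAP over ldaps://.
    <Location "/v3/auth/tokens">
        AuthType Basic
        AuthName "Identity"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "cn=apache-bind,ou=Services,dc=example,dc=com"
        # Read the bind password from a helper instead of storing it inline.
        AuthLDAPBindPassword "exec:/path/to/read-bind-password"
        Require valid-user
    </Location>
</VirtualHost>
```

After a successful check Apache sets REMOTE_USER, which keystone's external authentication method consumes; that requires `external` to be listed under `[auth] methods` in keystone.conf.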