I am using LDAP as the Keystone identity backend, but it does not work as I expected. I always get an authentication failure (HTTP 401) response.

I followed these docs to configure my keystone and ldap:

I referred to this doc to configure Keystone: https://docs.openstack.org/keystone/latest/admin/identity-integrate-with-ldap.html

I referred to this doc to configure LDAP: https://wiki.openstack.org/wiki/OpenLDAP

My OpenStack LDIF file is like this (it seems there is no admin user here; I added all of these to my LDAP):

dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles  

My OpenStack keystone.conf [ldap] section is:

url = ldap://localhost
user = cn=admin,dc=openstack,dc=org
password = password
suffix = dc=openstack,dc=org

My LDAP slapd.conf is:

 database        bdb
 suffix          "dc=openstack,dc=org"
 rootdn          "cn=admin,dc=openstack,dc=org"
 rootpw  password

When I type this command (the --os-password nomoresecret is the default devstack configuration password, which I used initially; devstack installs Keystone and uses MySQL as the backend for all Keystone services by default):

openstack --os-username admin --os-password nomoresecret --os-domain-name default --os-auth-url http://127.0.0.1:5000/ token issue

It returns:

The request you have made requires authentication. (HTTP 401) (Request-ID: req-bbd485e6-b689-4bf3-b8f8-7d55f994e79f)

When I type this command (the --os-password password is the LDAP rootpw password):

openstack --os-username admin --os-password password --os-domain-name default --os-auth-url http://127.0.0.1:5000/ token issue

It returns:

The request you have made requires authentication. (HTTP 401) (Request-ID: req-87bd8a1e-901e-4077-8461-095e3b7ee44e)

I cannot find a specific walk-through guide for bootstrapping Keystone with LDAP as the identity backend (the Keystone installation and configuration docs are mostly about using MySQL).

I referred to this: "Ldap connection with Openstack could not find user : admin", but it does not seem to have solved the problem yet.

Can anyone help me with the correct basic configuration of keystone.conf and the LDAP .ldif files, and with how to bootstrap Keystone with LDAP as the identity backend?

I want to configure Keystone with LDAP manually first (although my OpenStack is installed by devstack, and its version is from the master branch by default. In fact, I used devstack to install Keystone with LDAP once, and it failed with an authentication failure).

If anyone can help, thank you in advance.

cosz3