Is this urgent?
No
How are you running netbox-ssot?
Docker
Which version of netbox are you using
v4.2
Which version of netbox-ssot are you running
latest
Which module has the issue?
Other
Share your configuration
netbox:
hostname: "netbox"
port: 8080
apiToken: "secret" # Musst du nach dem ersten Start im NetBox GUI erstellen
httpScheme: "http"
timeout: 30
# sourcePriority: ["openstack"] # Not required, but recommended
# Deine OpenStack-Quelle
source:
- name: "openstack-default-infra"
type: "openstack"
hostname: "https://openstack:5000/v3"
username: "sync"
password: "secret"
projectName: "infra" # oder dein spezifisches Projekt
domainName: "Default"
clusterName: "OS-infra"
clusterType: "OpenStack"
validate_cert: false
ignoreVMDisks: true
- name: "openstack-ldap-project-1"
type: "openstack"
hostname: "https://openstack:5000/v3"
username: "sync"
password: "secret"
projectName: "project-1"
domainName: "Default"
clusterName: "OS-project-1"
clusterType: "OpenStack"
validateCert: false
What is the problem?
When configuring the OpenStack source plugin, the application currently assumes or requires that the user and the target project reside within the exact same OpenStack Domain (Keystone v3).
In enterprise environments, it is a standard security practice to separate identity management from resource management. For example, the sync user might live in a central corporate identity domain (e.g., Default or User_Domain), while the target project resides within a dedicated resource domain (e.g., Project_Domain). Because netbox-ssot doesn't differentiate between user and project domains in its OpenStack client configuration, scoping/authentication fails.
Steps to reproduce
- Set up an OpenStack environment where the API user belongs to Domain-A.
- Create a target project that belongs to Domain-B.
- Grant the API user a role (e.g., reader) on the project in Domain-B.
- Configure the OpenStack source in netbox-ssot using these credentials.
- Run the synchronization and observe the scoping/auth error
What did you expect to happen?
user_domain_name (or user_domain_id)
project_domain_name (or project_domain_id)
What actually happened?
The plugin fails to authenticate or cannot find the project because it looks for the project inside the user's domain (or vice versa), resulting in a 401 Unauthorized or Project not found error.
Share DEBUG-level logs (remove sensitive information)
2026/07/02 12:57:47 main.go:109 INFO (openstack-ldap-project-a): Initializing source
2026/07/02 12:57:47 openstack.go:110 DEBUG (openstack-ldap-project-a): OpenStack AuthOptions: Endpoint=https://openstack:5000/v3, Username=sync, Project=project-1, Domain=Default
2026/07/02 12:57:47 main.go:112 ERROR (openstack-ldap-project-a): error authenticating with OpenStack (check credentials/scope): Expected HTTP response code [201 202] when accessing [POST https://openstack:5000/v3/auth/tokens], but got 401 instead: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
2026/07/02 12:57:53 main.go:163 INFO (main): ⚠ syncing of source openstack-ldap-project-a failed with: error authenticating with OpenStack (check credentials/scope): Expected HTTP response code [201 202] when accessing [POST https://openstack:5000/v3/auth/tokens], but got 401 instead: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
Share your environment details
Specify your OS, architecture, or Python deployment details if relevant (e.g., Ubuntu 24.04 LTS, Docker Compose v2).
Note
Configuration snippets and log outputs provided below have been anonymized for security reasons.
Is this urgent?
No
How are you running netbox-ssot?
Docker
Which version of netbox are you using
v4.2
Which version of netbox-ssot are you running
latest
Which module has the issue?
Other
Share your configuration
What is the problem?
When configuring the OpenStack source plugin, the application currently assumes or requires that the user and the target project reside within the exact same OpenStack Domain (Keystone v3).
In enterprise environments, it is a standard security practice to separate identity management from resource management. For example, the sync user might live in a central corporate identity domain (e.g., Default or User_Domain), while the target project resides within a dedicated resource domain (e.g., Project_Domain). Because netbox-ssot doesn't differentiate between user and project domains in its OpenStack client configuration, scoping/authentication fails.
Steps to reproduce
What did you expect to happen?
user_domain_name (or user_domain_id)
project_domain_name (or project_domain_id)
What actually happened?
The plugin fails to authenticate or cannot find the project because it looks for the project inside the user's domain (or vice versa), resulting in a 401 Unauthorized or Project not found error.
Share DEBUG-level logs (remove sensitive information)
Share your environment details
Specify your OS, architecture, or Python deployment details if relevant (e.g., Ubuntu 24.04 LTS, Docker Compose v2).
Note
Configuration snippets and log outputs provided below have been anonymized for security reasons.