diff --git a/.gitignore b/.gitignore
index 6079b40f..ffd1d8f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,7 @@ releasenotes/build
 # Test temp files
 tests/plugins
+tests/playbooks
 tests/common
 tests/*.retry
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
index b38271e6..91e7ffa5 100644
--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
@@ -30,9 +30,9 @@
 template:
 src: keystone.domain.conf.j2
 dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
- owner: "{{ keystone_system_user_name }}"
+ owner: "root"
 group: "{{ keystone_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 with_dict: "{{ keystone_ldap }}"
 notify:
 - Restart Keystone APIs on first node
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index 7e4b722b..e9349bca 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -17,9 +17,9 @@
 config_template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
- owner: "{{ keystone_system_user_name }}"
+ owner: "root"
 group: "{{ keystone_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ item.config_overrides }}"
 config_type: "{{ item.config_type }}"
 with_items:
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index fbc668bf..8a8a85c4 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@@ -58,7 +58,7 @@
 with_items:
 - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
 - { path: "/etc/keystone", mode: "0750" }
- - { path: "{{ keystone_ldap_domain_config_dir }}" }
+ - { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }
 - { path: "/etc/keystone/ssl" }
 - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
 - { path: "{{ keystone_system_user_home }}" }
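Review bot: In tasks/keystone_ldap_setup.yml the task loops with `with_dict: "{{ keystone_ldap }}"`, so each loop item is echoed in the play output, and tightening the rendered file to `0640` does not cover that path. If the per-domain dictionaries carry LDAP bind credentials (not visible here, so this is an assumption), the same values still reach console and log output. Adding `no_log: true` to the task, or at least a `loop_control` with `label: "{{ item.key }}"`, would close that. The task's `name:` line and any existing `no_log` sit above the hunk, so check there first.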
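Review bot: In tasks/keystone_post_install.yml `owner: "root"` and `mode: "0640"` are fixed for every entry of `with_items`, while `src`, `dest`, `config_overrides` and `config_type` are taken per item. The item list lies below the hunk, so confirm that every `dest` in it is read only by root or by members of `keystone_system_group_name`; a file consumed by a process outside that group would become unreadable after this change. If one entry ever needs a different mode, `mode: "{{ item.mode | default('0640') }}"` keeps the restrictive default instead of loosening the whole task.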
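Review bot: The `keystone_ldap_domain_config_dir` entry in tasks/keystone_pre_install.yml gets `mode: "0750"` but no `owner`, unlike the `/openstack` entry, which sets `owner: "root"`. If the task's default owner (defined above the hunk) is the keystone service user, that user keeps write permission on the directory and can rename or replace the root-owned `0640` files that tasks/keystone_ldap_setup.yml now places there, which undoes the point of making them root-owned. Consider `- { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750", owner: "root" }`, leaving the group as the keystone group so the service can still traverse the directory. The same question applies to the `/etc/keystone` entry.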