diff --git a/attributes/default.rb b/attributes/default.rb
index 4842dbe..b358352 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -38,9 +38,12 @@ default['openstack']['identity']['debug'] = 'False'
 default['openstack']['identity']['service_port'] = '5000'
 default['openstack']['identity']['admin_port'] = '35357'
 default['openstack']['identity']['region'] = 'RegionOne'
-default['openstack']['identity']['bind_interface'] = 'lo'
 default['openstack']['identity']['token']['expiration'] = '86400'
 
+# If set, the keystone service will bind to the address on this interface,
+# otherwise it will bind to the API endpoint's host.
+default['openstack']['identity']['bind_interface'] = nil
+
 # Logging stuff
 default['openstack']['identity']['syslog']['use'] = false
 default['openstack']['identity']['syslog']['facility'] = 'LOG_LOCAL2'
diff --git a/recipes/server.rb b/recipes/server.rb
index 1f3f8bc..f200cff 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -111,7 +111,11 @@ sql_connection = db_uri('identity', db_user, db_pass)
 
 bootstrap_token = secret 'secrets', 'openstack_identity_bootstrap_token'
 
-ip_address = address_for node['openstack']['identity']['bind_interface']
+if node['openstack']['identity']['bind_interface'].nil?
+  bind_address = identity_endpoint.host
+else
+  bind_address = address_for node['openstack']['identity']['bind_interface']
+end
 
 # If the search role is set, we search for memcache
 # servers via a Chef search. If not, we look at the
@@ -143,7 +147,7 @@ template '/etc/keystone/keystone.conf' do
   mode   00644
   variables(
     sql_connection: sql_connection,
-    ip_address: ip_address,
+    bind_address: bind_address,
     bootstrap_token: bootstrap_token,
     memcache_servers: memcache_servers,
     uris: uris,
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index fe397f7..c03f66b 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@@ -179,9 +179,25 @@ describe 'openstack-identity::server' do
           expect(chef_run).to render_file(path).with_content(r)
         end
 
-        it 'has bind host' do
-          r = line_regexp('bind_host = 127.0.1.1')
-          expect(chef_run).to render_file(path).with_content(r)
+        describe 'bind_interface is nil' do
+          it 'has bind host from endpoint' do
+            r = line_regexp('bind_host = 127.0.1.1')
+            expect(chef_run).to render_file(path).with_content(r)
+          end
+        end
+
+        describe 'bind_interface is eth0' do
+          before do
+            node.set['openstack']['identity']['bind_interface'] = 'eth0'
+            ::Chef::Recipe.any_instance.stub(:address_for)
+              .with('eth0')
+              .and_return('10.0.0.2')
+          end
+
+          it 'has bind host from interface ip' do
+            r = line_regexp('bind_host = 10.0.0.2')
+            expect(chef_run).to render_file(path).with_content(r)
+          end
         end
 
         describe 'port numbers' do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 1093ecb..8066b06 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -35,9 +35,6 @@ end
 
 shared_context 'identity_stubs' do
   before do
-    ::Chef::Recipe.any_instance.stub(:address_for)
-      .with('lo')
-      .and_return('127.0.1.1')
     ::Chef::Recipe.any_instance.stub(:memcached_servers).and_return []
     ::Chef::Recipe.any_instance.stub(:get_password)
       .with('db', anything)
diff --git a/templates/default/keystone.conf.erb b/templates/default/keystone.conf.erb
index 1ea377a..2e03816 100644
--- a/templates/default/keystone.conf.erb
+++ b/templates/default/keystone.conf.erb
@@ -4,7 +4,7 @@
 public_port = <%= node["openstack"]["identity"]["service_port"] %>
 admin_port = <%= node["openstack"]["identity"]["admin_port"] %>
 admin_token = <%= @bootstrap_token %>
-bind_host = <%= @ip_address %>
+bind_host = <%= @bind_address %>
 compute_port = 8774
 verbose = <%= node["openstack"]["identity"]["verbose"] %>
 debug = <%= node["openstack"]["identity"]["debug"] %>