Bug 1205781
| Summary: | support the ldap user_enabled_invert parameter | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Rich Megginson <rmeggins> |
| Component: | openstack-packstack | Assignee: | Ivan Chavero <ichavero> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Tzach Shefi <tshefi> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.0 (Juno) | CC: | aortega, derekh, ichavero, mburns, mmagr, nbarcet, nkinder, nlevinki, srevivo, tshefi |
| Target Milestone: | --- | Keywords: | FutureFeature, Triaged, ZStream |
| Target Release: | 7.0 (Kilo) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-packstack-2015.1-0.11.dev1589.g1d6372f.el7ost | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1205772 | Environment: | |
| Last Closed: | 2016-11-07 22:59:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1205757, 1205768, 1205772 | ||
| Bug Blocks: | 1172310 | ||
Description
Rich Megginson
2015-03-25 15:25:40 UTC
I would like to get this in ASAP - OSP 6 A3

This bug is resolved by the current packages available from the Red Hat Enterprise Linux OpenStack Platform 7 repository. According to our records, this should be resolved by openstack-packstack-2015.1-0.16.dev1589.g1d6372f.el7ost. This build is available now.

https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L1042

In 389 DS (IPA, IdM, etc.) user accounts are enabled by default, and you set the nsAccountLock attribute to the value of "true" to disable the account. In order to make Keystone work with this, you set the Keystone configuration

    user_enabled_invert = true
    user_enabled_attribute = nsAccountLock

This tells Keystone that the user account is disabled if the user entry has the attribute nsAccountLock with a value of "true".

Very odd, on answer file I had set

    CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y

Following a packstack run, this setting on answer file returns to n. It happened three times on two separate servers.

Also it's not getting set on keystone.conf file

    # "CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK" is in use (n, y).
    CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=n

Am I missing something here?

(In reply to Tzach Shefi from comment #8)
> Very odd, on answer file I had set
> CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y
>
> Following a packstack run, this setting on answer file returns to n.
> It happened three times on two separate servers.

What exactly did you do? Please provide your exact steps.

>
> Also it's not getting set on keystone.conf file
> # "CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK" is in use (n, y).
> CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=n
>
> Am I missing something here?

Tzach, can you provide steps?

Sorry, slipped my radar, ran this again just now.

RHEL 7.2
openstack-packstack-puppet-2015.1-0.16.dev1589.g1d6372f.el7ost.noarch
openstack-packstack-2015.1-0.16.dev1589.g1d6372f.el7ost.noarch

On answer file I'd set:

    CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y

Post deployment on keystone.conf

    #user_enabled_invert = false

I'm guessing this should be true, right?

Post deployment on answer file value changed from "y" to "n". Why does this even happen, shouldn't answer file value remain static as "y"?

I usually handle storage/vmware stuff, not keystone bugs. If something is wrong or should be tested otherwise, please provide steps to verify this.

I'm testing with this param enabled to reproduce, can you show me how you are running packstack?

Have you set CONFIG_KEYSTONE_IDENTITY_BACKEND? If you don't set this to 'y' then CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT will be set to 'n' since CONFIG_KEYSTONE_IDENTITY_BACKEND is a precondition to it.
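A post-deployment check for the mismatch reported in this thread, as an added example (not packstack or Keystone code): it compares the answer file with the `[ldap]` section of keystone.conf and lists what disagrees. The function names, the sample file contents (including the `user_enabled_attribute` line and the `ldap` backend value) are assumptions constructed for illustration.

```python
import configparser

# Constructed samples: the state reported in the thread, then a consistent one.
ANSWERS_REPORTED = "[general]\nCONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y\n"
CONF_REPORTED = ("[ldap]\nuser_enabled_attribute = nsAccountLock\n"
                 "#user_enabled_invert = false\n")
ANSWERS_OK = ("[general]\nCONFIG_KEYSTONE_IDENTITY_BACKEND=ldap\n"
              "CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y\n")
CONF_OK = ("[ldap]\nuser_enabled_attribute = nsAccountLock\n"
           "user_enabled_invert = true\n")


def parse_answers(text):
    """Parse KEY=value lines, skipping comments and section headers."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def audit(answers_text, keystone_conf_text):
    """Return findings about user_enabled_invert; an empty list means consistent."""
    answers = parse_answers(answers_text)
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(keystone_conf_text)
    # A commented-out option is not active, so the fallback applies.
    attr = conf.get("ldap", "user_enabled_attribute", fallback=None)
    invert = conf.getboolean("ldap", "user_enabled_invert", fallback=False)
    requested = answers.get("CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT", "n") == "y"
    findings = []
    if requested and not invert:
        findings.append("invert requested in answer file but not active in keystone.conf")
    # Precondition named in the last comment of the thread.
    if requested and "CONFIG_KEYSTONE_IDENTITY_BACKEND" not in answers:
        findings.append("CONFIG_KEYSTONE_IDENTITY_BACKEND is not set in answer file")
    if attr and attr.lower() == "nsaccountlock" and not invert:
        findings.append("nsAccountLock is read as an enabled flag, so locked accounts look enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(ANSWERS_REPORTED, CONF_REPORTED):
        print("FINDING:", finding)
```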