Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1519057

Summary: OSP11->OSP12 Keystone LDAP Domain Template No Longer Works
Product: Red Hat OpenStack Reporter: Will Kline <will>
Component: openstack-tripleo-heat-templatesAssignee: Harry Rybacki <hrybacki>
Status: CLOSED ERRATA QA Contact: Prasanth Anbalagan <panbalag>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 12.0 (Pike)CC: alee, aschultz, ccollett, hrybacki, jdennis, kholden, lbopf, mburns, mlopes, nkinder, rhel-osp-director-maint, tvignaud, will
Target Milestone: z1Keywords: Triaged, ZStream
Target Release: 12.0 (Pike)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-7.0.3-19.el7ost Doc Type: Known Issue
Doc Text:
There is currently a known issue with LDAP integration for Red Hat OpenStack Platform. At present, the `keystone_domain_confg` tag is missing from `keystone.yaml`, preventing Puppet from properly applying the required configuration files. Consequently, LDAP integration with Red Hat OpenStack Platform will not be properly configured. As a workaround, you will need to manually edit `keystone.yaml` and add the missing tag. There are two ways to do this: 1. Edit the file directly: a. Log into the undercloud as the stack user. b. Open the keystone.yaml in the editor of your choice. For example: `sudo vi /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml` c. Append the missing puppet tag, `keystone_domain_confg`, to line 94. For example: `puppet_tags: keystone_config` Changes to: `puppet_tags: keystone_config,keystone_domain_confg` d. Save and close `keystone.yaml`. e. Verify you see the missing tag in the `keystone.yaml` file. The following command should return '1': `cat /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml | grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l` 2. Or, use sed to edit the file inline: a. Login to the undercloud as the stack user. b. Run the following command to add the missing puppet tag: `sed -i 's/puppet_tags\: keystone_config/puppet_tags\: keystone_config,keystone_domain_config/' /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml` c. Verify you see the missing tag in the keystone.yaml file The following command should return '1': `cat /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml | grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-30 21:24:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Will Kline 2017-11-30 01:45:21 UTC 
Description of problem:
The Keystone LDAP domain template that was working for our deployment in OSP11 no longer works in our OSP12 test deployments.  It does not appear to generate any of the config files necessary (/etc/keystone/domains/keystone.my.domain.conf) on the host or on inside the keystone container.  Inside the keystone container, I ran "grep -r 'uid=keystone.user,cn=users,cn=compat' /", and got no results.

I have based my template off of https://github.com/openstack/tripleo-heat-templates/blob/master/environments/services/keystone_domain_specific_ldap_backend.yaml and this works fine on OSP11.

Version-Release number of selected component (if applicable):
Installed Packages
Name        : openstack-tripleo-heat-templates
Arch        : noarch
Version     : 7.0.3
Release     : 0.20171024200823.el7ost


How reproducible:
Deploy a basic OpenStack using 12-beta, and include the keystone_domain_specific_ldap_backend.yaml that has been customized for your ldap domain. 


Actual results:

After sourcing the overcloudrc.v3, the following commands work:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists no users


Expected results:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists all of the users matching my ldap user_tree
Comment 4 Alex Schultz 2017-12-12 17:59:15 UTC 
We appear to be missing the keystone_domain_config tag from the docker configuration so that the domain config is never written out during the deployment.

https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L94


The later step3 where we do run it is for resource configurations and not part of the configuration generation

https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L195
Comment 5 Harry Rybacki 2017-12-13 16:09:33 UTC 
Moving to POST as upstream review[1] has merged.

[1] - https://review.openstack.org/#/c/527485/
Comment 6 Nathan Kinder 2017-12-13 19:07:19 UTC 
A stable/pike backport has been proposed here:

  https://review.openstack.org/#/c/527758/
Comment 7 Alex Schultz 2017-12-14 15:59:55 UTC 
Upstream stable backport has merged
Comment 10 Prasanth Anbalagan 2018-01-23 17:45:33 UTC 
As expected, the config files are generated under /etc/keystone/domains.

(undercloud) [stack@undercloud-0 ~]$ rpm -qi openstack-tripleo-heat-templates.noarch
Name        : openstack-tripleo-heat-templates
Version     : 7.0.3
Release     : 21.el7ost
Architecture: noarch
Install Date: Tue 23 Jan 2018 09:33:23 AM EST

[heat-admin@controller-0 ~]$ sudo ls -l /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains
total 4
-rw-r--r--. 1 root root 942 Jan 23 17:14 keystone.freeipadomain.conf
[heat-admin@controller-0 ~]$
Comment 15 errata-xmlrpc 2018-01-30 21:24:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0253