+++ This bug was initially created as a clone of Bug #1205772 +++

+++ This bug was initially created as a clone of Bug #1205757 +++

Description of problem:
keystone::ldap has a user_enabled_invert parameter - this is needed to support using keystone with 389/ipa/rhds/idm

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

--- Additional comment from Rich Megginson on 2015-03-25 11:08:00 EDT ---

I don't know if upstream is going to want to have this backported to juno since kilo is coming soon - if they do not, we will have to carry this patch ourselves . . .
I would like to get this in ASAP - OSP 6 A3
This bug is resolved by the current packages available from the Red Hat Enterprise Linux OpenStack Platform 7 repository.
According to our records, this should be resolved by openstack-packstack-2015.1-0.16.dev1589.g1d6372f.el7ost. This build is available now.
https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L1042

In 389 DS (IPA, IdM, etc.) user accounts are enabled by default, and you set the nsAccountLock attribute to the value of "true" to disable the account. In order to make Keystone work with this, you set the Keystone configuration

    user_enabled_invert = true
    user_enabled_attribute = nsAccountLock

This tells Keystone that the user account is disabled if the user entry has the attribute nsAccountLock with a value of "true".
Very odd, on answer file I had set
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y

Following a packstack run, this setting on answer file returns to n.
It happened three times on two separate servers.

Also it's not getting set on keystone.conf file
# "CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK" is in use (n, y).
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=n

Am I missing something here?
(In reply to Tzach Shefi from comment #8)
> Very odd, on answer file I had set
> CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y
>
> Following a packstack run, this setting on answer file returns to n.
> It happened three times on two separate servers.

What exactly did you do? Please provide your exact steps.

>
> Also it's not getting set on keystone.conf file
> # "CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK" is in use (n, y).
> CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=n
>
> Am I missing something here?
Tzach, can you provide steps?
Sorry, this slipped my radar; I ran this again just now.

RHEL 7.2
openstack-packstack-puppet-2015.1-0.16.dev1589.g1d6372f.el7ost.noarch
openstack-packstack-2015.1-0.16.dev1589.g1d6372f.el7ost.noarch

On answer file I'd set:
CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT=y

Post deployment on keystone.conf
#user_enabled_invert = false
I'm guessing this should be true, right?

Post deployment on answer file value changed from "y" to "n".
Why does this even happen? Shouldn't the answer file value remain static as "y"?

I usually handle storage/vmware stuff, not keystone bugs.
If something is wrong or should be tested otherwise, please provide steps to verify this.
I'm testing with this param enabled to reproduce. Can you show me how you are running packstack?
Have you set CONFIG_KEYSTONE_IDENTITY_BACKEND? If you don't set this to 'y' then CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT will be set to 'n', since CONFIG_KEYSTONE_IDENTITY_BACKEND is a precondition to it.
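
As an added example (not part of the original bug thread, and not Keystone or packstack code), the following Python check reads the [ldap] section of a keystone.conf and reports where the nsAccountLock setup described above would be misread when user_enabled_invert is left commented out, as reported after the packstack run. The sample configuration text, the directory entries and the helper names are constructed assumptions, and account_enabled is a simplified model of the semantics described in the thread.

```python
import configparser

# Constructed keystone.conf samples. Only the commented-out invert line is
# taken from the thread; the rest is assumed for illustration.
REPORTED_CONF = """[ldap]
user_enabled_attribute = nsAccountLock
#user_enabled_invert = false
"""
EXPECTED_CONF = """[ldap]
user_enabled_attribute = nsAccountLock
user_enabled_invert = true
"""
# Constructed directory entries (attribute name -> list of values).
ENTRIES = {
    "alice": {},                            # no lock attribute: enabled
    "bob": {"nsAccountLock": ["true"]},     # locked in 389 DS
    "carol": {"nsAccountLock": ["false"]},  # explicitly not locked
}

def load_ldap_options(conf_text):
    """Return (user_enabled_attribute, user_enabled_invert) from [ldap]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)  # '#' lines are comments, so they set nothing
    attr = cp.get("ldap", "user_enabled_attribute", fallback="enabled")
    invert = cp.getboolean("ldap", "user_enabled_invert", fallback=False)
    return attr, invert

def account_enabled(entry, attr, invert):
    """Simplified model (hypothetical helper, not Keystone's implementation)."""
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if not values:
        return True  # attribute absent: account enabled by default
    flag = values[0].strip().lower() == "true"
    return (not flag) if invert else flag

def audit(conf_text, entries):
    """Report where the configuration misreads the directory's lock state."""
    attr, invert = load_ldap_options(conf_text)
    findings = []
    if attr.lower() == "nsaccountlock" and not invert:
        findings.append("config: nsAccountLock used without user_enabled_invert = true")
    for uid, entry in sorted(entries.items()):
        truth = account_enabled(entry, "nsAccountLock", True)
        seen = account_enabled(entry, attr, invert)
        if truth != seen:
            findings.append(f"{uid}: directory enabled={truth}, config yields enabled={seen}")
    return findings

if __name__ == "__main__":
    for line in audit(REPORTED_CONF, ENTRIES):
        print(line)
```

With the constructed samples, the reported configuration treats the locked account as enabled and the unlocked one as disabled, while the expected configuration produces no findings.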