Description of problem:
In Step 2.9.5b located here:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#configure_the_controller_2

There is a line missing from the [ldap] section which points to the CA certificate. Without this line, the command listed in step 2.9.9 will fail with:

ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f1da70c9-ee51-4983-984e-e07729df3fd9)

The logs show the message:
Peer's certificate issuer has been marked as not trusted by the user.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Just follow through the documented integration with IdM as is.

Actual results:
ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f1da70c9-ee51-4983-984e-e07729df3fd9)

The logs show the message:
Peer's certificate issuer has been marked as not trusted by the user.

Expected results:
Commands return list of users in the LAB domain.

Additional info:
The fix is to update the documentation in 2.9.5b to include the tls_cacertfile line as part of the Domain File:

[ldap]
url = ldaps://idm.lab.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=lab,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=lab,dc=local)
password = RedactedComplexPassword
user_tree_dn = cn=users,cn=accounts,dc=lab,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt

[identity]
driver = keystone.identity.backends.ldap.Identity
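Added example, not part of the original report or of the Red Hat documentation: a pre-flight check that reads a Keystone domain file and reports an [ldap] section that uses TLS without a CA reference, the condition behind the HTTP 500 above. The function name check_ldap_tls and the sample strings are constructed for illustration; the check is conservative and assumes trust is meant to come from the domain file rather than from system-wide LDAP client settings.

```python
import configparser
import os
import sys

# Constructed sample: an [ldap] section with the CA line missing.
SAMPLE_BROKEN = """\
[ldap]
url = ldaps://idm.lab.local
user_tree_dn = cn=users,cn=accounts,dc=lab,dc=local
user_pass_attribute =
[identity]
driver = keystone.identity.backends.ldap.Identity
"""
# Constructed sample: the same section with the fix from this report applied.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "[identity]", "tls_cacertfile = /etc/ssl/certs/ca.crt\n[identity]")


def check_ldap_tls(text, file_exists=os.path.isfile):
    """Return a list of TLS trust findings for the [ldap] section of a config."""
    # interpolation=None: passwords may contain '%'; strict=False: tolerate repeats.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_section("ldap"):
        return []
    ldap = cfg["ldap"]
    urls = [u.strip().lower() for u in ldap.get("url", "").split(",")]
    start_tls = ldap.get("use_tls", "false").strip().lower() == "true"
    ca_file = ldap.get("tls_cacertfile", "").strip()
    ca_dir = ldap.get("tls_cacertdir", "").strip()
    findings = []
    if any(u.startswith("ldaps://") for u in urls) or start_tls:
        if not ca_file and not ca_dir:
            findings.append("TLS in use but no tls_cacertfile or tls_cacertdir set")
        elif ca_file and not file_exists(ca_file):
            findings.append("tls_cacertfile does not exist: " + ca_file)
        # Relaxing verification hides a trust error instead of fixing it.
        if ldap.get("tls_req_cert", "demand").strip().lower() in ("never", "allow"):
            findings.append("tls_req_cert relaxes server certificate checks")
    else:
        findings.append("LDAP URL is not ldaps:// and use_tls is off")
    return findings


if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for finding in check_ldap_tls(fh.read()):
                print(f"{path}: {finding}")
                status = 1
    sys.exit(status)
```

Run it with one or more domain file paths as arguments; a non-zero exit status means at least one file produced a finding.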
Also updated relevant article: https://access.redhat.com/articles/1406213
OSP7 guide has been updated: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#configure_identity_service_2
Assigning Radek as the QA contact. Radek - could you take a look at the changes for this bug?
Looks good.
This content is now live on the Customer Portal. Closing.