Description of problem:

In Step 2.9.5b located here:

https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#configure_the_controller_2

There is a line missing from the [ldap] section which points to the CA certificate.  Without this line, the command listed in step 2.9.9 will fail with:

ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f1da70c9-ee51-4983-984e-e07729df3fd9)

The logs show the message: 

Peer's certificate issuer has been marked as not trusted by the user.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

Just follow through the documented integration with IdM as is.

Actual results:

ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f1da70c9-ee51-4983-984e-e07729df3fd9)

The logs show the message: 

Peer's certificate issuer has been marked as not trusted by the user.


Expected results:

Commands return list of users in the LAB domain.


Additional info:

The fix is to update the documentation in 2.9.5b to include the tls_cacertfile line as part of the Domain File:

[ldap]
url =  ldaps://idm.lab.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=lab,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=lab,dc=local)
password = RedactedComplexPassword
user_tree_dn = cn=users,cn=accounts,dc=lab,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt


[identity]
driver = keystone.identity.backends.ldap.Identity