Bug 1454875
| Summary: | Missing authlogin_nsswitch_use_ldap selinux boolean for LDAP integration | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | jliberma <jliberma> |
| Component: | puppet-tripleo | Assignee: | RHOS Maint <rhos-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | nlevinki <nlevinki> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 11.0 (Ocata) | CC: | aschultz, jjoyce, jliberma, jschluet, nkinder, slinaber, tvignaud |
| Target Milestone: | Upstream M3 | Keywords: | Triaged |
| Target Release: | 12.0 (Pike) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | puppet-tripleo-6.5.0-1.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-17 19:32:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (jliberma@redhat.com, 2017-05-23 16:09:24 UTC)
More detail:
With selinux enabled, Keystone will not use LDAP for user authentication unless authlogin_nsswitch_use_ldap is set to true. The default is false.
This means that LDAP integration will fail, preventing the use of Keystone V3 domain support.
I tried to enable this via ExtraConfig as follows:
```yaml
$ cat templates/12-auth.yaml
parameter_defaults:
  ControllerExtraConfig:
    tripleo::selinux::booleans:
      - authlogin_nsswitch_use_ldap
```
After an overcloud deploy referencing the new environment file, the sebool was not set to True.
```
$ run-on-controllers "sudo getsebool authlogin_nsswitch_use_ldap"
lab-controller03
authlogin_nsswitch_use_ldap --> off
--------
lab-controller02
authlogin_nsswitch_use_ldap --> off
--------
lab-controller01
authlogin_nsswitch_use_ldap --> off
```
A better solution would be to enable this in the keystone.pp manifest:
```puppet
if $ldap_backend_enable {
  validate_hash($ldap_backends_config)
  # Only manage the boolean when SELinux is actually present on the node
  if ($::selinux != "false") {
    selboolean { 'authlogin_nsswitch_use_ldap':
      value      => on,
      persistent => true,   # survive reboots and policy reloads
    }
  }
}
```
That way, if selinux is enabled, the boolean will be set automatically without user intervention.
Relevant upstream documentation:
[1] https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html#getting-the-overcloud-to-trust-cas
[2] https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/domain_specific_ldap_backends.html#freeipa-as-an-ldap-backend
After this is implemented, sudo getsebool authlogin_nsswitch_use_ldap should return True, and keystone V3 domain operations should execute successfully.
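As an added example (not part of the bug report or of puppet-tripleo), a POSIX shell check that parses the multi-host `getsebool` output in the format quoted above and fails when any controller still reports the boolean off; the host names and the `run-on-controllers` wrapper are taken from the report, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: verify that the SELinux boolean Keystone's LDAP backend
# needs is enabled on every controller after an overcloud deploy.
# Input format: per-host blocks of "<hostname>", "<bool> --> on|off", "--------".

# Constructed sample in the report's format; only controller02 has been fixed.
SAMPLE_OUTPUT='lab-controller03
authlogin_nsswitch_use_ldap --> off
--------
lab-controller02
authlogin_nsswitch_use_ldap --> on
--------
lab-controller01
authlogin_nsswitch_use_ldap --> off'

# hosts_with_bool_off BOOL < output : prints hosts where BOOL is not "on"
hosts_with_bool_off() {
    awk -v bool="$1" '
        /^--------$/ { next }                            # block separator
        $1 == bool && $2 == "-->" { state[host] = $3; next }
        { host = $1 }                                    # any other line names a host
        END { for (h in state) if (state[h] != "on") print h }
    ' | sort
}

# check_controllers BOOL < output : 0 if every host reports "on", else 1
check_controllers() {
    bad=$(hosts_with_bool_off "$1")
    if [ -n "$bad" ]; then
        printf 'SELinux boolean %s is OFF on: %s\n' \
            "$1" "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. In a real deployment feed this the output of:
#   run-on-controllers "sudo getsebool authlogin_nsswitch_use_ldap"
if printf '%s\n' "$SAMPLE_OUTPUT" | check_controllers authlogin_nsswitch_use_ldap; then
    echo "all controllers OK"
else
    echo "remediation needed: set the boolean (persistently) on the hosts listed"
fi
```

`getsebool` reports the runtime value only; the `persistent => true` in the proposed `selboolean` resource is what keeps it set across reboots, so a passing check right after deploy should be repeated after the next reboot.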
Okay so this bug has been fixed and backported to Ocata, not sure how we get it into the downstream release. Thanks, Jacob

Reviewed: https://review.openstack.org/469877
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=90704a6017f7c539e3c1fed038ed247763619380
Submitter: Jenkins
Branch: master

commit 90704a6017f7c539e3c1fed038ed247763619380
Author: Jacob Liberman <jliberma>
Date: Thu Jun 1 09:33:21 2017 -0500
...

Reviewed: https://review.openstack.org/470164
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Submitter: Jenkins
Branch: stable/ocata

commit 7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Author: Jacob Liberman <jliberma>
Date: Thu Jun 1 09:33:21 2017 -0500

The fix for this was included in puppet-tripleo-6.5.0-1.el7ost, and puppet-tripleo-6.5.0-5.el7ost is the latest version available for OSP11 on the customer portal. Closing as CURRENTRELEASE.