Description of problem:
With selinux enabled, authlogin_nsswitch_use_ldap must be on. The current keystone.pp does not include logic to enable this.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
More detail:

With selinux enabled, Keystone will not use LDAP for user authentication unless authlogin_nsswitch_use_ldap is set to true. The default is false. This means that LDAP integration will fail, preventing the use of Keystone V3 domain support.

I tried to enable this via ExtraConfig as follows:

$ cat templates/12-auth.yaml
parameter_defaults:
  ControllerExtraConfig:
    tripleo::selinux::booleans:
      - authlogin_nsswitch_use_ldap

After an overcloud deploy referencing the new environment file, the sebool was not set to True.

$ run-on-controllers "sudo getsebool authlogin_nsswitch_use_ldap"
lab-controller03
authlogin_nsswitch_use_ldap --> off
--------
lab-controller02
authlogin_nsswitch_use_ldap --> off
--------
lab-controller01
authlogin_nsswitch_use_ldap --> off

A better solution would be to enable this in the keystone.pp manifest:

if $ldap_backend_enable {
  validate_hash($ldap_backends_config)
  # Only manage the boolean when SELinux is present on the node
  if ($::selinux != "false") {
    selboolean { 'authlogin_nsswitch_use_ldap':
      value      => on,
      persistent => true,
    }
  }
}

That way, if selinux is enabled, the boolean will be set automatically without user intervention.

Relevant upstream documentation:
[1] https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html#getting-the-overcloud-to-trust-cas
[2] https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/domain_specific_ldap_backends.html#freeipa-as-an-ldap-backend

After this is implemented, sudo getsebool authlogin_nsswitch_use_ldap should return True, and keystone V3 domain operations should execute successfully.
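The verification step the report performs by hand (running getsebool on every controller and reading the output) can be scripted so a deploy pipeline fails when any controller still reports the boolean off. The script below is an added example, not part of the bug report or of puppet-tripleo; it parses the "host / boolean --> state" lines in the format shown above. The hostnames and states in SAMPLE_OUTPUT are constructed, and local_sebool_line assumes getsebool from policycoreutils is available on the node where it runs.

```shell
#!/bin/sh
# Added example (not from the bug report): check that the SELinux boolean
# authlogin_nsswitch_use_ldap is "on" on every controller after a deploy.

# Constructed sample, mimicking the report's run-on-controllers output with
# one controller still at the default (off) and two already fixed.
SAMPLE_OUTPUT='lab-controller03
authlogin_nsswitch_use_ldap --> off
--------
lab-controller02
authlogin_nsswitch_use_ldap --> on
--------
lab-controller01
authlogin_nsswitch_use_ldap --> on'

# Print "<host> <state>" per controller. A line without "-->" and not a
# separator is taken as the hostname that the following getsebool line
# belongs to, matching the layout produced by run-on-controllers.
parse_sebool_output() {
    printf '%s\n' "$1" | awk '
        /^-+$/ { next }                                  # skip "--------" separators
        $2 == "-->" && $1 == "authlogin_nsswitch_use_ldap" { print host, $3; next }
        NF == 1 { host = $1 }                            # bare hostname line
    '
}

# Print the hosts (one per line) where the boolean is anything other than "on".
hosts_with_ldap_bool_off() {
    parse_sebool_output "$1" | awk '$2 != "on" { print $1 }'
}

# Exit 0 when every controller reports "on", 1 otherwise.
check_all_controllers() {
    [ -z "$(hosts_with_ldap_bool_off "$1")" ]
}

# Emit this node's own "<hostname>\n<getsebool line>" pair, so the output of
# running it on each controller can be concatenated and fed to the checks
# above. Assumes getsebool (policycoreutils) is installed.
local_sebool_line() {
    printf '%s\n%s\n' "$(hostname)" "$(getsebool authlogin_nsswitch_use_ldap)"
}

# Demonstration on the constructed sample: lists lab-controller03.
hosts_with_ldap_bool_off "$SAMPLE_OUTPUT"
```

check_all_controllers returns non-zero for the sample because lab-controller03 is still off; on a deploy where the keystone.pp change has taken effect, it returns 0 and the LDAP domain backend can be exercised with confidence that SELinux will not block the nsswitch lookups.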
Okay so this bug has been fixed and backported to Ocata, not sure how we get it into the downstream release.

Thanks,
Jacob

Reviewed: https://review.openstack.org/469877
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=90704a6017f7c539e3c1fed038ed247763619380
Submitter: Jenkins
Branch: master

commit 90704a6017f7c539e3c1fed038ed247763619380
Author: Jacob Liberman <jliberma>
Date: Thu Jun 1 09:33:21 2017 -0500
...

Reviewed: https://review.openstack.org/470164
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Submitter: Jenkins
Branch: stable/ocata

commit 7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Author: Jacob Liberman <jliberma>
Date: Thu Jun 1 09:33:21 2017 -0500
The fix for this was included in puppet-tripleo-6.5.0-1.el7ost, and puppet-tripleo-6.5.0-5.el7ost is the latest version available for OSP11 on the customer portal. Closing as CURRENTRELEASE.