Description of problem:
The Keystone LDAP domain template that was working for our deployment in OSP11 no longer works in our OSP12 test deployments. It does not appear to generate any of the config files necessary (/etc/keystone/domains/keystone.my.domain.conf) on the host or inside the keystone container. Inside the keystone container, I ran "grep -r 'uid=keystone.user,cn=users,cn=compat' /", and got no results. I have based my template off of https://github.com/openstack/tripleo-heat-templates/blob/master/environments/services/keystone_domain_specific_ldap_backend.yaml and this works fine on OSP11.

Version-Release number of selected component (if applicable):
Installed Packages
Name : openstack-tripleo-heat-templates
Arch : noarch
Version : 7.0.3
Release : 0.20171024200823.el7ost

How reproducible:
Deploy a basic OpenStack using 12-beta, and include the keystone_domain_specific_ldap_backend.yaml that has been customized for your ldap domain.

Actual results:
After sourcing the overcloudrc.v3, the following commands work:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists no users

Expected results:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists all of the users matching my ldap user_tree
We appear to be missing the keystone_domain_config tag from the docker configuration so that the domain config is never written out during the deployment.
https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L94
The later step3 where we do run it is for resource configurations and not part of the configuration generation.
https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L195
Moving to POST as upstream review[1] has merged.
[1] - https://review.openstack.org/#/c/527485/
A stable/pike backport has been proposed here: https://review.openstack.org/#/c/527758/
Upstream stable backport has merged.
As expected, the config files are generated under /etc/keystone/domains.

(undercloud) [stack@undercloud-0 ~]$ rpm -qi openstack-tripleo-heat-templates.noarch
Name : openstack-tripleo-heat-templates
Version : 7.0.3
Release : 21.el7ost
Architecture: noarch
Install Date: Tue 23 Jan 2018 09:33:23 AM EST

[heat-admin@controller-0 ~]$ sudo ls -l /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains
total 4
-rw-r--r--. 1 root root 942 Jan 23 17:14 keystone.freeipadomain.conf
[heat-admin@controller-0 ~]$
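A post-deployment check for the failure mode in this report, where the domain is listed by Keystone but its keystone.<domain>.conf was never generated (added example, not part of the bug report or of tripleo-heat-templates). The function names are hypothetical, the requirement of a url option under [ldap] is an assumption about what a usable LDAP domain file contains, and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the directory layout and the
# keystone.<domain>.conf naming follow the listing in the comment above.

# check_domain_conf DIR DOMAIN
# Succeeds only if DIR/keystone.DOMAIN.conf exists, is non-empty and has a
# "url" option inside its [ldap] section (assumed minimum for an LDAP domain).
check_domain_conf() {
    conf="$1/keystone.$2.conf"
    if [ ! -s "$conf" ]; then
        echo "MISSING: $conf"
        return 1
    fi
    # Track the current INI section; flag a url option seen under [ldap].
    if ! awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[ldap]" && /^[ \t]*url[ \t]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$conf"; then
        echo "INCOMPLETE: $conf has no url under [ldap]"
        return 1
    fi
    echo "OK: $conf"
}

# check_domains DIR DOMAIN...
# Checks every listed domain and fails if any one of them fails.
check_domains() {
    domains_dir=$1
    shift
    rc=0
    for d in "$@"; do
        check_domain_conf "$domains_dir" "$d" || rc=1
    done
    return $rc
}

# Constructed sample: one generated file, and one domain with no file at all
# (the state this bug left behind).
demo_dir=$(mktemp -d)
printf '[identity]\ndriver = ldap\n[ldap]\nurl = ldap://ldap.example.test\n' \
    > "$demo_dir/keystone.freeipadomain.conf"
check_domains "$demo_dir" freeipadomain my-domain || echo "domain config check failed"
rm -rf "$demo_dir"
```

On a controller, pass the directory from the listing above (/var/lib/config-data/puppet-generated/keystone/etc/keystone/domains) and the domain names from the environment file.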
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0253