domain ldap tls_cacertfile "forgotten" in multidomain configuration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Triaged | Low | Unassigned |
Mitaka | Won't Fix | Undecided | Unassigned |
Bug Description
Environment:
CentOS 7 using the OpenStack Mitaka release
RPMs from:
http://
openstack-
—————
I have a multidomain configuration with multiple AD backends in keystone.
For one of the AD configurations I've configured a custom tls_cacertfile as follows:
«
[identity]
driver = ldap
[assignment]
driver = ldap
[ldap]
url = ldap://
use_tls = true
…
»
For the other:
«
[identity]
driver = ldap
[assignment]
driver = ldap
[ldap]
url = ldap://
query_scope = sub
use_tls = true
tls_cacertfile = /etc/keystone/
…
»
What I've observed is when logging in to domain2 I will get very inconsistent behaviour:
* sometimes fails: "Unable to retrieve authorized projects."
* sometimes fails: "An error occurred authenticating. Please try again later."
* sometimes fails: "Unable to authenticate to any available projects."
* sometimes fails: "Invalid credentials."
* sometimes succeeds
Example traceback from keystone log:
«
2016-11-25 09:54:06.699 27879 INFO keystone.
2016-11-25 09:54:07.147 27879 ERROR keystone.
2016-11-25 09:54:07.147 27879 ERROR keystone.
…
2016-11-25 09:54:07.147 27879 ERROR keystone.
2016-11-25 09:54:07.147 27879 ERROR keystone.
2016-11-25 09:54:07.147 27879 ERROR keystone.
»
I've also tried putting a merged tls_cacertfile containing the system default CA roots and the domain2-specific CA root. That seemed to improve things but did not fix the problem.
The workaround is putting the merged cacertfile into BOTH domain configurations, which should not be necessary. After doing so I haven't had any trouble.
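The following is an added example, not code from the bug report or from keystone itself. It builds the kind of merged CA bundle the reporter used as a workaround (system roots plus the domain-specific root) and shows, with certificates generated locally by openssl, that a server certificate issued under the domain root verifies against the merged bundle but not against the system roots alone. All file names, subject names and the working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of keystone: build a merged
# CA bundle (system roots + domain-specific root) and check which bundle a
# server certificate verifies against. Certificates are generated locally
# with openssl; the file names and subjects below are assumptions.
set -e

# build_bundle SYSTEM_ROOTS DOMAIN_CA OUT: concatenate two PEM files into one,
# inserting a newline between them so the last certificate of the first file
# and the first certificate of the second file cannot run together.
build_bundle() {
    : > "$3"
    for f in "$1" "$2"; do
        cat "$f" >> "$3"
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$3"; fi
    done
}

# count_certs FILE: number of PEM certificates in FILE (prints 0 if none).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# verify_against BUNDLE CERT: exit 0 if CERT chains to a root in BUNDLE.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_material DIR: a stand-in "system" root, a separate domain root
# (constructed stand-in for the domain2 AD CA) and an LDAP server certificate
# issued by that domain root.
make_test_material() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Stand-in system root (constructed)' \
        -keyout "$d/sys_ca.key" -out "$d/sys_ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Domain2 AD root (constructed)' \
        -keyout "$d/dom_ca.key" -out "$d/dom_ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=ldap.domain2.example' \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ldap.csr" \
        -CA "$d/dom_ca.pem" -CAkey "$d/dom_ca.key" -CAcreateserial \
        -out "$d/ldap.pem" 2>/dev/null
}

# demo: run the whole procedure in a temporary directory and report results.
demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    build_bundle "$work/sys_ca.pem" "$work/dom_ca.pem" "$work/merged-ca-bundle.pem"
    echo "certificates in merged bundle: $(count_certs "$work/merged-ca-bundle.pem")"
    if verify_against "$work/sys_ca.pem" "$work/ldap.pem"; then
        echo "system roots alone: ldap.pem verified (unexpected)"
    else
        echo "system roots alone: ldap.pem does NOT verify"
    fi
    if verify_against "$work/merged-ca-bundle.pem" "$work/ldap.pem"; then
        echo "merged bundle: ldap.pem verified"
    fi
    rm -rf "$work"
}

demo
```

Two caveats for anyone copying the workaround. First, python-ldap's `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...)` is a process-wide setting, so if the LDAP driver applies `tls_cacertfile` that way, whichever domain connected most recently decides which CA file every domain's TLS handshake uses; that is the usual reason a per-domain CA file appears to be "forgotten", and it is why the bundle has to be identical in every domain config rather than only in the one that needs the extra root. Second, a merged bundle means each domain's LDAP connection trusts every other domain's CA, so a compromised or less-trusted domain CA can issue a certificate that passes verification for another domain's LDAP server; keep the bundle limited to roots you would trust for all configured domains.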