keystone.pp missing selinux boolean authlogin_nsswitch_use_ldap

Bug #1695002 reported by plieb
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | High | plieb |

Bug Description

On selinux enabled systems, domain creation will fail unless authlogin_nsswitch_use_ldap is set to true in keystone.pp.

To reproduce:
1. Deploy an LDAP server
2. Create a domain
3. Create a domain-specific LDAP backend template per https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/domain_specific_ldap_backends.html
4. Deploy the overcloud with selinux enabled
5. Test domain access via keystone v3

plieb (jliberma)
Changed in tripleo:
assignee: nobody → plieb (jliberma)
Changed in tripleo:
importance: Undecided → Critical
status: New → Confirmed
milestone: none → pike-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/469877

Changed in tripleo:
status: Confirmed → In Progress
Changed in tripleo:
importance: Critical → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/469877
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=90704a6017f7c539e3c1fed038ed247763619380
Submitter: Jenkins
Branch: master

commit 90704a6017f7c539e3c1fed038ed247763619380
Author: Jacob Liberman <email address hidden>
Date: Thu Jun 1 09:33:21 2017 -0500

    Add conditional for setting authlogin_nsswitch_use_ldap selboolean

    If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must
    be enabled. This setting allows LDAP communications to the confined
    LDAP/server port. This change includes a conditional for enabling this
    Boolean only when selinux is in use.

    Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
    Closes-Bug: #1695002

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/470164

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/470164
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Submitter: Jenkins
Branch: stable/ocata

commit 7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f
Author: Jacob Liberman <email address hidden>
Date: Thu Jun 1 09:33:21 2017 -0500

    Add conditional for setting authlogin_nsswitch_use_ldap selboolean

    If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must
    be enabled. This setting allows LDAP communications to the confined
    LDAP/server port. This change includes a conditional for enabling this
    Boolean only when selinux is in use.

    Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe
    Closes-Bug: #1695002
    (cherry picked from commit 90704a6017f7c539e3c1fed038ed247763619380)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.1.0

This issue was fixed in the openstack/puppet-tripleo 7.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.5.0

This issue was fixed in the openstack/puppet-tripleo 6.5.0 release.
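
A host-side check for the condition this report describes, added here as an example; it is not part of the bug report or of the puppet-tripleo change. The function names `sebool_state` and `classify` and the `SAMPLE` text are constructed for illustration, and the sample is used only when the SELinux tools are not installed.

```shell
#!/bin/sh
# Added example: is this host in the state described in bug #1695002?
BOOL=authlogin_nsswitch_use_ldap

# Print on/off for boolean $2 from `getsebool`-style output in $1,
# or "unknown" when the boolean is not listed.
sebool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '
        $1 == b && $2 == "-->" { print $3; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Classify from the SELinux mode (getenforce output) and the boolean state:
#   ok      - SELinux disabled, or the boolean is on
#   blocked - Enforcing with the boolean off (the failure in this report)
#   masked  - Permissive with the boolean off: denials are only logged,
#             so the problem appears once the host is set to Enforcing
classify() {
    mode=$1 state=$2
    case "$mode" in
        Disabled) echo ok; return ;;
    esac
    case "$state" in
        on)  echo ok ;;
        off) [ "$mode" = Enforcing ] && echo blocked || echo masked ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample of `getsebool -a` output (not taken from a real host).
SAMPLE='httpd_can_network_connect --> on
authlogin_nsswitch_use_ldap --> off'

if command -v getsebool >/dev/null 2>&1 && command -v getenforce >/dev/null 2>&1; then
    cur_mode=$(getenforce 2>/dev/null || echo Disabled)
    cur_out=$(getsebool "$BOOL" 2>/dev/null || true)
else
    cur_mode=Enforcing      # constructed input for hosts without SELinux tools
    cur_out=$SAMPLE
fi

result=$(classify "$cur_mode" "$(sebool_state "$cur_out" "$BOOL")")
echo "$BOOL check: mode=$cur_mode result=$result"
# Manual equivalent of what the fix manages through Puppet.
[ "$result" = ok ] || echo "to enable persistently: setsebool -P $BOOL on"
```
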
