ldap-config-flags won't be reflected on config-changed

Bug #1712972 reported by Nobuto Murata on 2017-08-25
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Keystone LDAP integration
Edward Hope-Morley

Bug Description

How to reproduce:

$ juju deploy cs:~openstack-charmers-next/keystone
Located charm "cs:~openstack-charmers-next/keystone-306".
Deploying charm "cs:~openstack-charmers-next/keystone-306".

$ juju deploy cs:~openstack-charmers-next/keystone-ldap
Located charm "cs:~openstack-charmers-next/keystone-ldap-14".
Deploying charm "cs:~openstack-charmers-next/keystone-ldap-14".

$ juju config keystone-ldap \
    domain-name=mydomain.example.com \
    ldap-server=ldap://localhost/ \
    ldap-user='cn=admin,dc=mydomain,dc=test,dc=com' \
    ldap-password=secret \
    ldap-suffix='dc=mydomain,dc=example,dc=com' \
    ldap-config-flags='{query_scope: sub, user_objectclass: person}'

$ juju add-relation keystone keystone-ldap

$ juju run --unit keystone/0 'cat /etc/keystone/domains/keystone.mydomain.example.com.conf'
url = ldap://localhost/
user = cn=admin,dc=mydomain,dc=test,dc=com
password = secret
suffix = dc=mydomain,dc=example,dc=com

user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False

# User supplied configuration flags
query_scope = sub
user_objectclass = person
driver = ldap

ldap-config-flags has been reflected at the deployment, however, I cannot add page_size=10 by the following command. config-changed flag was run, but no "page_size" in /etc/keystone/domains/keystone.mydomain.example.com.conf.

$ juju config ldap-config-flags='{query_scope: sub, user_objectclass: person, page_size: 10}'

Nobuto Murata (nobuto) wrote :

Immutable domain-name should be fine, but tweaking ldap-config-flags may be necessary after a deployment.

James Page (james-page) wrote :

Confirmed - the state modelling is a bit foobar in that it won't update the file past first config.

Changed in charm-keystone-ldap:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → 17.11
status: Confirmed → Triaged
Nobuto Murata (nobuto) on 2017-09-28
tags: added: cpe-onsite
Frode Nordahl (fnordahl) on 2017-09-29
tags: added: sts

Probably obvious from the description, a workaround is to redeploy keystone-ldap. In brief, based on work done in a customer's environment:

1) remove the relation between keystone and keystone-ldap
2) remove keystone-ldap [note that in Juju >= 2.2, this should happen automatically when the relation is removed, thereby making this second step a no-op]
3) redeploy keystone-ldap, configure it as desired, and then, as a final step, relate it to keystone

James Page (james-page) on 2017-12-01
Changed in charm-keystone-ldap:
milestone: 17.11 → 18.02
Changed in charm-keystone-ldap:
assignee: nobody → Edward Hope-Morley (hopem)

Fix proposed to branch: master
Review: https://review.openstack.org/530971

Changed in charm-keystone-ldap:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/530971
Committed: https://git.openstack.org/cgit/openstack/charm-keystone-ldap/commit/?id=47bb457447ba5bb39226038b8f219eb8d79f50c6
Submitter: Zuul
Branch: master

commit 47bb457447ba5bb39226038b8f219eb8d79f50c6
Author: Edward Hope-Morley <email address hidden>
Date: Wed Jan 3 17:05:53 2018 +0000

    Ensure config changes are applied

    Currently any config changes post-deployment are
    ignored once the domain name is set. This patch
    ensures that any changes are registered and applied.

    Change-Id: Id37db3c74d3712bc96c3f8ed6a04c907e4d18bc5
    Closes-Bug: #1712972

Changed in charm-keystone-ldap:
status: In Progress → Fix Committed
Dmitrii Shcherbakov (dmitriis) wrote :

Although there is a checksum check in render_config that prevents keystone restart trigger from working I'd rather avoid handler invocation on every event, see https://bugs.launchpad.net/charm-keystone-ldap/+bug/1741661

Ryan Beisner (1chb1n) on 2018-03-09
Changed in charm-keystone-ldap:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers