Keystone ldap only configures domain on one node
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | High | Jesse Pretorius |
Bug Description
When using 3 nodes under the group "identity_hosts", and setting LDAP configuration for keystone, only one of them receives a valid ldap configuration file.
Snippet of openstack_
----
identity_hosts:
  infra1:
    ip: 192.168.0.1
  infra2:
    ip: 192.168.0.2
  infra3:
    ip: 192.168.0.3
----
Snippet of user_variables.yml
----
keystone_ldap:
  my_domain_name:
    url: "ldap:/
    #*other parameters not here for brevity*
horizon_
----
Playbook execution ends successfully, and we can log in to the given domain, but we detected that when listing users, some of them were missing.
Random "authentication failed" errors for users under the LDAP domain were also occurring, and we suspected that this was due to a misconfiguration in one of the 3 keystone APIs.
Apparently, only 1 of the 3 keystone APIs has a domain configured for the LDAP domain, so when authentication requests for the given LDAP domain reached any of the keystone API containers that did not have this domain applied, they threw errors.
The solution was to copy the /etc/keystone/ on infra1 to the LXC containers on infra2 and infra3.
This was tested with branch *stable/queens*, on a 3 node configuration with HA for the identity service, using LXC containers on all components.
This is a regression introduced by this commit:
https://github.com/openstack/openstack-ansible-os_keystone/commit/096ed19665dad45fe9b1c1790ba599d90ccf233c
Jesse: I assigned this to you, if you have time to dig in; if not, feel free to un-assign. We probably just need to move the "when:" to inside the include rather than on the entire include.
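The pattern the comment above describes, written out as an added illustration (this is not the os_keystone role's actual task file and not code from this bug's fix). It assumes a hypothetical include file `keystone_ldap_setup.yml`, a hypothetical template `keystone.domain.conf.j2`, the group name `keystone_all` and the directory `/etc/keystone/domains/`, none of which appear on this page. The point it shows: a host-scoped `when:` on the include itself skips every task in the file on all but one host, so per-host files (the domain config) never land on the other API containers; moving the condition onto the single task that should only run once keeps the file task running everywhere.

```yaml
# Added illustration, not the project's own tasks.
# --- Before (hypothetical): the condition guards the whole include, so the
# per-domain config file is only written on the first host of the group.
- name: Configure LDAP domains
  include_tasks: keystone_ldap_setup.yml     # hypothetical file name
  when: inventory_hostname == groups['keystone_all'][0]

# --- After (hypothetical): include unconditionally ...
- name: Configure LDAP domains
  include_tasks: keystone_ldap_setup.yml

# --- ... and inside keystone_ldap_setup.yml scope the condition to the
# one-off step only. The config file task now runs on every API host,
# so each container serves the LDAP domain consistently.
- name: Write a domain-specific keystone config on every API host
  template:
    src: keystone.domain.conf.j2             # hypothetical template
    dest: "/etc/keystone/domains/keystone.{{ item.key }}.conf"  # assumed path
    owner: keystone
    group: keystone
    mode: "0640"
  with_dict: "{{ keystone_ldap }}"
  notify: Restart keystone APIs               # assumes such a handler exists

- name: Register the domain with keystone (only needs to happen once)
  command: "openstack domain create {{ item.key }}"
  with_dict: "{{ keystone_ldap }}"
  when: inventory_hostname == groups['keystone_all'][0]
  register: domain_create
  failed_when: domain_create.rc != 0 and 'already exists' not in domain_create.stderr
```

A quick way to confirm the symptom described in this report is to check that the domain config file is present, and identical, on every host in the identity group rather than only on the first one; with the condition placed as in the "Before" block, that check fails on all but one host.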