[openstack-ansible] Keystone federation with OpenID needs shibboleth

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Thu May 6 08:17:03 UTC 2021


I forgot to mention: in Ubuntu 20.04, the apache shibboleth module is named "shib" and not "shib2". So, I had to supersede the variable
"keystone_apache_modules". If you don't do this, the os-keystone playbook fails with: "Failed to set module shib2 to disabled:\n\nMaybe the module identifier (mod_shib) was guessed incorrectly.Consider setting the \"identifier\" option.", "rc": 1, "stderr": "ERROR: Module shib2 does not exist!\n".

So, apache modules enabled are:
- shib
- auth_openidc
- proxy_uwsgi
- headers

> -----Original Message-----
> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
> Sent: mercredi, 5 mai 2021 19:19
> To: openstack-discuss at lists.openstack.org
> Subject: Re: [openstack-ansible] Keystone federation with OpenID needs
> shibboleth
> 
> Could you check which apache modules are enabled?
> 
> The set is defined in the code here
> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L85-L95
> 
> On 05/05/2021 17:41, Taltavull Jean-Francois wrote:
> > I've got keystone_sp.apache_mod = mod_auth_openidc
> >
> >
> >> -----Original Message-----
> >> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
> >> Sent: mercredi, 5 mai 2021 17:57
> >> To: openstack-discuss at lists.openstack.org
> >> Subject: Re: [openstack-ansible] Keystone federation with OpenID
> >> needs shibboleth
> >>
> >> Hi Jean-Francois,
> >>
> >> I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC.
> >>
> >> On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2
> >> can't be co-installed as they require conflicting versions of libcurl
> >> - see the workaround here
> >> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/debian.yml#L58-L61
> >>
> >> For Ubuntu 20.04 these packages are co-installable so whenever
> >> keystone is configured to be a SP both are installed, as here
> >> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60
> >>
> >> A starting point would be checking what you've got
> >> keystone_sp.apache_mod set to in your config, as this drives how the
> >> apache config is constructed, here
> >> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L51-L68
> >>
> >> In particular, if keystone_sp.apache_mod is undefined in your config,
> >> the defaults assume mod_shib is required.
> >>
> >> You can also join us in the IRC channel #openstack-ansible we can debug
> >> further.
> >>
> >> Regards
> >> Jonathan.


