[openstack-ansible] Keystone federation with OpenID needs shibboleth
Hi All,

I'm trying to make keystone federation with openid connect work on an Ubuntu 20.04 + Victoria cloud deployed with OSA.

Despite the fact that I use openid, shibboleth seems to be involved and I had to add the "ShibCompatValidUser On" directive to the file "/etc/apache2/conf-available/shib.conf", by hand in the keystone lxc container, in order to successfully authenticate ("valid user: granted" and not "valid user: denied" in the apache log file).

Has anyone already experienced this use case?

Thanks and best regards,
Jean-Francois
Hi Jean-Francois,

I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC.

On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 can't be co-installed as they require conflicting versions of libcurl - see the workaround here https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/debian.yml#L58-L61

For Ubuntu 20.04 these packages are co-installable so whenever keystone is configured to be an SP both are installed, as here https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60

A starting point would be checking what you've got keystone_sp.apache_mod set to in your config, as this drives how the apache config is constructed, here https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L51-L68

In particular, if keystone_sp.apache_mod is undefined in your config, the defaults assume mod_shib is required.

You can also join us in the IRC channel #openstack-ansible, where we can debug further.

Regards,
Jonathan.

On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
I've got keystone_sp.apache_mod = mod_auth_openidc
-----Original Message-----
From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Wednesday, 5 May 2021 17:57
To: openstack-discuss@lists.openstack.org
Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth
Could you check which apache modules are enabled?

The set is defined in the code here https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L85-L95

On 05/05/2021 17:41, Taltavull Jean-Francois wrote:
I forgot to mention: in Ubuntu 20.04, the apache shibboleth module is named "shib" and not "shib2". So, I had to supersede the variable "keystone_apache_modules". If you don't do this, the os-keystone playbook fails with:

"Failed to set module shib2 to disabled:\n\nMaybe the module identifier (mod_shib) was guessed incorrectly.Consider setting the \"identifier\" option.", "rc": 1, "stderr": "ERROR: Module shib2 does not exist!\n"

So, the apache modules enabled are:
- shib
- auth_openidc
- proxy_uwsgi
- headers
-----Original Message-----
From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Wednesday, 5 May 2021 19:19
To: openstack-discuss@lists.openstack.org
Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth
I've made a patch to correct this module name which it would be great if you could test and leave a comment if it's OK: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/790018

Are you able to debug any further why the shib module is being enabled, maybe through using -vv on the openstack-ansible command to show the task parameters, or adding some debug tasks in os_keystone to show the values of keystone_sp_apache_mod_shib and keystone_sp_apache_mod_auth_openidc?

On 06/05/2021 09:17, Taltavull Jean-Francois wrote:
Your patch is ok, that's what I did by superseding the variable "keystone_apache_modules". Ansible -vvv trace shows that the task parameters are correct, but the apache shib module remains enabled.

Anyway, authentication still fails and I get "valid-user: denied" in apache logs because of a weird interference with the libapache2-mod-shib package.

For now, the workaround I've found is not to install the libapache2-mod-shib package:

openstack-ansible os-keystone-install.yml --extra-vars '{"keystone_sp_distro_packages":["libapache2-mod-auth-openidc"]}'

And everything works fine (if you don't need shibboleth), keystone deployment and openid auth. But this is just a workaround.

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Thursday, 6 May 2021 11:21
To: openstack-discuss@lists.openstack.org
Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth
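An added example, not from the thread or from the os_keystone role, of an OSA user_variables.yml fragment that puts the settings discussed above together: Jonathan's point that keystone_sp.apache_mod drives how the Apache SP config is built, and Jean-Francois's two overrides (keystone_apache_modules with the Ubuntu 20.04 module name, and keystone_sp_distro_packages without libapache2-mod-shib). It assumes that keystone_apache_modules entries take name/state keys (inferred from the apache2_module error quoted in the thread) and that keystone_sp_apache_mod_auth_openidc is the role's boolean derived from keystone_sp.apache_mod; the IdP definition itself is left as a placeholder.

```yaml
# Added example: /etc/openstack_deploy/user_variables.yml fragment for an
# OSA Victoria / Ubuntu 20.04 deployment that federates keystone with
# mod_auth_openidc only. Not from the thread or the os_keystone role.

# Selects which Apache module the role templates the SP config for.
# Leaving it undefined makes the role assume mod_shib (see the thread).
keystone_sp:
  apache_mod: mod_auth_openidc
  # trusted_idp_list and the remaining SP settings go here (placeholder;
  # see the os_keystone role documentation for the key names).

# Install only the OIDC module. libapache2-mod-shib is what produced the
# "valid-user: denied" interference in the thread, so it is left out
# unless SAML federation is actually needed.
keystone_sp_distro_packages:
  - libapache2-mod-auth-openidc

# Supersede the role's module list. Two points:
#  * on Ubuntu 20.04 the Shibboleth module is "shib", not "shib2"
#    (the review linked in the thread fixes the role's default);
#  * there is no shib entry at all here, because disabling a module whose
#    package is not installed fails ("ERROR: Module ... does not exist!").
# Assumption: entries take name/state, as the apache2_module error in the
# thread suggests. Compare with vars/ubuntu-20.04.yml before overriding,
# since this list replaces the role's default entirely.
keystone_apache_modules:
  - name: auth_openidc
    state: "{{ (keystone_sp_apache_mod_auth_openidc | bool) | ternary('present', 'absent') }}"
  - name: proxy_uwsgi
    state: present
  - name: headers
    state: present
```

Once Jonathan's module-name fix lands in the role, the keystone_apache_modules override can be dropped; the package override stays only for as long as the shib module must be kept off the SP host.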
participants (2)
- Jonathan Rosser
- Taltavull Jean-Francois