[openstack-ansible] Keystone federation with OpenID needs shibboleth

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Wed May 5 15:56:37 UTC 2021


Hi Jean-Francois,

I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC.

On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 
can't be co-installed as they require conflicting versions of libcurl - 
see the workaround here 
https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/debian.yml#L58-L61

For Ubuntu 20.04 these packages are co-installable so whenever keystone 
is configured to be a SP both are installed, as here 
https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60

A starting point would be checking what you've got 
keystone_sp.apache_mod set to in your config, as this drives how the 
apache config is constructed, here 
https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L51-L68

In particular, if keystone_sp.apache_mod is undefined in your config, 
the defaults assume mod_shib is required.

You can also join us in the IRC channel #openstack-ansible, where we can debug 
further.

Regards
Jonathan.

On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
> Hi All,
>
> I'm trying to make keystone federation with openid connect work on an Ubuntu 20.04 + Victoria cloud deployed with OSA.
>
> Despite the fact that I use openid, shibboleth seems to be involved and I had to add "ShibCompatValidUser On" directive to the file "/etc/apache2/conf-available/shib.conf", by hand in the keystone lxc container, in order to successfully authenticate ("valid user: granted" and not "valid user: denied" in apache log file).
>
> Has anyone already experienced this use case?
>
> Thanks and best regards,
> Jean-Francois
>
>
>
>
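Added example for this thread (not code from openstack-ansible or from either poster): a small diagnostic that applies the rule the reply states, namely that a keystone_sp without apache_mod makes the os_keystone role fall back to mod_shib, and that counts the "valid user: granted" / "valid user: denied" verdicts from the Apache log quoted in the question. The config is a plain dict standing in for user_variables.yml (parsing the YAML file itself is left to the reader), the log lines are constructed, and "mod_auth_openidc" as the OIDC value of keystone_sp.apache_mod is an assumption to verify against the role's vars/ and tasks/main.yml.

```python
"""Diagnostic for the configuration point raised above: which Apache auth
module the os_keystone role will configure for a Keystone service provider
(SP), and whether the Apache log shows shibboleth 'valid user' denials.

Added example for this thread, not code from openstack-ansible. It mirrors
the rule stated in the reply (keystone_sp.apache_mod unset -> mod_shib) on a
plain dict standing in for user_variables.yml. 'mod_auth_openidc' as the OIDC
value of keystone_sp.apache_mod is an assumption; verify it against the role.
"""
import re
from typing import Dict, Iterable, List, Optional

DEFAULT_APACHE_MOD = "mod_shib"                 # assumed when apache_mod is unset
KNOWN_MODS = {"mod_shib", "mod_auth_openidc"}   # assumed accepted values

# Constructed stand-in for user_variables.yml: keystone is an SP, but
# apache_mod was never set, which is the situation the reply describes.
SAMPLE_USER_VARIABLES: Dict = {
    "keystone_sp": {
        "cadf_notification": True,
        "trusted_dashboard_list": ["https://horizon.example.test/auth/websso/"],
        # "apache_mod": "mod_auth_openidc",   # <- the line that is missing
    }
}

# Constructed Apache error-log lines carrying the verdict strings quoted in
# the original question; the surrounding format is illustrative only.
SAMPLE_LOG_LINES = [
    "[Wed May 05 14:01:02 2021] [shib:info] [pid 1234] [client 10.0.0.5:51234] valid user: denied",
    "[Wed May 05 14:01:09 2021] [shib:info] [pid 1234] [client 10.0.0.5:51240] valid user: denied",
    "[Wed May 05 14:05:41 2021] [shib:info] [pid 1234] [client 10.0.0.5:51302] valid user: granted",
]

VALID_USER_RE = re.compile(r"valid user: (granted|denied)")


def select_apache_mod(user_variables: Dict) -> Optional[str]:
    """Return the module the role would configure, or None when keystone
    is not configured as an SP (no keystone_sp key at all)."""
    if "keystone_sp" not in user_variables:
        return None
    keystone_sp = user_variables["keystone_sp"] or {}
    mod = keystone_sp.get("apache_mod", DEFAULT_APACHE_MOD)
    if mod not in KNOWN_MODS:
        raise ValueError(f"unexpected keystone_sp.apache_mod value: {mod!r}")
    return mod


def valid_user_verdicts(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count 'valid user: granted' / 'valid user: denied' verdicts."""
    counts = {"granted": 0, "denied": 0}
    for line in log_lines:
        match = VALID_USER_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def diagnose(user_variables: Dict, log_lines: Iterable[str]) -> List[str]:
    """Combine both checks into human-readable findings."""
    findings: List[str] = []
    mod = select_apache_mod(user_variables)
    if mod is None:
        findings.append("keystone_sp is not defined; keystone is not an SP and no auth module is configured")
        return findings
    explicit = "apache_mod" in (user_variables["keystone_sp"] or {})
    findings.append(f"keystone_sp.apache_mod resolves to {mod} ({'explicit' if explicit else 'defaulted'})")
    verdicts = valid_user_verdicts(log_lines)
    findings.append(f"shibboleth verdicts in log: {verdicts['granted']} granted, {verdicts['denied']} denied")
    if verdicts["denied"] and not explicit:
        findings.append("denials with apache_mod unset: the role defaulted to mod_shib; "
                        "set keystone_sp.apache_mod explicitly for OIDC")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_USER_VARIABLES, SAMPLE_LOG_LINES):
        print(finding)
```

Run against a real deployment by loading user_variables.yml into the dict and feeding the keystone container's Apache error log to diagnose(); the "defaulted" finding is the condition the reply points at.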
