[openstack-ansible] Keystone federation with OpenID needs shibboleth

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Wed May 5 17:19:26 UTC 2021


Could you check which apache modules are enabled?

The set is defined in the code here 
https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L85-L95

On 05/05/2021 17:41, Taltavull Jean-Francois wrote:
> I've got keystone_sp.apache_mod = mod_auth_openidc
>
>
>> -----Original Message-----
>> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
>> Sent: mercredi, 5 mai 2021 17:57
>> To: openstack-discuss at lists.openstack.org
>> Subject: Re: [openstack-ansible] Keystone federation with OpenID needs
>> shibboleth
>>
>> Hi Jean-Francois,
>>
>> I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC.
>>
>> On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 can't
>> be co-installed as they require conflicting versions of libcurl - see the
>> workaround here
>> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/debian.yml#L58-L61
>>
>> For Ubuntu 20.04 these packages are co-installable so whenever keystone is
>> configured to be a SP both are installed, as here
>> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60
>>
>> A starting point would be checking what you've got keystone_sp.apache_mod
>> set to in your config, as this drives how the apache config is constructed, here
>> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L51-L68
>>
>> In particular, if keystone_sp.apache_mod is undefined in your config, the
>> defaults assume mod_shib is required.
>>
>> You can also join us in the IRC channel #openstack-ansible where we can debug further.
>>
>> Regards
>> Jonathan.
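
The module check asked for at the top of this message, as an added example that is not part of the original thread or of openstack-ansible: it compares the modules Apache reports as loaded with the value of keystone_sp.apache_mod. The function names, the sample module list and the mapping from apache_mod values to the identifiers shown by `apache2ctl -M` are assumptions.

```shell
#!/bin/sh
# Added example: does Apache have the module that keystone_sp.apache_mod asks for?

# Constructed sample of `apache2ctl -M` output (not taken from a real host).
sample_modules() {
cat <<'EOF'
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 wsgi_module (shared)
 mod_shib (shared)
EOF
}

# Map an apache_mod value to the identifier Apache prints for it.
# Assumption: mod_auth_openidc is listed as auth_openidc_module and
# Shibboleth is listed as mod_shib.
module_id() {
    case "$1" in
        mod_auth_openidc) echo auth_openidc_module ;;
        mod_shib|"")      echo mod_shib ;;  # undefined: defaults assume mod_shib
        *)                return 1 ;;
    esac
}

# check_sp_module <apache_mod value>, with the module list on stdin.
# Prints ok, missing or unknown; the exit status is 0, 1 or 2 respectively.
check_sp_module() {
    want=$(module_id "$1") || { echo unknown; return 2; }
    # Keep only "name (shared|static)" lines and take the module name.
    loaded=$(awk 'NF >= 2 && $2 ~ /^\((shared|static)\)$/ {print $1}')
    if printf '%s\n' "$loaded" | grep -qxF "$want"; then
        echo ok
    else
        echo missing
        return 1
    fi
}

# On a keystone host: apache2ctl -M | check_sp_module mod_auth_openidc
```

A result of `missing` for mod_auth_openidc while mod_shib is listed matches the situation in the subject line: Apache was set up with the Shibboleth default rather than the module named in the config.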
