[openstack-ansible] Keystone federation with OpenID needs shibboleth

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Thu May 6 09:20:58 UTC 2021

I've made a patch to correct this module name, which it would be great if 
you could test and leave a comment if it's OK.


Are you able to debug any further why the shib module is being enabled, 
maybe through using -vv on the openstack-ansible command to show the 
task parameters, or adding some debug tasks in os_keystone to show the 
values of keystone_sp_apache_mod_shib and 

On 06/05/2021 09:17, Taltavull Jean-Francois wrote:
> I forgot to mention: in Ubuntu 20.04, the apache shibboleth module is named "shib" and not "shib2". So, I had to supersede the variable
> "keystone_apache_modules". If you don't do this, os-keystone playbook fails with " "Failed to set module shib2 to disabled:\n\nMaybe the module identifier (mod_shib) was guessed incorrectly.Consider setting the \"identifier\" option.", "rc": 1, "stderr": "ERROR: Module shib2 does not exist!\n"".
> So, apache modules enabled are:
> - shib
> - auth_openidc
> - proxy_uwsgi
> - headers
>> -----Original Message-----
>> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
>> Sent: Wednesday, 5 May 2021 19:19
>> To: openstack-discuss at lists.openstack.org
>> Subject: Re: [openstack-ansible] Keystone federation with OpenID needs
>> shibboleth
>> Could you check which apache modules are enabled?
>> The set is defined in the code here
>> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L85-L95
>> On 05/05/2021 17:41, Taltavull Jean-Francois wrote:
>>> I've got keystone_sp.apache_mod = mod_auth_openidc