[openstack-ansible] Keystone federation with OpenID needs shibboleth

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Thu May 6 17:33:02 UTC 2021

Your patch is ok, that’s what I did by superseding the variable “keystone_apache_modules”.

Ansible -vvv trace shows that the task parameters are correct, but the apache shib module remains enabled. Anyway, authentication still fails and I get “valid-user: denied” in apache logs because of a weird interference with libapache2-mod-shib package.

For now, the workaround I’ve found is not to install the libapache2-mod-shib package:
“openstack-ansible os-keystone-install.yml --extra-vars '{"keystone_sp_distro_packages":["libapache2-mod-auth-openidc"]}'”

And everything works fine (if you don’t need shibboleth), keystone deployment and openid auth. But this is just a workaround.

From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
Sent: jeudi, 6 mai 2021 11:21
To: openstack-discuss at lists.openstack.org
Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth

I've made a patch to correct this module name which it would be great if you could test and leave a comment if it's OK


Are you able to debug any further why the shib module is being enabled, maybe through using -vv on the openstack-ansible command to show the task parameters, or adding some debug tasks in os_keystone to show the values of keystone_sp_apache_mod_shib and keystone_sp_apache_mod_auth_openidc?
On 06/05/2021 09:17, Taltavull Jean-Francois wrote:

I forgot to mention: in Ubuntu 20.04, the apache shibboleth module is named "shib" and not "sib2". So, I had to supersede the variable

" keystone_apache_modules". If you don't do this, os-keystone playbook fails with " "Failed to set module shib2 to disabled:\n\nMaybe the module identifier (mod_shib) was guessed incorrectly.Consider setting the \"identifier\" option.", "rc": 1, "stderr": "ERROR: Module shib2 does not exist!\n"".

So, apache modules enabled are:

- shib

- auth_openidc

- proxy_uwsgi

- headers

-----Original Message-----

From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk><mailto:jonathan.rosser at rd.bbc.co.uk>

Sent: mercredi, 5 mai 2021 19:19

To: openstack-discuss at lists.openstack.org<mailto:openstack-discuss at lists.openstack.org>

Subject: Re: [openstack-ansible] Keystone federation with OpenID needs


Could you check which apache modules are enabled?

The set is defined in the code here



On 05/05/2021 17:41, Taltavull Jean-Francois wrote:

I've got keystone_sp.apache_mod = mod_auth_openidc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210506/ed570f6c/attachment.html>

More information about the openstack-discuss mailing list