I'm migrating the troubleshooting of Keystone/Horizon AD LDAP issues that <Cu> is seeing  in RHOSSTRAT-949 to this bug ticket so that it can be worked outside of the Epic.

Comment Thread:

 
tadianto@redhat.com added a comment  2025/11/07 2:24 AM  Restricted to Red Hat Employee
jjung@redhat.com We did successfully configured the LDAP integration with AD, and we can use AD user to interact with Openstack through CLI, however there is no way to use the AD user to login via horizon as it always authenticated against local Keystone user.  is there a way to configure this? we can help to test it.
Pin
 

 Collapse comment: Dave Wilde added a comment - 2025/11/07 11:03 AM

dwilde@redhat.com added a comment - 2025/11/07 11:03 AM
tadianto@redhat.com this sounds like it might be a WEBSSO setting in Horizon, I'm going to loop in rhn-engineering-rdopiera and omcgonag@redhat.com to see if they know.  jagee@redhat.com might also be able to shed some light on it.

Thanks,

/Dave 
Edit DeletePin
 

 Collapse comment: Radomir Dopieralski added a comment - 2025/11/19 8:39 AM

rhn-engineering-rdopiera added a comment - 2025/11/19 8:39 AM
dwilde@redhat.com there is a whole bunch of WEBSSO settings in Horizon, but from reading this issue and the comments I'm not sure what it is exactly that you want to configure? The settings reference is at https://docs.openstack.org/horizon/latest/configuration/settings.html#websso-choices
Pin
 

 Collapse comment: Owen McGonagle added a comment - 2025/11/19 9:40 AM - Restricted to Red Hat Employee, Edited by Owen McGonagle - 2025/11/19 9:40 AM

omcgonag@redhat.com added a comment  2025/11/19 9:40 AM  Restricted to Red Hat Employee - edited
my last experience using WEBSSO settings was with the multi-region testing for Telefonica

The Horizon configuration settings for that environment looked a bit like:

Would something similar to this be relative to the current issue at hand?

meanwhile, we can look at the other WEBSSO options?

Do we have access to a system exhibiting the error(s)?

OPENSTACK_ENDPOINT_TYPE = "publicURL"
OPENSTACK_KEYSTONE_URL = "https://keystone-public-okstack.apps-crc.testing/v3"
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
  ("credentials", _("Keystone Credentials")),
  ("OIDC", _("OpenID Connect")),
)
WEBSSO_IDP_MAPPING = {
  "OIDC": ("kcIDP", "openid"),
}
AVAILABLE_REGIONS = [
    ("https://keystone-public-okstack.apps-crc.testing/v3", 'regionThree'),
    ("https://keystone-public-okstack.apps-crc.testing/v3", 'regionFour'),
]
DEFAULT_SERVICE_REGIONS = {
    '*': 'regionThree',
    OPENSTACK_KEYSTONE_URL: 'regionFour',
}

we had done that through a customServiceConfig update

  horizon:
    apiOverride:
      route: {}
    enabled: true
    template:
      customServiceConfig: |
        OPENSTACK_ENDPOINT_TYPE = "publicURL"
        OPENSTACK_KEYSTONE_URL = "https://keystone-public-okstack.apps-crc.testing/v3"
        WEBSSO_ENABLED = True
        WEBSSO_CHOICES = (
          ("credentials", _("Keystone Credentials")),
          ("OIDC", _("OpenID Connect")),
        )
        WEBSSO_IDP_MAPPING = {
          "OIDC": ("kcIDP", "openid"),
        }
        AVAILABLE_REGIONS = [
            ("https://keystone-public-okstack.apps-crc.testing/v3", 'regionThree'),
            ("https://keystone-public-okstack.apps-crc.testing/v3", 'regionFour'),
        ]
        DEFAULT_SERVICE_REGIONS = {
            '*': 'regionThree',
            OPENSTACK_KEYSTONE_URL: 'regionFour',
        }

Pin
 

 Collapse comment: Dave Wilde added a comment - 2025/11/19 9:53 AM

dwilde@redhat.com added a comment - 2025/11/19 9:53 AM
Thanks Owen and Radomir,

We don't have a system to test this with at the moment.  I can get jagee@redhat.com to try to set something up when he's back in the office. These settings look promising to me, tadianto@redhat.com are we able to test these updates in the Cu environment?

Thanks,

/Dave
Edit DeletePin
 

 Collapse comment: Owen McGonagle added a comment - 2025/11/19 12:40 PM - Restricted to Red Hat Employee, Edited by Owen McGonagle - 2025/11/19 12:42 PM

omcgonag@redhat.com added a comment  2025/11/19 12:40 PM  Restricted to Red Hat Employee - edited
Looking around a bit more, you may need to set these variables also

WEBSSO_ENABLED = True
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = True

OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
    ('domain1', 'AD Domain 1'),
    ('domain2', 'AD Domain 2'),
)

Same with a customServiceConfig update

horizon:
    template:
      customServiceConfig: |
        OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
        OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = True
        OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
            ('domain1', 'AD Domain 1'),
            ('domain2', 'AD Domain 2'),
        )

Pin
 

 Collapse comment: Troy Adianto added a comment - 2025/11/19 11:52 PM - Restricted to Red Hat Employee

tadianto@redhat.com added a comment  2025/11/19 11:52 PM  Restricted to Red Hat Employee
Thanks Owen and Radomir for the feedback.

dwilde@redhat.com What kind of timeline we're looking at to be able to test confirm this configuration internally first? I would be much prefer that we don't do trial and error in customer environment as it will further impacting negatively the customer perception on our product maturity.
Pin
 

 Collapse comment: Jeremy Agee added a comment - 2025/11/20 8:46 AM

jagee@redhat.com added a comment - 2025/11/20 8:46 AM
Dave mentioned getting a internal test env up for a ldap backend for horizon testing. im going to deploy a ldap component job with horzon and set it to autohold so we can do some internal testing. ill post details when i have the system up for use.
Pin
 

 Collapse comment: Jeremy Agee added a comment - 2025/11/25 9:12 AM

jagee@redhat.com added a comment - 2025/11/25 9:12 AM
the testproject for internal testing is this one.

https://gitlab.cee.redhat.com/ci-framework/ci-framework-testproject/-/merge_requests/1740
Pin
 

 Collapse comment: Owen McGonagle added a comment - 2025/11/25 10:30 AM - Restricted to Red Hat Employee, Edited by Owen McGonagle - 2025/11/25 1:52 PM

omcgonag@redhat.com added a comment  2025/11/25 10:30 AM  Restricted to Red Hat Employee - edited
Hi tadianto@redhat.com

Could you share the changes you made to the Horizon configuration to support your WEBSSO++ settings?

We would like to examine how you configured Horizon.

Thanks,
Owen.
Pin
 

 Collapse comment: Jeremy Agee added a comment - 2025/11/25 5:34 PM

jagee@redhat.com added a comment - 2025/11/25 5:34 PM
There is a OSP18 test system on autohold for 5 days. Here is the info
https://sf.apps.int.gpc.ocp-hub.prod.psi.redhat.com/zuul/t/components-integration/build/e7871c3c0ccc490782b491d53f7b1e70/log/zuul-info/inventory.yaml

The rhos-jenkins private key will get you onto any system.
https://gitlab.cee.redhat.com/eng/openstack/rhos-qe-jenkins/-/blob/master/infra/slaves/ssh/id_rsa?ref_type=heads

to access horizon you can use:
sshuttle -r core@10.0.199.140 192.168.122.0/2

on your local system where shuttle is used you need the following in your /etc/hosts
192.168.122.10 api.crc.testing canary-openshift-ingress-canary.apps-crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing downloads-openshift-console.apps-crc.testing oauth-openshift.apps-crc.testing horizon-openstack.apps-crc.testing keystone-public-openstack.apps-crc.testing keycloak-openstack.apps-crc.testing

Connect vi browser to horizon-openstack.apps-crc.testing

The ldap users are in the REDHAT domain

export OS_USER_DOMAIN_NAME="REDHAT"
export OS_USERNAME=ipauser1
export OS_PASSWORD="nomoresecrets"

cli shows its working here.

[zuul@controller ci-framework-data]$ oc rsh openstackclient
sh-5.1$ ./get-token.sh ipauser1
gAAAAABpJjpRcDAnDGl5x8OAiScSxEefB_1OuwsntpsqaUwZVZdUe16i82LjB9xT4C8DGexKNu4qWCiSZi_bNbbOK93z651GJ7a9L7PZ4J4RRra6ZZuHMF0ZEcPVZuIe0wbQ5a5rJmsiAYXoV2OsNVybALJB-WucHoltUWex2E_Vy7t1o-NmgVffezHQG5GnNzgluENg58X8H78xGTLVVFwlNLc36Er95w

if someone of the ui team could assist in modifying horizon. we should need something like this to allow the default and redhat domains in the git. from there we can test the ipauser1 user on the redhat domain.

horizon:
    template:
      customServiceConfig: |
        OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
        OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = True
        OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
            ('Default', 'Default'),
            ('REDHAT', 'IPA ldap users'),
        )

Please note I will be on pto/holiday for the rest of this week.
Pin
 

 Collapse comment: Jeremy Agee added a comment - 2025/11/25 5:37 PM

jagee@redhat.com added a comment - 2025/11/25 5:37 PM
Also i would like to mention that i read a few comments regarding info on websso and openid. this is all federation info and this is a different type of external user access compared to a ldap user in keystone.
Pin
 

 Collapse comment: Troy Adianto added a comment - 2025/11/25 11:57 PM - Restricted to Red Hat Employee

tadianto@redhat.com added a comment  2025/11/25 11:57 PM  Restricted to Red Hat Employee
Hi Owen,

   We just use default horizon setup, so there is no specific configuration over there.

jagee@redhat.com Thanks for the testing, however the link is not accessible, am i supposed to be able to access it.

Troy
Pin
 

 Collapse comment: Radomir Dopieralski added a comment - 2025/11/26 3:07 AM, Edited by Radomir Dopieralski - 2025/11/26 3:08 AM

rhn-engineering-rdopiera added a comment  2025/11/26 3:07 AM  edited
jagee@redhat.com if there is no SSO or regions involved, then the configuration you are proposing should be sufficient.