From: Jacob Liberman Date: Thu, 1 Jun 2017 14:33:21 +0000 (-0500) Subject: Add conditional for setting authlogin_nsswitch_use_ldap selboolean X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=7ea37eaadc8f6daf5524c20cb6dfa7ee525c966f;p=apex-puppet-tripleo.git Add conditional for setting authlogin_nsswitch_use_ldap selboolean If selinux is enabled the authlogin_nsswitch_use_ldap Boolean must be enabled. This setting allows LDAP communications to the confined LDAP/server port. This change includes a conditional for enabling this Boolean only when selinux is in use. Change-Id: If985f2434d28fcd33198929bf61f2a3a82e601fe Closes-Bug: #1695002 (cherry picked from commit 90704a6017f7c539e3c1fed038ed247763619380)
---
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 9aa3eb3..87f6c7f 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -172,6 +172,12 @@ class tripleo::profile::base::keystone (
 if $ldap_backend_enable {
 validate_hash($ldap_backends_config)
+ if !str2bool($::selinux) {
+ selboolean { 'authlogin_nsswitch_use_ldap':
+ value => on,
+ persistent => true,
+ }
+ }
 create_resources('::keystone::ldap_backend', $ldap_backends_config, {
 create_domain_entry => $manage_domain,
 })
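Review bot: The added guard `if !str2bool($::selinux) {` is inverted relative to the commit description, which says the boolean should be enabled only when SELinux is in use. As written, the `selboolean` resource is declared only when the `selinux` fact is false, so hosts with SELinux enabled never get `authlogin_nsswitch_use_ldap` turned on and hosts without it are asked to manage a boolean that presumably cannot be set. The condition should read `if str2bool($::selinux) {`. Because `persistent => true` changes policy host-wide rather than for Keystone alone, a comment above the resource would help, e.g. `# Needed so confined services can reach LDAP via nsswitch when SELinux is enabled (keystone LDAP backends)`. The enclosing `if $ldap_backend_enable` block and the class body continue outside the hunk.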