Bug 1862448

Summary: OSP13: Getting error "ID attribute objectGUID not found in LDAP object" when listing user/group.
Product: Red Hat OpenStack
Reporter: Shravan Kumar Tiwari <shtiwari>
Component: openstack-keystone
Assignee: Lance Bragstad <lbragsta>
Status: CLOSED ERRATA
QA Contact: Nathan Weinberg <nweinber>
Severity: urgent
Docs Contact:
Priority: high
Version: 13.0 (Queens)
CC: alee, elicohen, hrybacki, nweinber, oblaut
Target Milestone: z15
Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-keystone-13.0.4-6.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1908413
Environment:
Last Closed: 2021-03-18 13:08:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1908413
Attachments:
  ldap-pacp (flags: none)

Description Shravan Kumar Tiwari 2020-07-31 13:11:41 UTC
Created attachment 1703101: ldap-pacp

Description of problem:
The customer is trying to add LDAP authentication to a director-deployed OSP13 cluster following https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/integrate_with_identity_service

Deployment worked fine, but the moment you try to list the users or groups of the new LDAP domain, it does not work and you get the following error:
(oscar08) [stack@oscar08dir001 templates]$ o user list --domain tripleoldap
ID attribute objectGUID not found in LDAP object CN=id094671,OU=PER,OU=People,OU=BELGACOM,DC=BGC,DC=NET (HTTP 404) (Request-ID: req-1b33a2bb-57e6-4c59-8c8e-0beebde5c927)

Version-Release number of selected component (if applicable):
RHOSP13z12
RHEL7.8

How reproducible:
Integrate with the identity service for an LDAP backend, with the following config among the other needed config:
user_id_attribute: objectGUID
group_id_attribute: objectGUID

The deployment and integration work fine and the config files are generated on the controllers, but when trying to get the user or group list, an error is displayed that objectGUID is not found in LDAP (the captured pcap file of the LDAP response shows that objectGUID is correctly returned in the response).

Steps to Reproduce:
1.
2.
3.

Actual results:
The customer is not able to get the list of users or groups from Active Directory if user_id_attribute and group_id_attribute are set to objectGUID.

Expected results:
The customer should be able to get the list of users or groups from Active Directory if user_id_attribute and group_id_attribute are set to objectGUID.

Additional info:

A pcap file, 0010-LDAP_request.pacp, is attached for the LDAP request and response; it clearly shows that the LDAP query response returns the objectGUID attribute, so it seems that something goes wrong while parsing that value in OpenStack (did not find much information in the keystone or httpd container logs).


Workaround tried:

The customer made an attempt at changing user_id_attribute=objectGUID to user_id_attribute=cn; this works and you get back the list of users.
(oscar08) [stack@oscar08dir001 templates]$ o user list --domain tripleoldap
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 9210c244ab5535bb57b7e911552a35ecb3a3207407baaded87f46425389cdbb2 | id094671 |


Unfortunately, when you have a long CN as the id you will get the following issue:
(oscar08) [stack@oscar08dir001 templates]$ o group list --domain tripleoldap
String length exceeded. The length of string 'WKS PRD JAMS JOBS WKS VIEWERS
CNF:6055e926-cdb7-4962-a8d8-a2e42723ac6b' exceeds the limit of column local_id(CHAR(64)). (HTTP 400) (Request-ID: req-9ed64840-107f-4a0b-8c48-840b5c8d8c81)

Apparently the OpenStack database field is not big enough to store our group CNs.
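
The report describes two distinct failures: an ID attribute that the directory demonstrably returns but keystone reports as "not found", and a CN-based ID that overflows the CHAR(64) local_id column. The following Python is an added illustration written for this page; it is not keystone's code and not the reporter's. It assumes, as python-ldap does, that each entry's attributes arrive as a dict of byte-string lists, that Active Directory returns objectGUID as 16 raw bytes in Windows GUID (mixed-endian) byte order, and that the "not found" outcome is produced by a result-conversion step that drops any attribute whose bytes are not valid UTF-8 text (that mechanism is an assumption for the sake of the example, not a confirmed root cause). The helper names (`decode_attrs_utf8`, `resolve_id`, `check_local_id`) are hypothetical and all sample values are constructed.

```python
import uuid

# Constructed sample values (not taken from the customer's directory).
# python-ldap hands each entry's attributes over as a dict of byte-string
# lists; Active Directory returns objectGUID as 16 raw bytes in Windows GUID
# (mixed-endian) byte order.
SAMPLE_GUID_BYTES = bytes.fromhex('78563412bc9af0de123456789abcdef0')
SAMPLE_ENTRY = {
    'cn': [b'id094671'],
    'objectGUID': [SAMPLE_GUID_BYTES],
}
# Constructed long group CN, in the same style as the one in the report.
LONG_CN = 'EXAMPLE LONG GROUP NAME WITH SUFFIX CNF:00000000-0000-0000-0000-000000000000'
LOCAL_ID_LIMIT = 64  # CHAR(64) limit of the local_id column quoted in the report


def decode_attrs_utf8(attrs):
    """Assumed failure mode (hypothetical, not keystone's code): a conversion
    step that decodes every attribute value as UTF-8 text and silently drops
    any attribute whose bytes are not valid UTF-8. A 16-byte GUID almost never
    is, so the ID attribute disappears before the ID lookup ever runs."""
    decoded, dropped = {}, []
    for name, values in attrs.items():
        try:
            decoded[name] = [v.decode('utf-8') for v in values]
        except UnicodeDecodeError:
            dropped.append(name)
    return decoded, dropped


def guid_bytes_to_str(raw):
    """Canonical text form of an AD objectGUID; bytes_le applies the Windows
    GUID field ordering so the result matches what AD tooling displays."""
    if len(raw) != 16:
        raise ValueError('objectGUID must be exactly 16 bytes, got %d' % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def resolve_id(attrs, id_attr):
    """Binary-aware ID resolution (hypothetical helper): match the attribute
    name case-insensitively, turn objectGUID into its text form, and decode
    anything else as UTF-8. Raises KeyError with the report's wording when
    the attribute is genuinely absent."""
    for name, values in attrs.items():
        if name.lower() == id_attr.lower():
            raw = values[0]
            if name.lower() == 'objectguid':
                return guid_bytes_to_str(raw)
            return raw.decode('utf-8')
    raise KeyError('ID attribute %s not found in LDAP object' % id_attr)


def check_local_id(value, limit=LOCAL_ID_LIMIT):
    """(fits, length) for a candidate local_id against the CHAR(64) column."""
    return len(value) <= limit, len(value)


if __name__ == '__main__':
    decoded, dropped = decode_attrs_utf8(SAMPLE_ENTRY)
    print('dropped by naive UTF-8 conversion:', dropped)  # ['objectGUID']
    print('resolved objectGUID:', resolve_id(SAMPLE_ENTRY, 'objectGUID'))
    print('objectGUID as local_id:', check_local_id(resolve_id(SAMPLE_ENTRY, 'objectGUID')))
    print('long CN as local_id:', check_local_id(LONG_CN))
```

Run as-is it shows both sides of the report: the naive conversion loses objectGUID (so a lookup by that name fails even though the directory returned it), while converting the 16 bytes to a 36-character GUID string yields an ID that is stable across renames and well under the 64-character column limit, which the long CN exceeds.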

Comment 28 errata-xmlrpc 2021-03-18 13:08:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 13.0 bug fix and enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0932