Bug 2049989

Summary: [OSP16.1] Empty ldap database in /etc/openldap/certs makes 'openstack user list' fail (when integrated with LDAP).
Product: Red Hat OpenStack
Reporter: ggrimaux
Component: openstack-tripleo-heat-templates
Assignee: Grzegorz Grasza <ggrasza>
Status: CLOSED ERRATA
QA Contact: Joe H. Rahme <jhakimra>
Severity: low
Priority: low
Version: 16.1 (Train)
CC: dwilde, ggrasza, jschluet, mburns, tkajinam
Target Milestone: ga
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20221124130331.feca772.el9ost
Doc Type: If docs needed, set a value
Last Closed: 2023-01-25 12:28:47 UTC
Type: Bug

Description ggrimaux 2022-02-03 00:34:30 UTC
Description of problem:
Client couldn't do:
(overcloud) [stack@undercloud tasks]$ openstack user list --domain domain.tld
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f818366a-e606-4225-a489-8b0e3bd8ccf1)
(overcloud) [stack@undercloud tasks]$ openstack user show test01  --domain domain.tld
get() takes 1 positional argument but 2 were given

An empty CA database was found in /etc/openldap/certs on the controller nodes.
We don't know who/what/when this was created.

Once the dir was moved to /etc/openldap/certs.bak, everything started working correctly.

This patch could detect and prevent this from happening:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/827573

Version-Release number of selected component (if applicable):
OSP16.1

How reproducible:
100%

Steps to Reproduce:
1. have an empty CA database in /etc/openldap/certs.
2. ldapsearch command doesn't work

Actual results:
keystone integrated with LDAP stops working

Expected results:
keystone works fine.

Additional info:
Some output in next private comment

Comment 16 errata-xmlrpc 2023-01-25 12:28:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0271