Description of problem:
A minor update from OSP 16.1.6 or lower to OSP 16.1.7 or higher can cause Keystone LDAP connections to fail.
Starting with 16.1.7, the keystone container mounts the host's /etc/openldap read-only. Stale OSP 13 configuration left in that directory can therefore interfere with the keystone container.
The following situation on the controllers caused the issue:
grep TLS /etc/openldap/ldap.conf*
/etc/openldap/ldap.conf:TLS_CACERTDIR /etc/openldap/cacerts
/etc/openldap/ldap.conf.rpmnew:# by TLS_CACERTDIR one has to include them explicitly:
/etc/openldap/ldap.conf.rpmnew:#TLS_CACERT /etc/pki/tls/cert.pem
/etc/openldap/ldap.conf.rpmnew:#TLS_CIPHER_SUITE PROFILE=SYSTEM
So the TLS_CACERTDIR /etc/openldap/cacerts line in ldap.conf was causing the issue.
In this case, overwriting /etc/openldap/ldap.conf with /etc/openldap/ldap.conf.rpmnew and restarting the keystone container solved the issue.
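The following is an added check, not part of this report, that flags the condition described above on a controller host: an active (uncommented) TLS_CACERTDIR directive in /etc/openldap/ldap.conf, plus a packaged .rpmnew sitting beside it. File paths default to those cited above; the sample files at the bottom are constructed from the grep output in the report so the check can be run offline.

```shell
#!/bin/sh
# Added example, not from the bug report: detect a stale OSP 13 ldap.conf
# on a controller host. Paths default to the ones cited in the report.

# Print the first active (uncommented) TLS_CACERTDIR value in $1, if any.
active_cacertdir() {
    sed -n 's/^[[:space:]]*TLS_CACERTDIR[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1
}

# Return 0 when $1 (default /etc/openldap/ldap.conf) carries an active
# TLS_CACERTDIR, i.e. the setting that broke the keystone container;
# return 1 when the file is clean or unreadable.
check_ldap_conf() {
    conf="${1:-/etc/openldap/ldap.conf}"
    if [ ! -r "$conf" ]; then
        echo "SKIP: $conf is not readable"
        return 1
    fi
    dir=$(active_cacertdir "$conf")
    if [ -n "$dir" ]; then
        echo "STALE: $conf sets TLS_CACERTDIR $dir (left over from OSP 13?)"
        if [ -f "$conf.rpmnew" ]; then
            echo "       $conf.rpmnew exists; diff it against $conf before replacing"
        fi
        return 0
    fi
    echo "OK: $conf has no active TLS_CACERTDIR"
    return 1
}

# Constructed sample files mirroring the grep output from the report (not
# real controller files), used to exercise the check offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'TLS_CACERTDIR /etc/openldap/cacerts\n' > "$SAMPLE_DIR/ldap.conf"
printf '# by TLS_CACERTDIR one has to include them explicitly:\n#TLS_CACERT /etc/pki/tls/cert.pem\n#TLS_CIPHER_SUITE PROFILE=SYSTEM\n' > "$SAMPLE_DIR/ldap.conf.rpmnew"

# On a real controller, run check_ldap_conf with no argument instead.
for f in "$SAMPLE_DIR/ldap.conf" "$SAMPLE_DIR/ldap.conf.rpmnew"; do
    check_ldap_conf "$f" || :
done
```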
Version-Release number of selected component (if applicable):
rhosp-rhel8/openstack-keystone 16.1.6 container
How reproducible:
Check whether old OSP 13 config files are still present in /etc/openldap on the controllers.
Steps to Reproduce:
openstack user list --domain yourdomain
Actual results:
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-d83a5468-536d-4c11-9d15-4a8a94d73108)
Expected results:
The command completes without errors.
Additional info: