Created attachment 1703101
ldap-pacp

Description of problem:
Customer is trying to add LDAP authentication to a director-deployed OSP13 cluster following https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/integrate_with_identity_service

Deployment worked fine, but the moment you try to list the users or groups of the new LDAP domain, it's not working and you get the following error:

(oscar08) [stack@oscar08dir001 templates]$ o user list --domain tripleoldap
ID attribute objectGUID not found in LDAP object CN=id094671,OU=PER,OU=People,OU=BELGACOM,DC=BGC,DC=NET (HTTP 404) (Request-ID: req-1b33a2bb-57e6-4c59-8c8e-0beebde5c927)

Version-Release number of selected component (if applicable):
RHOSP13z12
RHEL7.8

How reproducible:
Integrate with identity service for an LDAP backend, having the following config among other needed config:

user_id_attribute: objectGUID
group_id_attribute: objectGUID

The deployment and integration work fine and config files are generated on the controllers, but when trying to get the user or group list, an error is displayed that objectGUID is not found in LDAP (the captured pcap file for the LDAP response shows that objectGUID is correctly returned in the response).

Steps to Reproduce:
1.
2.
3.

Actual results:
Customer is not able to get the list of users or groups from Active Directory if user_id_attribute and group_id_attribute are set to objectGUID.

Expected results:
Customer should be able to get the list of users or groups from Active Directory if user_id_attribute and group_id_attribute are set to objectGUID.

Additional info:
The pcap file 0010-LDAP_request.pacp is attached for the LDAP request and response; it clearly shows that the LDAP query response returns the objectGUID attribute, so it seems that something goes wrong while parsing that value in OpenStack (did not find much information in the keystone or httpd container logs).
Workaround tried:
Customer made an attempt at changing user_id_attribute=objectGUID to user_id_attribute=cn; this works and you get back the list of users.

(oscar08) [stack@oscar08dir001 templates]$ o user list --domain tripleoldap
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 9210c244ab5535bb57b7e911552a35ecb3a3207407baaded87f46425389cdbb2 | id094671 |

Unfortunately, when you have a long CN as id you will get the following issue:

(oscar08) [stack@oscar08dir001 templates]$ o group list --domain tripleoldap
String length exceeded. The length of string 'WKS PRD JAMS JOBS WKS VIEWERS CNF:6055e926-cdb7-4962-a8d8-a2e42723ac6b' exceeds the limit of column local_id(CHAR(64)). (HTTP 400) (Request-ID: req-9ed64840-107f-4a0b-8c48-840b5c8d8c81)

Apparently the OpenStack database field is not big enough to store our group CNs.
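Added illustration of the two constraints the comments above run into, written as standalone Python and not taken from keystone or from the reporter; it does not claim to reproduce the bug's root cause. The entries are constructed in the dict-of-lists-of-bytes shape python-ldap returns, the GUID bytes are made up, and the 64-character limit comes from the CHAR(64) local_id column named in the error. Active Directory's objectGUID is a 16-byte binary value in mixed-endian layout, so it has to be decoded with `uuid.UUID(bytes_le=...)` rather than treated as text like cn; LDAP attribute names are matched case-insensitively.

```python
import uuid

# Limit quoted in the error message above: keystone's local_id column is CHAR(64).
LOCAL_ID_MAX_LEN = 64

# Constructed sample entries (python-ldap style: attribute -> list of raw bytes).
# The objectGUID bytes are invented for the example.
SAMPLE_USER = {
    "cn": [b"id094671"],
    "objectGUID": [bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")],
}
SAMPLE_GROUP = {
    "cn": [b"WKS PRD JAMS JOBS WKS VIEWERS CNF:6055e926-cdb7-4962-a8d8-a2e42723ac6b"],
    "objectGUID": [bytes.fromhex("0011223344556677889900aabbccddee")],
}


def lookup_attr(entry, name):
    """Return the value list for an attribute, matching the name case-insensitively
    (LDAP attribute descriptions are case-insensitive, RFC 4512)."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted:
            return values
    raise KeyError(f"ID attribute {name} not found in LDAP object")


def decode_id_value(name, raw):
    """Turn one raw attribute value into the text form used as a local id.

    objectGUID is 16 binary bytes with the first three fields little-endian;
    bytes_le gives the same canonical text AD tooling displays. Every other
    attribute is treated as a UTF-8 string."""
    if name.lower() == "objectguid":
        if len(raw) != 16:
            raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
        return str(uuid.UUID(bytes_le=raw))
    return raw.decode("utf-8")


def local_id_for(entry, id_attribute):
    """Local id string for an entry given the configured *_id_attribute."""
    raw = lookup_attr(entry, id_attribute)[0]
    return decode_id_value(id_attribute, raw)


def check_local_id(local_id):
    """True when the id fits the CHAR(64) local_id column, False otherwise."""
    return len(local_id) <= LOCAL_ID_MAX_LEN


if __name__ == "__main__":
    for label, entry in (("user", SAMPLE_USER), ("group", SAMPLE_GROUP)):
        for attr in ("objectGUID", "cn"):
            value = local_id_for(entry, attr)
            status = "ok" if check_local_id(value) else "too long for local_id"
            print(f"{label} {attr}: {value!r} ({len(value)} chars, {status})")
```

Run stand-alone it shows that a decoded objectGUID is always 36 characters and fits, while the constructed group's cn (70 characters) is rejected by the same length check that produced the HTTP 400 above.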
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 13.0 bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0932