Description of problem: I am reporting this bug while still investigating it. I have not managed to reproduce it; it only occurs in the customer environment. The customer executes:

```shell
oc adm groups sync --sync-config=/etc/ldap/ldap-group-sync.yaml --confirm
oc adm groups prune --sync-config=/etc/ldap/ldap-group-sync.yaml --confirm
```

The first command syncs the groups and the second deletes ALL of them.

Version-Release number of selected component (if applicable): 4.5

How reproducible: only in the customer environment.

Checking the logs with --loglevel=8 we can see these messages:

```go
klog.V(1).Infof("LDAPGroupPruner will attempt to prune ldapGroupUIDs %v", ldapGroupUIDs)
klog.V(1).Infof("Checking LDAP group %v", ldapGroupUID)
```

But not this one for each group:

```go
klog.V(4).Infof("searching LDAP server with config %v with dn=%q and scope %v for %s requesting %v", clientConfig, query.BaseDN, query.Scope, query.Filter, query.Attributes)
```

I will attach the full logs as a private attachment. But the key part is here:

```
I0916 07:59:34.150165 20766 grouppruner.go:54] Checking LDAP group CN=xxxxxxxx,OU=yyyy,DC=example,DC=com
I0916 07:59:34.150259 20766 round_trippers.go:420] DELETE https://api.cluster.domain:6443/apis/user.openshift.io/v1/groups/xxxxxxxx
```

The same run in my env shows the LDAP search request:

```
I0831 10:50:52.703765 26878 grouppruner.go:53] LDAPGroupPruner will attempt to prune ldapGroupUIDs [cn=bz_redhat,ou=servicegroups,dc=redhat,dc=com]
I0831 10:50:52.703781 26878 grouppruner.go:56] Checking LDAP group cn=bz_redhat,ou=servicegroups,dc=redhat,dc=com
I0831 10:50:52.746416 26878 query.go:232] searching LDAP server with config {Scheme: ldaps Host: ldap.corp.redhat.com:636 BindDN: uid=gparente,ou=users,dc=redhat,dc=com len(BbindPassword): 9 Insecure: false} with dn="cn=bz_redhat,ou=servicegroups,dc=redhat,dc=com" and scope 0 for (objectClass=*) requesting [cn dn uniqueMember]
```

Checking the code:

```go
for _, ldapGroupUID := range ldapGroupUIDs {
	klog.V(1).Infof("Checking LDAP group %v", ldapGroupUID)
	exists, err := s.GroupDetector.Exists(ldapGroupUID)
	if err != nil {
		fmt.Fprintf(s.Err, "Error determining LDAP group existence for group %q: %v.\n", ldapGroupUID, err)
		errors = append(errors, err)
		continue
	}
	if exists {
		continue
	}

	// if the LDAP entry that was previously used to create the group doesn't exist, prune it
	groupName, err := s.GroupNameMapper.GroupNameFor(ldapGroupUID)
	if err != nil {
		fmt.Fprintf(s.Err, "Error determining OpenShift group name for LDAP group %q: %v.\n", ldapGroupUID, err)
		errors = append(errors, err)
		continue
	}

	if !s.DryRun {
		if err := s.GroupClient.Delete(groupName, nil); err != nil {
			fmt.Fprintf(s.Err, "Error pruning OpenShift group %q: %v.\n", groupName, err)
			errors = append(errors, err)
			continue
		}
	}
	fmt.Fprintf(s.Out, "group/%s\n", groupName)
}
```

I don't see any of the error messages I should see if there were a problem with the existence check. I would appreciate some help to debug this issue further. I am still working to find the root cause. Thanks.
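As an added example (not code from the oc repository or from the reporter), the quoted prune loop re-implemented with a constructed detector that behaves the way the customer logs suggest (reports every group missing, returns no error, never searches), plus a guard that refuses to delete anything in that situation. The GroupDetector name comes from the snippet above; its signature, noSearchDetector, mapDetector, ErrAllMissing and prune are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// GroupDetector mirrors the existence check the quoted loop relies on (name from
// the report's snippet; the exact signature is an assumption).
type GroupDetector interface {
	Exists(ldapGroupUID string) (bool, error)
}

// noSearchDetector is a constructed stand-in for what the customer logs show:
// "missing" for every group, no error, and no LDAP search ever issued.
type noSearchDetector struct{}
func (noSearchDetector) Exists(string) (bool, error) { return false, nil }

// mapDetector is a constructed in-memory directory standing in for a healthy lookup.
type mapDetector map[string]bool
func (m mapDetector) Exists(uid string) (bool, error) { return m[uid], nil }

// ErrAllMissing: every group missing is far more likely a broken lookup than a mass deletion.
var ErrAllMissing = errors.New("every LDAP group reported missing; refusing to prune")

// prune follows the quoted loop but adds a sanity gate before any deletion.
// It returns the groups it deleted (or would delete when dryRun is set).
func prune(det GroupDetector, uids []string, dryRun bool, del func(string) error) ([]string, error) {
	var missing []string
	for _, uid := range uids {
		exists, err := det.Exists(uid)
		if err != nil {
			return nil, fmt.Errorf("determining existence of %q: %w", uid, err)
		}
		if !exists {
			missing = append(missing, uid)
		}
	}
	if len(uids) > 0 && len(missing) == len(uids) {
		return nil, ErrAllMissing
	}
	if !dryRun {
		for _, uid := range missing {
			if err := del(uid); err != nil {
				return nil, fmt.Errorf("pruning %q: %w", uid, err)
			}
		}
	}
	return missing, nil
}
```

With the noSearchDetector the gate fires and no delete is issued, whereas the loop as quoted in the report would have deleted every group without printing a single error.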
I'm going to have to move this to the `oc` component to ever get this addressed, I'm afraid.
I'm adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Awaiting more debug information...
@maszulik are you able to provide a status update please? did this make it into a sprint yet? I'm asking in relation to case 02727947. Thanks!
Pushing this over to 4.8 since 4.7 is closed.
Arda, see if we can safely bump go-ldap (the linked PR has already merged), and sync with Standa on how to properly test this setup to ensure we don't regress.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399