Bug 2049989 - [OSP16.1] Empty ldap database in /etc/openldap/certs makes 'openstack user list' fail (when integrated with LDAP).
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ga
Target Release: 17.0
Assignee: Grzegorz Grasza
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-03 00:34 UTC by ggrimaux
Modified: 2023-01-25 12:29 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20221124130331.feca772.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-25 12:28:47 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 827573 0 None master: MERGED tripleo-heat-templates: Cleanup openldap certs database (Ia76b5ab2e319d66666f109aefe22fb83778b6f2d) 2022-12-07 20:00:02 UTC
OpenStack gerrit 862692 0 None stable/train: NEW tripleo-heat-templates: Cleanup openldap certs database (Ia76b5ab2e319d66666f109aefe22fb83778b6f2d) 2022-12-07 20:00:08 UTC
Red Hat Issue Tracker OSP-12451 0 None None None 2022-02-03 00:36:16 UTC
Red Hat Knowledge Base (Solution) 6699291 0 None None None 2022-02-03 00:58:03 UTC
Red Hat Product Errata RHBA-2023:0271 0 None None None 2023-01-25 12:29:38 UTC

Description ggrimaux 2022-02-03 00:34:30 UTC
Description of problem:
Client couldn't do:
(overcloud) [stack@undercloud tasks]$ openstack user list --domain domain.tld
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-f818366a-e606-4225-a489-8b0e3bd8ccf1)
(overcloud) [stack@undercloud tasks]$ openstack user show test01  --domain domain.tld
get() takes 1 positional argument but 2 were given

An empty CA database was found in /etc/openldap/certs on the controller nodes.
We don't know who/what/when this was created.

Once the dir was moved to /etc/openldap/certs.bak, everything started working correctly.

This patch could detect and prevent this from happening:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/827573

Version-Release number of selected component (if applicable):
OSP16.1

How reproducible:
100%

Steps to Reproduce:
1. Have an empty CA database in /etc/openldap/certs.
2. ldapsearch command doesn't work
3.

Actual results:
Keystone integrated with LDAP stops working

Expected results:
keystone works fine.

Additional info:
Some output in next private comment

Comment 16 errata-xmlrpc 2023-01-25 12:28:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0271

