2117179 – minor updates from <= OSP 16.1.6 causes Keystone LDAP connections to fail if old OSP13 configs at /etc/openldap are present

Bug 2117179 - minor updates from <= OSP 16.1.6 causes Keystone LDAP connections to fail if old OSP13 configs at /etc/openldap are present

Summary: minor updates from <= OSP 16.1.6 causes Keystone LDAP connections to fail if ...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	16.1 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Douglas Mendizábal
QA Contact:	Jeremy Agee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-08-10 09:09 UTC by alisci
Modified:	2023-01-03 18:07 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-01-03 18:07:04 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	OSP-18138	0	None	None	None	2022-08-10 09:15:46 UTC

Description alisci 2022-08-10 09:09:27 UTC

Description of problem:

minor updating from OSP 16.1.6 or less to OSP 16.1.7 or higher could cause Keystone LDAP connections to fail

it seems that starting from 16.1.7 keystone container it is mounting /etc/openldap RO at host. Stale and old OSP 13 config there could interfere with the keystone container to work

this scenario at controllers caused the issue:

grep TLS /etc/openldap/ldap.conf*
/etc/openldap/ldap.conf:TLS_CACERTDIR /etc/openldap/cacerts
/etc/openldap/ldap.conf.rpmnew:# by TLS_CACERTDIR one has to include them explicitly:
/etc/openldap/ldap.conf.rpmnew:#TLS_CACERT      /etc/pki/tls/cert.pem
/etc/openldap/ldap.conf.rpmnew:#TLS_CIPHER_SUITE PROFILE=SYSTEM

so TLS_CACERTDIR /etc/openldap/cacerts at ldap.conf was causing the issue

in this case overwriting /etc/openldap/ldap.conf by /etc/openldap/ldap.conf.rpmnew and restarting keystone container solved the issue

Version-Release number of selected component (if applicable):
rhosp-rhel8/openstack-keystone 16.1.6 container 

How reproducible:
check if you have old OSP 13 config files at /etc/openldap on controllers

Steps to Reproduce:
openstack user list --domain yourdomain

Actual results:
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-d83a5468-536d-4c11-9d15-4a8a94d73108)


Expected results:
complete without errors

Additional info:

Note You need to log in before you can comment on or make changes to this bug.