OpenStack Identity (keystone)

Keystone LDAP jobs are failing with ldap_modify: No such object (32)

Bug #1939700 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Grzegorz Grasza

Bug Description

If you enable LDAP in a devstack deployment you get errors about ldap_modify failing.

Example local.conf:

enable_service ldap
LDAP_PASSWORD=ldap_password

Failure:

LDAP_PASSWORD is nomoresecret
+ lib/ldap:install_ldap:133 : local slappass
++ lib/ldap:install_ldap:134 : slappasswd -s nomoresecret
+ lib/ldap:install_ldap:134 : slappass='{SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO'
+ lib/ldap:install_ldap:135 : printf 'LDAP secret is {SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO\n'
LDAP secret is {SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO
+ lib/ldap:install_ldap:138 : _ldap_varsubst /opt/stack/devstack/files/ldap/manager.ldif.in '{SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO'
+ lib/ldap:_ldap_varsubst:55 : local infile=/opt/stack/devstack/files/ldap/manager.ldif.in
+ lib/ldap:_ldap_varsubst:56 : local 'slappass={SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO'
+ lib/ldap:_ldap_varsubst:57 : sed -e '
        s|${LDAP_OLCDB_NUMBER}|1|
        s|${SLAPPASS}|{SSHA}/osxUNAJm+sWLGkdQu2Y3n6uMqRlrIiO|
        s|${LDAP_ROOTPW_COMMAND}|replace|
        s|${BASE_DC}|openstack|
        s|${BASE_DN}|dc=openstack,dc=org|
        s|${MANAGER_DN}|cn=Manager,dc=openstack,dc=org|
    ' /opt/stack/devstack/files/ldap/manager.ldif.in
+ lib/ldap:install_ldap:139 : sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ldap.2825.9hlx71VbGB/manager.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: No such object (32)
 matched DN: cn=config
modifying entry "olcDatabase={1}hdb,cn=config"

+ lib/ldap:install_ldap:1 : exit_trap
+ ./stack.sh:exit_trap:507 : local r=32
++ ./stack.sh:exit_trap:508 : jobs -p
+ ./stack.sh:exit_trap:508 : jobs=
+ ./stack.sh:exit_trap:511 : [[ -n '' ]]
+ ./stack.sh:exit_trap:517 : '[' -f '' ']'
+ ./stack.sh:exit_trap:522 : kill_spinner
+ ./stack.sh:kill_spinner:417 : '[' '!' -z '' ']'
+ ./stack.sh:exit_trap:524 : [[ 32 -ne 0 ]]
+ ./stack.sh:exit_trap:525 : echo 'Error on exit'
Error on exit
+ ./stack.sh:exit_trap:527 : type -p generate-subunit
+ ./stack.sh:exit_trap:528 : generate-subunit 1628755633 252 fail
+ ./stack.sh:exit_trap:530 : [[ -z /opt/stack/logs ]]
+ ./stack.sh:exit_trap:533 : /usr/bin/python3.8 /opt/stack/devstack/tools/worlddump.py -d /opt/stack/logs
+ ./stack.sh:exit_trap:542 : exit 32

This is also affecting keystone LDAP domain-specific drivers job.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Setting this to CI since it impacts a CI job (even though it isn't voting).

Changed in keystone:
status: New → Triaged
importance: Undecided → High
Grzegorz Grasza (xek)
Changed in keystone:
assignee: nobody → Grzegorz Grasza (xek)
Revision history for this message
Grzegorz Grasza (xek) wrote :

The fix: https://review.opendev.org/c/openstack/devstack/+/804614

Radosław Piliszek (yoctozepto)
Changed in keystone:
status: Triaged → In Progress
Revision history for this message
David Wilde (dave-wilde) wrote :

The fix has merged, so I'm closing this out. Feel free to re-open if this is still an issue.

Changed in keystone:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.