On Debian DX system openldap instance on controller-0 syncrepl on insecure port with peer

Bug #1989725 reported by Andy
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Andy

Bug Description

Brief Description
-----------------
On a Debian DX system, openldap instance on controller-0 replicates with peer on insecure port.

Severity
--------
Minor (but when openldap insecure port is disabled, openldap on controller-0 will stop sync replication with controller-1).

Steps to Reproduce
------------------
Deploy a Debian based DX system, check controller-0 openldap server syncrepl configuration by:
[root@controller-0 test(keystone_admin)]# grep -r provider /etc/ldap/schema/*
/etc/ldap/schema/cn=config/olcDatabase={1}mdb.ldif:olcSyncrepl: rid=000 provider=ldap://controller-1 bindmethod=simple timeout=

Expected Behavior
-----------------
The provider should be set to "provider=ldaps://controller-1".

Actual Behavior
---------------
The provider is set to "provider=ldap://controller-1".

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Debian DX system.

Branch/Pull Time/Commit
-----------------------
STX master

Last Pass
---------
This is from a new feature.

Timestamp/Logs
--------------
Refer to "Steps to Reproduce"

Test Activity
-------------
Developer Testing.

Workaround
----------
N/A

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/857891

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/857891
Committed: https://opendev.org/starlingx/stx-puppet/commit/126d9a197e0985f1ecfa9deac9e3874253b97ea5
Submitter: "Zuul (22348)"
Branch: master

commit 126d9a197e0985f1ecfa9deac9e3874253b97ea5
Author: Andy Ning <email address hidden>
Date: Thu Sep 15 09:21:10 2022 -0400

    Fix openldap syncrepl on insecure port with peer

    For a Debian based DX system, the openldap instance on controller-0
    currently sync replicates with peer on controller-1 on insecure
    port, while instance on controller-1 sync replicates with peer on
    controller-0 on secure port.

    This is because openldap syncrepl on controller-0 is configured
    during bootstrap where it takes the default provider_uri value
    (which has the insecure port) from controller hieradata. This change
    moved the default value from controller hieradata to ldap puppet
    params class, with different protocols for CentOS and Debian.

    Test Plan:
    PASS: DX system deployment
    PASS: Check syncrepl section in slapd.conf.backup, on each controller,
          it should contain:
          provider=ldaps://<controller>
          tls_cert="/etc/ldap/certs/openldap-cert.crt"
          tls_key="/etc/ldap/certs/openldap-cert.key"
          tls_cacert="/etc/ssl/certs/ca-certificates.crt"
          tls_reqsan=demand
    PASS: On one controller, add a new openldap user, and check the
          newly added user exists on the other controller by:
          ldapsearch -xH ldaps://<the other controller>
          -b 'ou=people,dc=cgcs,dc=local' '(objectclass=*)' |
          grep <the newly added user>
    PASS: After active controller swact, repeat TC #3 again.

    Closes-Bug: 1989725
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Iedb5ff0af78814b21be2ebc6fac2b809335d2a3c

Changed in starlingx:
status: In Progress → Fix Released
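The check that the bug's "Steps to Reproduce" and the commit's test plan describe by hand (grep the syncrepl provider out of cn=config and confirm it is ldaps:// with TLS options) can be scripted for both controllers. The POSIX shell audit below is an added example; it is not part of the bug report or of the stx-puppet change, and its function names are my own. It unfolds cn=config LDIF, extracts the provider= attribute, and flags ldap:// providers (unless starttls=critical is set), starttls=yes, and tls_reqcert=never/allow, which disable peer verification. The two LDIF files it writes are constructed samples modelled on the lines quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the StarlingX bug or the stx-puppet change:
# audit OpenLDAP syncrepl consumer config and flag replication over plaintext.
# Assumes POSIX sh; function names are my own; sample LDIF below is constructed.

# Print the value of "<key>=<value>" from a syncrepl line (surrounding quotes
# stripped); return 1 if the key is absent.
syncrepl_attr() {
    set -f                         # no pathname expansion while word-splitting
    for tok in $1; do
        case "$tok" in
            "$2="*)
                val=${tok#*=}; val=${val#\"}; val=${val%\"}
                set +f
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    set +f
    return 1
}

# Return 0 if the line replicates over an encrypted, verified channel;
# otherwise print the reason and return 1.
check_syncrepl_line() {
    provider=$(syncrepl_attr "$1" provider) || { echo "no provider= attribute"; return 1; }
    starttls=$(syncrepl_attr "$1" starttls) || starttls=no
    reqcert=$(syncrepl_attr "$1" tls_reqcert) || reqcert=
    case "$provider" in
        ldaps://*) ;;
        ldap://*)
            # StartTLS can protect ldap:// too, but only "critical" refuses to
            # carry on in plaintext when the upgrade fails.
            case "$starttls" in
                critical) ;;
                yes) echo "WEAK: $provider with starttls=yes falls back to plaintext"; return 1 ;;
                *)   echo "INSECURE: $provider replicates in plaintext"; return 1 ;;
            esac ;;
        *) echo "UNKNOWN scheme: $provider"; return 1 ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "WEAK: $provider with tls_reqcert=$reqcert skips peer verification"; return 1 ;;
    esac
    echo "OK: $provider"
}

# Check one unfolded line if it is a syncrepl directive (cn=config or slapd.conf).
audit_one() {
    case "$1" in
        olcSyncrepl:*|syncrepl\ *) ;;
        *) return 0 ;;
    esac
    msg=$(check_syncrepl_line "$1") && return 0
    echo "$2: $msg"
    return 1
}

# Scan a file; LDIF folds long values onto lines that start with one space, so
# unfold before checking. Returns the number of failing syncrepl lines.
audit_syncrepl_file() {
    bad=0
    cur=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ' '*) cur="$cur${line# }"; continue ;;
        esac
        audit_one "$cur" "$1" || bad=$((bad + 1))
        cur=$line
    done < "$1"
    audit_one "$cur" "$1" || bad=$((bad + 1))
    return "$bad"
}

# Constructed samples: $1 mirrors the bug (ldap://), $2 the expected post-fix
# line, folded across two LDIF lines the way slapd writes it.
write_samples() {
    cat > "$1" <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: rid=000 provider=ldap://controller-1 bindmethod=simple timeout=0
EOF
    cat > "$2" <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: rid=000 provider=ldaps://controller-1 bindmethod=simple
  timeout=0 tls_cert="/etc/ldap/certs/openldap-cert.crt" tls_reqsan=demand
EOF
}

# Usage on a controller (path taken from the bug report):
#   sh audit_syncrepl.sh '/etc/ldap/schema/cn=config/olcDatabase={1}mdb.ldif'
for f in "$@"; do audit_syncrepl_file "$f"; done
```

Run it against the cn=config LDIF on each controller after bootstrap and again after a swact; a non-zero exit means at least one syncrepl consumer still replicates over an unprotected or unverified channel, which is exactly the state that breaks once the insecure port is disabled.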
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.distcloud stx.security