Comment 0 for bug 2039870

Carmen Rata (crata) wrote :

Brief Description
-----------------

Not able to source openrc file for a wad user after admin password change and reset back to original password.

Severity
--------

Major

Steps to Reproduce
------------------

Add remote AD details using service parameter on the system:

system service-parameter-add identity ldap-domain1 domain_name=ad.domain.com
system service-parameter-add identity ldap-domain1 ldap_uri=ldaps://ad.domain.com
system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_search_base=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_default_bind_dn=CN=admin_user,CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_default_authtok=<authtoken>
system service-parameter-add identity ldap-domain1 ldap_user_search_base=CN=users,DC=ad,DC=domain,DC=com
system service-parameter-add identity ldap-domain1 ldap_group_search_base=CN=groups,DC=ad,DC=domain,DC=com
system service-parameter-apply identity --section ldap-domain1

Install AD cert on the system:

system certificate-install -m ssl_ca <ad.crt>

Log in as wad user

[sysadmin@controller-0 ~(keystone_admin)]$ ssh <email address hidden>@controller-0

Source openrc file

<email address hidden>@controller-0:~$ source /etc/platform/openrc
[<email address hidden>@controller-0 ~(keystone_admin)]$

Manually change admin password:

[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change1>' --original-password '<passwd_orig>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
KVLcix0*

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change2>' --original-password '<passwd_change1>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
Li70nux*

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_change3>' --original-password '<passwd_change2>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
Li71nux*

Reset back to original password.

[sysadmin@controller-0 ~(keystone_admin)]$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$ openstack user password set --os-region-name RegionOne --password '<passwd_orig>' --original-password '<passwd_change3>'
[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
Li69nux*

Expected Behavior
------------------

<email address hidden>@controller-0:~$ source /etc/platform/openrc
[<email address hidden>@controller-0 ~(keystone_admin)]$

Actual Behavior
----------------

<email address hidden>@controller-0:~$ source /etc/platform/openrc
Not enough privileges to read keyring password.
controller-0:~$

Reproducibility
---------------
Reproducible

System Configuration
--------------------

System Type: simplex

Last Pass
---------
New test.

Test Activity
-------------
Automated Run: Regression Testing