On Thu, 22 Apr 2021, Peter Tselios via FreeIPA-users wrote:
We use the FreeIPA servers as the authentication source for OpenStack
Keystone.
However, after the migration of our FreeIPA from CentOS 7 to CentOS 8, OpenStack users
cannot log in.
IPA logs from the OpenStack queries where I detected the different answer:
CentOS 7
op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2
filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))"
attrs="cn description"
op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612
op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0
filter="(objectClass=posixGroup)" attrs="memberUid"
op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091
CentOS 8
op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2
filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))"
attrs="cn description"
op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334
op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid"
op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799
Notice that in CentOS 8 we have nentries=0.
To reproduce the problem there is no need for Keystone or OpenStack, as it's reproducible
with a simple ldapsearch:
CentOS 7
$ LDAPBASE="dc=example,dc=com"
$ ldapsearch -v -H ldaps://localhost:636 \
    -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W \
    -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" \
    "(objectClass=posixGroup)" memberUid
CentOS 8
$ LDAPBASE="dc=test,dc=example,dc=com"
$ ldapsearch -v -H ldaps://localhost:636 \
    -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W \
    -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" \
    "(objectClass=posixGroup)" memberUid
If using the "-s sub" scope in CentOS 8, we can see the group object, which makes me think
that the "compat" branch is there and that it's just a problem with the searching of the
object.
Is there any possibility to fix this, or should we stick with CentOS 7?
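The comparison Peter makes by eye above (pairing each SRCH with its RESULT and spotting nentries=0 on the base-scope lookup under cn=compat) can be automated over the 389-ds access log. The following is an added example, not code from either message or from FreeIPA/389-ds: it parses constructed access-log lines modelled on the excerpt (with a conn= id added, as real access logs carry, so that op numbers can be paired per connection), pairs SRCH and RESULT by (conn, op), and reports base-scope searches in the compat tree that completed successfully but returned zero entries. The sample lines, the timestamps and the conn id are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the CentOS 7 excerpt in the post.
# A BIND/RESULT pair is included to show that RESULT lines belonging to
# non-search operations are ignored even though they carry nentries=0.
CENTOS7_LOG = """\
[22/Apr/2021:10:00:00 +0300] conn=12 op=0 BIND dn="uid=appusers,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[22/Apr/2021:10:00:00 +0300] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000500000
[22/Apr/2021:10:00:00 +0300] conn=12 op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"
[22/Apr/2021:10:00:00 +0300] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612
[22/Apr/2021:10:00:00 +0300] conn=12 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid"
[22/Apr/2021:10:00:00 +0300] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091
"""

# Constructed sample lines modelled on the CentOS 8 excerpt (note nentries=0 on op=5).
CENTOS8_LOG = """\
[22/Apr/2021:10:05:00 +0300] conn=31 op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description"
[22/Apr/2021:10:05:00 +0300] conn=31 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334
[22/Apr/2021:10:05:00 +0300] conn=31 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid"
[22/Apr/2021:10:05:00 +0300] conn=31 op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) .*?nentries=(?P<n>\d+)')

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}


@dataclass
class Search:
    conn: str
    op: str
    base: str
    scope: int
    filt: str
    err: Optional[int] = None       # filled in from the matching RESULT line
    nentries: Optional[int] = None


def parse_searches(log_text: str) -> List[Search]:
    """Pair every SRCH line with its RESULT line by (conn, op) and return the completed searches."""
    pending: Dict[Tuple[str, str], Search] = {}
    completed: List[Search] = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            s = Search(m["conn"], m["op"], m["base"], int(m["scope"]), m["filter"])
            pending[(s.conn, s.op)] = s
            continue
        m = RESULT_RE.search(line)
        if m:
            s = pending.pop((m["conn"], m["op"]), None)
            if s is None:
                continue            # RESULT of a BIND/UNBIND/etc., not a search
            s.err = int(m["err"])
            s.nentries = int(m["n"])
            completed.append(s)
    return completed


def in_compat_tree(dn: str) -> bool:
    """True if the DN has an RDN equal to cn=compat (case-insensitive, whitespace-tolerant)."""
    return any(rdn.strip().lower() == "cn=compat" for rdn in dn.split(","))


def empty_compat_lookups(log_text: str) -> List[Search]:
    """Base-scope searches under cn=compat that succeeded (err=0) but returned nothing.

    A base-scope search of a DN that returns zero entries with err=0 means the
    server answered "that entry does not exist for you", which is exactly the
    symptom in the CentOS 8 excerpt.
    """
    return [s for s in parse_searches(log_text)
            if in_compat_tree(s.base) and s.scope == 0 and s.err == 0 and s.nentries == 0]


def report(log_text: str, label: str) -> List[str]:
    """Human-readable summary lines, one per completed search."""
    lines = []
    for s in parse_searches(log_text):
        flag = "  <-- empty base lookup" if (s.scope == 0 and s.nentries == 0) else ""
        lines.append(f"{label} conn={s.conn} op={s.op} scope={SCOPE_NAMES[s.scope]} "
                     f"nentries={s.nentries} base={s.base}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(CENTOS7_LOG, "centos7") + report(CENTOS8_LOG, "centos8"):
        print(line)
    for s in empty_compat_lookups(CENTOS8_LOG):
        print(f"suspicious: {s.base} ({s.filt}) returned nothing")
```

Running it over a real access log (the part after the timestamp prefix is what the regexes match) lists every completed search and flags base-scope lookups in the compat tree that came back empty; in the constructed data only the CentOS 8 op=5 line is flagged, matching the observation in the post.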
There should be no difference in the slapi-nis code with regards to this
type of search. In other words, the behavior should be the same for both
RHEL 7 and RHEL 8 deployments. It may be a difference at the 389-ds level...
Why do you use the compat tree?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland