VIO LDAP users can no longer login after upgrade


Article ID: 321857


Products

VMware Integrated OpenStack

Issue/Introduction

Symptoms:
  • Upgrade from VIO 5.1 to VIO 6.x.
  • Upgrade from VIO 5.1 to VIO 7.x.
  • LDAP users are no longer able to log in.


Environment

VMware Integrated OpenStack 5.x
VMware Integrated OpenStack 7.x
VMware Integrated OpenStack 6.x

Cause

Prior to VMware Integrated OpenStack 6.x, the keystone community code used the same short user ID in the nonlocal_user table and the assignment table. After an upgrade to VIO 6.x, the community code uses a long random user ID, so the upgraded data with the short user_id in the assignment table no longer works, and the users need to be reassigned their roles.

Resolution

This is a known issue affecting VIO 6.x.
This is a known issue affecting VIO 7.x.

Workaround:
Note: This procedure modifies the database. Take a backup of the database before proceeding.
  1. Clean the nonlocal_user table after the upgrade.
    1. Access the database container:
       osctl exec -it mariadb-server-0 bash
    2. Access mysql:
       mysql --defaults-file=/etc/mysql/admin_user.cnf --host=localhost --connect-timeout 2
    3. Delete the entries from the nonlocal_user table:
       use keystone;
       delete from nonlocal_user;
  2. Log in to Horizon with the admin user in the local domain.
  3. Set the default domain as the domain context:
     Identity > Domains > Select Domain > Set Domain Context
  4. Add users to the domain with the expected role:
     Manage Members > Click Edit member of domain
  5. Add users to the project with the expected role:
     Identity > Projects > Manage Members
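Because the pre-upgrade rows in nonlocal_user and assignment share the same short user ID (see Cause), the two tables can be joined before the DELETE in step 1 to record which LDAP user held which role, for use in steps 4 and 5. The following read-only query is an added example, not part of the original article; the table and column names come from the upstream keystone schema and are assumed to match the VIO deployment.

```sql
-- Added example (not from the original article). Read-only: run it in the
-- mysql session opened in step 1, BEFORE "delete from nonlocal_user;".
-- Assumption: the tables and columns below follow the upstream keystone
-- schema (assignment, nonlocal_user, role, project).
USE keystone;

SELECT n.name                        AS ldap_user,
       n.domain_id                   AS user_domain_id,
       a.type                        AS assignment_type,  -- UserProject or UserDomain
       COALESCE(p.name, a.target_id) AS target_name,      -- project or domain name
       r.name                        AS role_name,
       a.inherited
FROM assignment AS a
-- Pre-upgrade data: assignment.actor_id holds the same short id as
-- nonlocal_user.user_id, so this join recovers the LDAP user name.
JOIN nonlocal_user AS n ON n.user_id = a.actor_id
LEFT JOIN role    AS r ON r.id = a.role_id
-- Upstream keystone stores domains in the project table (is_domain = 1),
-- so one join resolves both project and domain targets.
LEFT JOIN project AS p ON p.id = a.target_id
WHERE a.type IN ('UserProject', 'UserDomain')   -- skip group assignments
ORDER BY ldap_user, target_name, role_name;
```

Keep the output with the database backup; once the nonlocal_user rows are deleted, the short IDs left in the assignment table can no longer be resolved to user names from this table.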


Additional Information

Impact/Risks:
Note: This procedure modifies the database. Take a backup of the database before proceeding.