IBM Support

While creating a Common Services team, the OpenShift group and users are not created if the LDAP group still lists users that no longer exist in LDAP

Troubleshooting


Problem

An OpenShift user is created when you add an LDAP user to a team or when that LDAP user logs in to the IBM Cloud Pak console. When a user is removed on the LDAP server side, the LDAP group in the team is not updated.
Red Hat OpenShift groups and users are not created, and users cannot log in to the Cloud Pak console.
No process or thread in IAM updates the Red Hat OpenShift group. An OpenShift user or group is deleted only when that user or group is deleted from teams.
To resolve this issue, delete and re-add the LDAP group to the team to re-create the Red Hat OpenShift group with the latest members, and manually delete the stale Red Hat OpenShift user. To delete the user, use the command oc delete user <user_id>.

Symptom

  • Recreation steps (example):
    - The user tries to create a Common Services team and add an LDAP group to the team:
         LDAP group: cluster-admin-group
         Common Services team name: my-cluster-admin-team

    - The LDAP group has members, but some of those users no longer exist on the LDAP server side.
    - The Common Services team is created, but the corresponding OpenShift group and users are not created in OCP.
    - Users cannot log in to the Cloud Pak console.
    - The CS team is created, but when the LDAP user group name is selected, the corresponding users are not loaded.
  • The following is logged in the auth-idp pods:
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"User-Mgmt:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":30,"msg":"User-Mgmt:: Exiting /fetchLdapUserDetailsWithNewClient with error","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"catch: error: OperationalError: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again\n    at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)\n    ... 13 lines matching cause stack trace ...\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {\n  cause: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again\n      at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)\n      at CorkedEmitter.<anonymous> (/opt/ibm/identity-mgmt/util/usergroup-util.js:345:56)\n      at CorkedEmitter.emit (node:events:513:28)\n      at CorkedEmitter.emit (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n      at sendResult (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:1194:22)\n      at messageCallback (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:1220:18)\n      at Parser.onMessage (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:888:14)\n      at Parser.emit (node:events:513:28)\n      at Parser.write (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/messages/parser.js:107:8)\n      at Socket.onData (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:875:22)\n      at Socket.emit (node:events:513:28)\n      at addChunk (node:internal/streams/readable:324:12)\n      at readableAddChunk (node:internal/streams/readable:297:9)\n      at Readable.push (node:internal/streams/readable:234:10)\n      at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {\n    status: 400\n  },\n  isOperational: true,\n  status: 400\n}","time":"2023-04-19T10:39:08.706Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"usergroup:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.706Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":30,"msg":"usergroup:: Exiting /getUsers with error","time":"2023-04-19T10:39:08.706Z","v":0}
Unhandled error for request GET /usergroup/cip-cluster-admin-deve/getUsers: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again
    at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)
    at /opt/ibm/identity-mgmt/common/models/user-group.js:241:48
    at /opt/ibm/identity-mgmt/util/usergroup-util.js:456:32
    at tryCatcher (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:547:31)
    at Promise._settlePromise (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:604:18)
    at Promise._settlePromise0 (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:649:10)
    at Promise._settlePromises (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:725:18)
    at _drainQueueStep (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:93:12)
    at _drainQueue (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:86:9)
    at Async._drainQueues (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:102:5)
    at Async.drainQueues (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:15:14)
    at process.processImmediate (node:internal/timers:476:21)

Cause

Bug reported 58525 

Environment

The problem was reported for common services 3.19.10

Diagnosing The Problem

If you are unable to log in to the Cloud Pak console after adding LDAP groups to a team, review the auth-idp pod logs for the stack trace shown in the Symptom section.

Resolving The Problem

- Delete the non-existent users from the LDAP group.
- Delete and re-create the team in Common Services.
- Add the LDAP group again.
This fix will be included in a future Common Services fix pack.
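A check for the first resolution step, as an added example that is not part of the IBM technote: it lists the member DNs of the LDAP group and reports the ones the directory can no longer resolve, so they can be removed before the team is re-created. It assumes an OpenLDAP-style groupOfNames group with a member attribute and the ldapsearch client; the LDAP URI, bind DN, password file, base DN and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM technote. Finds members of an LDAP group
# whose user entries no longer exist in the directory: the condition that
# stops the OpenShift group and users from being created for a team.
# Assumes a groupOfNames group with a "member" attribute; connection
# parameters are placeholders to override from the environment.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"        # placeholder
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"       # placeholder
LDAP_PW_FILE="${LDAP_PW_FILE:-/etc/ldap/bind.pw}"      # placeholder
BASE_DN="${BASE_DN:-dc=example,dc=com}"                # placeholder

# Print the member DNs of group $1 (a plain cn value), one per line.
group_members() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$LDAP_PW_FILE" \
        -b "$BASE_DN" "(&(objectClass=groupOfNames)(cn=$1))" member |
        sed -n 's/^member: //p'
}

# Succeed only if an entry with DN $1 exists (base-scope search on the DN).
entry_exists() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$LDAP_PW_FILE" \
        -b "$1" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Pure comparison, kept separate so it can be exercised offline:
# $1 is the newline-separated member list, $2 the DNs that resolved.
# Prints every member DN that is missing from $2.
stale_members() {
    printf '%s\n' "$1" | while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf '%s\n' "$2" | grep -Fqx -- "$dn" || printf '%s\n' "$dn"
    done
}

# Live check against the directory for group $1.
check_group() {
    members=$(group_members "$1")
    existing=$(printf '%s\n' "$members" | while IFS= read -r dn; do
        [ -n "$dn" ] && entry_exists "$dn" && printf '%s\n' "$dn"
    done)
    stale_members "$members" "$existing"
}

# Usage: sh check-ldap-group.sh cluster-admin-group
# Each DN printed is a stale member to remove before re-adding the group.
if [ "$#" -ge 1 ]; then
    check_group "$1"
fi
```

Directories that store membership in uniqueMember or memberUid need the filter and the sed pattern adjusted accordingly.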

Document Location

Worldwide


Product Synonym

cloudpak

Document Information

Modified date:
30 May 2023

UID

ibm16989183