Login fails with Error 500 when the LDAP bind password has expired or been changed.

Problem

When the LDAP server is configured in non-anonymous (authenticated bind) mode, logins fail with Error 500.

The file /var/log/keystone/keystone.log on the management node contains errors similar to the following:

ERROR keystone.server.flask.application ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': 'Password is expired.\n'}

ERROR keystone.server.flask.application [req-98348bc1-b47f-417b-ab1b-04eccd19ea0f - - - - -] Unable to authenticate against Identity backend - Invalid username or password: keystone.exception.LDAPInvalidCredentialsError: Unable to authenticate against Identity backend - Invalid username or password

Explanation

The password of the bind user (the account that Keystone uses to authenticate to the LDAP server, configured in the ldap section of /etc/keystone/domains/keystone.Default.conf) has either expired or been changed. Keystone can no longer bind to LDAP with the stored password, so every user login fails with LDAP result 49 (invalidCredentials). In the first log line above, the info field ('Password is expired.') identifies expiry as the cause; if the password was changed instead, the info field is typically empty or carries a server-specific message.
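The following script is an added example, not part of the original article or of the product's code; it parses keystone.log lines of the form quoted above, extracts the LDAP result dictionary that python-ldap embeds in the ldap.INVALID_CREDENTIALS error, and classifies the bind failure as an expired password, a changed/wrong password, or a non-bind error. It goes slightly beyond the page by also recognising the Active Directory "data 532" (password expired) and "data 773" (must change password) sub-codes that AD places in the info field. The sample log lines and their timestamp/PID prefix are constructed for the example.

```python
import ast
import re

# Regex for the LDAP error dict that python-ldap/keystone writes after
# "ldap.INVALID_CREDENTIALS:"; the dict is a Python repr, so it can be
# parsed safely with ast.literal_eval (no eval).
LDAP_ERR_RE = re.compile(r"ldap\.INVALID_CREDENTIALS:\s*(\{.*\})\s*$")

# LDAP result code for invalidCredentials (RFC 4511).
LDAP_INVALID_CREDENTIALS = 49

# Active Directory bind sub-codes found in the info field, e.g.
# "... AcceptSecurityContext error, data 532, v2580". Assumption: mapping
# reproduced from common AD documentation, not from the article.
AD_SUBCODES = {
    "532": "bind_password_expired",
    "773": "bind_password_must_change",
}


def classify_ldap_error(err):
    """Map a parsed LDAP error dict to a failure class."""
    if err.get("result") != LDAP_INVALID_CREDENTIALS:
        return "other_ldap_error"
    info = (err.get("info") or "").strip()
    if "expired" in info.lower():
        return "bind_password_expired"
    m = re.search(r"data\s+([0-9a-f]+)", info, re.IGNORECASE)
    if m and m.group(1).lower() in AD_SUBCODES:
        return AD_SUBCODES[m.group(1).lower()]
    # Result 49 with no expiry hint: the stored bind password is wrong,
    # which after a password rotation means it was changed on the server.
    return "bind_password_changed_or_wrong"


def classify_log(log_text):
    """Return one (failure_class, info) tuple per ldap.INVALID_CREDENTIALS line."""
    findings = []
    for line in log_text.splitlines():
        m = LDAP_ERR_RE.search(line)
        if not m:
            continue
        try:
            err = ast.literal_eval(m.group(1))
        except (ValueError, SyntaxError):
            continue  # malformed line; skip rather than guess
        if isinstance(err, dict):
            findings.append((classify_ldap_error(err), (err.get("info") or "").strip()))
    return findings


def summarize(log_text):
    """Count bind failures by class so an operator can see the dominant cause."""
    counts = {}
    for kind, _info in classify_log(log_text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample modelled on the keystone.log excerpt in the article.
# In the real file the repr contains a literal backslash-n inside the quotes,
# which is why the string below uses "\\n".
SAMPLE_LOG = """\
2024-01-01 10:00:00.000 1234 ERROR keystone.server.flask.application ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': 'Password is expired.\\n'}
2024-01-01 10:00:00.001 1234 ERROR keystone.server.flask.application [req-98348bc1-b47f-417b-ab1b-04eccd19ea0f - - - - -] Unable to authenticate against Identity backend - Invalid username or password: keystone.exception.LDAPInvalidCredentialsError: Unable to authenticate against Identity backend - Invalid username or password
2024-01-01 10:05:00.000 1234 ERROR keystone.server.flask.application ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': ''}
2024-01-01 10:06:00.000 1234 ERROR keystone.server.flask.application ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C09041A, comment: AcceptSecurityContext error, data 773, v2580'}
2024-01-01 10:07:00.000 1234 INFO keystone.common.wsgi GET /v3/auth/tokens
"""

if __name__ == "__main__":
    for kind, info in classify_log(SAMPLE_LOG):
        print(f"{kind:32s} info={info!r}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `python3 script.py` after replacing SAMPLE_LOG with `open("/var/log/keystone/keystone.log").read()`; if the expired class dominates, the resolution below applies as written, whereas a changed-or-wrong class with a password that was not rotated points at a different problem (wrong bind DN, or the wrong config file being edited).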

Resolution

Steps:

  1. Encrypt the new bind password on the management node

    Run the following command on the management node and save the encrypted password it prints. The plaintext password appears on the command line, so it is written to the shell history and is briefly visible in the process list; clear the history entry (for example with history -d) once the value has been saved.

    python -c "from powervc_oslo.config import data_utils;print(data_utils.encrypt_data('<new_password>'))"

    For example, encrypting the password test produces a value of the form aes-ctr:Nzk5MjE1MjI5NTk2OTYyMzkwOTq7qCmj:

    [root@rhel82-man-4 ~]# python -c "from powervc_oslo.config import data_utils;print(data_utils.encrypt_data('test'))"
     aes-ctr:Nzk5MjE1MjI5NTk2OTYyMzkwOTq7qCmj
  2. Update the password property in the ldap section of /etc/keystone/domains/keystone.Default.conf with the encrypted password generated in step 1.

    • In a standalone deployment:

    # openstack-config --set /etc/keystone/domains/keystone.Default.conf ldap password <encrypted password generated in step 1>
    • In a multi-node cluster deployment (applies the change to every node in the cluster):

    # icic-opsmgr config openstackconfig -c <clustername> -op set -file /etc/keystone/domains/keystone.Default.conf -section ldap -property password -value <encrypted password generated in step 1>
  3. Restart the keystone services

    On the management nodes, restart the keystone services by issuing the following command:

    # icic-services keystone restart

    After the restart, log in again and confirm that no new ldap.INVALID_CREDENTIALS errors appear in /var/log/keystone/keystone.log.