IBM Support

When creating a Common Services team, the OpenShift group and users are not created if LDAP no longer has users that are already in the group

Troubleshooting


Problem

An OpenShift user is created when you add an LDAP user to the team or when this LDAP user logs in to the IBM Cloud Pak console. When a user is removed on the LDAP server side, the LDAP group in the team is not updated.
New Red Hat OpenShift groups and users are not created, and users cannot log in to the Cloud Pak console.
The Red Hat OpenShift group is not updated by any process or thread in IAM. An OpenShift user or group is deleted only if this user or group is deleted from teams.
To resolve this issue, delete and re-add the LDAP group to teams to re-create the Red Hat OpenShift group with the latest members, and manually delete the Red Hat OpenShift user. To delete the user, use the command oc delete user <user_id>.

Symptom

  • Recreation steps (example):
    - User tries to create a Common Services team and add an LDAP group to the team
         LDAP group:  cluster-admin-group
         Common Services team name: my-cluster-admin-team

    - The LDAP group has users, but some of the users do not exist on the LDAP server side.
    - The Common Services team is created, but the corresponding OpenShift group and users are not created in OCP.
    - Users cannot log in to the Cloud Pak.
    - The Common Services team is created, but when the LDAP user group name is selected, the corresponding users are not loaded.
  • The following is logged in the auth-idp pods:
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"User-Mgmt:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":30,"msg":"User-Mgmt:: Exiting /fetchLdapUserDetailsWithNewClient with error","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"catch: error: OperationalError: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again\n    at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)\n    ... 13 lines matching cause stack trace ...\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {\n  cause: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again\n      at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)\n      at CorkedEmitter.<anonymous> (/opt/ibm/identity-mgmt/util/usergroup-util.js:345:56)\n      at CorkedEmitter.emit (node:events:513:28)\n      at CorkedEmitter.emit (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n      at sendResult (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:1194:22)\n      at messageCallback (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:1220:18)\n      at Parser.onMessage (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:888:14)\n      at Parser.emit (node:events:513:28)\n      at Parser.write (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/messages/parser.js:107:8)\n      at Socket.onData (/opt/ibm/identity-mgmt/node_modules/ldapjs/lib/client/client.js:875:22)\n      at Socket.emit (node:events:513:28)\n      at addChunk (node:internal/streams/readable:324:12)\n      at readableAddChunk (node:internal/streams/readable:297:9)\n      at Readable.push (node:internal/streams/readable:234:10)\n      at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {\n    status: 400\n  },\n  isOperational: true,\n  status: 400\n}","time":"2023-04-19T10:39:08.706Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"usergroup:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.706Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":30,"msg":"usergroup:: Exiting /getUsers with error","time":"2023-04-19T10:39:08.706Z","v":0}
Unhandled error for request GET /usergroup/cip-cluster-admin-deve/getUsers: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again
    at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)
    at /opt/ibm/identity-mgmt/common/models/user-group.js:241:48
    at /opt/ibm/identity-mgmt/util/usergroup-util.js:456:32
    at tryCatcher (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:547:31)
    at Promise._settlePromise (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:604:18)
    at Promise._settlePromise0 (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:649:10)
    at Promise._settlePromises (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/promise.js:725:18)
    at _drainQueueStep (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:93:12)
    at _drainQueue (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:86:9)
    at Async._drainQueues (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:102:5)
    at Async.drainQueues (/opt/ibm/identity-mgmt/node_modules/bluebird/js/release/async.js:15:14)
    at process.processImmediate (node:internal/timers:476:21)
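
As an added example (not IBM's code), the following Python parses auth-idp output like the excerpt above, which mixes JSON records with plain-text stack traces, and reports how often the lookup-failure message appears, which pods logged it, and the user group identifier in the failing request path. The function name triage and the embedded sample, trimmed from the lines above with one truncated record added, are constructed for illustration.

```python
import json
import re

# Constructed sample: trimmed copies of the auth-idp lines quoted above,
# plus one truncated record to exercise the malformed-line path.
SAMPLE_LOG = r'''
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"User-Mgmt:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":30,"msg":"User-Mgmt:: Exiting /fetchLdapUserDetailsWithNewClient with error","time":"2023-04-19T10:39:08.705Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b4646b8b5-r8dn5","pid":1,"level":50,"msg":"usergroup:: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again","time":"2023-04-19T10:39:08.706Z","v":0}
{"name":"platform-identity-mgmt","hostname":"auth-idp-7b46
Unhandled error for request GET /usergroup/cip-cluster-admin-deve/getUsers: Error: Bad request, LDAP group could not be found based on search criteria. Please refine your search and try again
    at Object.errorHandler (/opt/ibm/identity-mgmt/util/identity-util.js:61:17)
'''

SIGNATURE = "LDAP group could not be found based on search criteria"
# Plain-text line that carries the user group identifier in the request path.
REQUEST_RE = re.compile(r"^Unhandled error for request GET /usergroup/([^/\s]+)/getUsers\b")
ERROR_LEVEL = 50  # numeric level carried by the error records above


def triage(log_text):
    """Summarise LDAP-group lookup failures in mixed JSON/plain-text pod logs."""
    groups, pods, times, skipped = set(), set(), [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match and SIGNATURE in line:
            groups.add(match.group(1))
        elif line.startswith("{"):
            try:
                rec = json.loads(line)
            except json.JSONDecodeError:
                skipped += 1  # truncated or interleaved record
                continue
            if rec.get("level", 0) >= ERROR_LEVEL and SIGNATURE in rec.get("msg", ""):
                pods.add(rec.get("hostname", "unknown"))
                times.append(rec.get("time", ""))
    return {
        "groups": sorted(groups),
        "pods": sorted(pods),
        "error_count": len(times),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
        "malformed": skipped,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```
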

Document Location

Worldwide


Document Information

Modified date:
30 May 2023

UID

ibm16989183