NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

OpenLDAP password policy error after migration #6786

Closed DavidePrincipi closed 9 months ago

DavidePrincipi commented 9 months ago

The LDAP domain settings fail to display the domain password policy after migration from NS7.

Steps to reproduce

Expected behavior

The page loads completely. Some password policy is displayed.

Actual behavior

The password policy tile does not load and an error occurs.


Error message

Traceback (most recent call last):
  File "/home/openldap1/.config/actions/get-password-policy/50get_password_policy", line 16, in <module>
    ldapsearch_proc = subprocess.run(["podman", "exec", "openldap",
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['podman', 'exec', 'openldap', 'ldapsearch', '-LLL', '-b', 'cn=default,ou=PPolicy,dc=directory,dc=nh', '-s', 'base']' returned non-zero exit status 32.

Components
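
The exit status 32 in the traceback above is the LDAP `noSuchObject` result code, which `ldapsearch` passes through as its exit status: the policy entry at that DN does not exist. The following is an added example, not the fix shipped in ns8-openldap, of a reader that reports a missing entry as "no policy present" and still fails on any other error; `read_password_policy`, `parse_policy_attrs`, `fake_run` and the sample LDIF are constructed for illustration.

```python
import subprocess

LDAP_NO_SUCH_OBJECT = 32  # LDAP result code, surfaced as ldapsearch's exit status
POLICY_DN = "cn=default,ou=PPolicy,dc=directory,dc=nh"  # DN from the traceback

# Constructed sample of `ldapsearch -LLL` output for a ppolicy entry.
SAMPLE_LDIF = (
    "dn: cn=default,ou=PPolicy,dc=directory,dc=nh\n"
    "objectClass: pwdPolicy\n"
    "pwdAttribute: userPassword\n"
    "pwdMaxAge: 15552000\n"
    "pwdMinLength: 8\n"
)

def parse_policy_attrs(ldif):
    """Return the pwd* attributes of a single-entry LDIF as {name: value}."""
    attrs, last = {}, None
    for line in ldif.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]  # LDIF continuation line
            continue
        name, sep, value = line.partition(": ")
        # Skip non-policy attributes and base64 ("name:: ...") values.
        keep = sep and name.startswith("pwd") and not name.endswith(":")
        last = name if keep else None
        if last is not None:
            attrs[last] = value
    return attrs

def read_password_policy(run=subprocess.run):
    """Read the default policy entry; a missing entry is not an error."""
    cmd = ["podman", "exec", "openldap", "ldapsearch", "-LLL",
           "-b", POLICY_DN, "-s", "base"]
    proc = run(cmd, capture_output=True, text=True)  # no check=True on purpose
    if proc.returncode == LDAP_NO_SUCH_OBJECT:
        return {"present": False, "attrs": {}}
    if proc.returncode != 0:
        # Any other failure (bind, connection, ...) must still surface.
        raise RuntimeError(
            f"ldapsearch exit status {proc.returncode}: {proc.stderr.strip()}")
    return {"present": True, "attrs": parse_policy_attrs(proc.stdout)}

def fake_run(returncode, stdout="", stderr=""):
    """Constructed stand-in for subprocess.run so the example runs without podman."""
    return lambda cmd, **kw: subprocess.CompletedProcess(cmd, returncode, stdout, stderr)

if __name__ == "__main__":
    print(read_password_policy(fake_run(32)))
    print(read_password_policy(fake_run(0, SAMPLE_LDIF)))
```

Only status 32 is mapped to "absent"; treating every non-zero status that way would hide bind or connection failures behind an empty policy tile.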

DavidePrincipi commented 9 months ago

OpenLDAP testing release https://github.com/NethServer/ns8-openldap/releases/tag/2.1.0-dev.1

DavidePrincipi commented 9 months ago

@nrauso to test version dev.1 apply the override procedure described here: https://nethserver.github.io/ns8-core/quickstart/#module-override

nrauso commented 9 months ago

Account provider was successfully migrated and password policy UI works, but the policies enabled on NS7 were not migrated to NS8 (there was no policy applied): is this the expected behavior?

In addition, I had an error during the final migration step:

Dec 11 12:37:28 myrocky.nethe.eu agent@cluster[6914]: task/cluster/f059c21b-ccf3-440f-9a11-0d1a3e4e89f4: remove-external-domain/50remove_domain is starting
...
Dec 11 12:37:28 myrocky.nethe.eu agent@cluster[6914]: task/cluster/f059c21b-ccf3-440f-9a11-0d1a3e4e89f4: action "remove-external-domain" status is "validation-failed" (2) at step 50remove_domain

I was not able to find more detailed information. @DavidePrincipi, do you need to delve into the scenario?

DavidePrincipi commented 9 months ago

Thank you for your observations!

  1. The password policy of NS7 based on SSSD+PAM is not migrated because it is not fully compatible with NS8.
  2. I guess the validation error is generated by probing the domain existence: it is harmless.

I think both points deserve more explanation in the Migration manuals.

nrauso commented 9 months ago

OK, so I can set the QA as verified.

DavidePrincipi commented 9 months ago

Added migration docs PR https://github.com/NethServer/ns8-docs/pull/49

DavidePrincipi commented 9 months ago

Released as https://github.com/NethServer/ns8-openldap/releases/tag/2.1.0