Author: Shea Stewart


Troubleshooting OpenShift LDAP Authentication

This post covers a few quick steps for troubleshooting OpenShift master configuration issues. They came out of troubleshooting some LDAP issues, but may help with other master configuration issues as well.

Step 1 - Reduce scope of troubleshooting

Most OpenShift clusters run multiple masters behind a load balancer or round-robin DNS. To simplify troubleshooting, narrow the set of systems to monitor by configuring your local machine to resolve the cluster master hostname to a single master node. This can also be done at the load balancer if you are able to modify its configuration.

Step 2 - Increase the logging level

Now that the troubleshooting scope has been reduced to one node:

  • Edit /etc/sysconfig/atomic-openshift-master-api
  • Change the log level to 4
    OPTIONS=--loglevel=4
    
  • Restart the master api service
    # systemctl restart atomic-openshift-master-api
    

Step 3 - Monitor /var/log/messages

Log into the target master node and start monitoring the log file, in this case watching for LDAP issues:

# tail -f /var/log/messages | grep ldap

Step 4 - Attempt to log in

Through the CLI or WebUI, attempt to log in and watch the log files for relevant errors to continue debugging.

Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.802225 84755 ldap.go:129] searching for (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803422 84755 ldap.go:137] no entries matching (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803444 84755 login.go:174] Login with provider "ARCTIQDEV (AD)" failed for "shea.stewart"...
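
At log level 4 the master API log is noisy, so it can help to reduce it to one line per failed login. The following is an added example, not part of the original post: it pairs each login.go failure with the preceding ldap.go "no entries matching" filter for the same user. The function names and the sample lines (host, users, provider name) are constructed for illustration and assume the log format shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Reads master API syslog lines on
# stdin and prints one tab-separated record per failed login:
#   timestamp <TAB> provider <TAB> user <TAB> LDAP filter that matched nothing
summarize_ldap_failures() {
  awk '
    # ldap.go "no entries matching <filter>": remember the filter that found nothing
    /ldap\.go:[0-9]+\] no entries matching / {
      filter = $0
      sub(/^.*no entries matching /, "", filter)
      next
    }
    # login.go: Login with provider "<provider>" failed for "<user>"...
    /login\.go:[0-9]+\] Login with provider "/ {
      rest = $0
      sub(/^.*Login with provider "/, "", rest)
      cut = index(rest, "\" failed for \"")
      if (cut == 0) next
      provider = substr(rest, 1, cut - 1)
      user = substr(rest, cut + 14)      # 14 = length of the separator text
      sub(/".*$/, "", user)
      # Heuristic: attach the filter only if it names this user; "-" means the
      # failure was not preceded by an empty search for that user.
      shown = (index(filter, "=" user ")") > 0) ? filter : "-"
      printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, provider, user, shown
      filter = ""
    }
  '
}

# Constructed sample lines in the format shown in Step 4 (host, users and
# provider name are made up). The second failure has no empty search before it.
sample_log() {
  cat <<'EOF'
Aug 10 17:01:53 master1 atomic-openshift-master-api: I0810 17:01:53.802225 84755 ldap.go:129] searching for (&(objectClass=person)(sAMAccountName=alice))
Aug 10 17:01:53 master1 atomic-openshift-master-api: I0810 17:01:53.803422 84755 ldap.go:137] no entries matching (&(objectClass=person)(sAMAccountName=alice))
Aug 10 17:01:53 master1 atomic-openshift-master-api: I0810 17:01:53.803444 84755 login.go:174] Login with provider "EXAMPLE (AD)" failed for "alice"...
Aug 10 17:02:10 master1 atomic-openshift-master-api: I0810 17:02:10.100000 84755 login.go:174] Login with provider "EXAMPLE (AD)" failed for "bob"...
EOF
}

sample_log | summarize_ldap_failures
```

On a live master, pipe `tail -f /var/log/messages` into `summarize_ldap_failures` instead of the sample. A `-` in the last column means the login failed without an empty LDAP search for that user being logged first.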

Step 5 - Reduce the logging level when finished

Repeat step 2 and change the logging level back to 2.
