Troubleshooting OpenShift LDAP Authentication
This post covers a few quick steps for troubleshooting OpenShift master configuration issues. They were written up while chasing an LDAP identity provider problem, but the same approach works for other master configuration issues as well.
Step 1 - Reduce scope of troubleshooting
Most OpenShift clusters run multiple masters behind a load balancer or round-robin DNS, so a login attempt may land on any of them. To simplify troubleshooting, narrow the scope to a single master: on your local machine, add an /etc/hosts entry that maps the cluster's master hostname to the IP of one master node. This can also be done at the load balancer level if you have (or can modify) its configuration.
Step 2 - Increase the logging level
Now that the troubleshooting scope has been reduced to one node:
- Edit /etc/sysconfig/atomic-openshift-master-api
- Change the log level to 4 (the default is 2)
OPTIONS=--loglevel=4
- Restart the master API service
# systemctl restart atomic-openshift-master-api
Step 3 - Monitor /var/log/messages
Log into the target master node and start monitoring the log file. The LDAP search messages come from ldap.go and the final login result from login.go, so match on both:
# tail -f /var/log/messages | grep -iE 'ldap|login'
Step 4 - Attempt to log in
Through the CLI (oc login) or the web console, attempt to log in as the affected user and watch the log for relevant errors. The output below shows exactly which filter the master sends to the directory and whether it matched anything:
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.802225 84755 ldap.go:129] searching for (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803422 84755 ldap.go:137] no entries matching (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803444 84755 login.go:174] Login with provider "ARCTIQDEV (AD)" failed for "shea.stewart"...
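The log above reads as: the master bound to the directory, sent a search with the configured filter, got no entries back, and therefore rejected the login. A "no entries matching" result points at the filter, base DN or the user's attributes rather than at the bind credentials or TLS. The following script is an added example (not part of the original post or of OpenShift) that parses these ldap.go and login.go lines, pulls out the filter that was actually sent, and flags any memberOf value whose comma-separated components do not have the attribute=value shape a DN requires. The sample lines are constructed from the page's example; the hostnames, DNs and user names are assumed values, and the DN check is a naive split on commas.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines mirroring the page's output (assumed values).
SAMPLE_LOG = """\
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.802225 84755 ldap.go:129] searching for (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803422 84755 ldap.go:137] no entries matching (&(memberOf=OCPTenant,OU=ARCTIQ Servers,OU=ARCTIQ,DC=ARCTIQdev,DC=dev,DC=arctiq,DC=ca)(sAMAccountName=shea.stewart))
Aug 10 17:01:53 ocp-master1 atomic-openshift-master-api: I0810 17:01:53.803444 84755 login.go:174] Login with provider "ARCTIQDEV (AD)" failed for "shea.stewart"...
"""

SEARCH_RE = re.compile(r"ldap\.go:\d+\] searching for (\(.*\))\s*$")
NOMATCH_RE = re.compile(r"ldap\.go:\d+\] no entries matching (\(.*\))\s*$")
LOGIN_FAIL_RE = re.compile(r'login\.go:\d+\] Login with provider "([^"]*)" failed for "([^"]*)"')

# Attributes whose values are expected to be full DNs (hypothetical list).
DN_ATTRIBUTES = {"memberof"}


@dataclass
class LoginAttempt:
    search_filter: str
    outcome: str = "unknown"          # "no entries" or "failed"
    provider: Optional[str] = None
    user: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def filter_terms(search_filter: str) -> dict:
    """Extract (attribute=value) terms from a simple LDAP filter string."""
    return dict(re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", search_filter))


def malformed_dn_components(dn: str) -> List[str]:
    """Return components of dn that lack an attribute=value shape.
    Naive comma split: escaped commas (\\,) inside values are not handled."""
    return [c.strip() for c in dn.split(",")
            if not re.match(r"^\s*[A-Za-z][\w-]*=", c)]


def dn_warnings(search_filter: str) -> List[str]:
    warnings = []
    for attr, value in filter_terms(search_filter).items():
        if attr.lower() in DN_ATTRIBUTES:
            bad = malformed_dn_components(value)
            if bad:
                warnings.append(f"{attr} value has non attribute=value component(s): {bad}")
    return warnings


def parse_ldap_log(text: str) -> List[LoginAttempt]:
    """Group 'searching for' / 'no entries matching' / login failure lines per attempt."""
    attempts: List[LoginAttempt] = []
    current: Optional[LoginAttempt] = None
    for line in text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            current = LoginAttempt(search_filter=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue
        if NOMATCH_RE.search(line):
            current.outcome = "no entries"
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m:
            current.provider, current.user = m.group(1), m.group(2)
            if current.outcome == "unknown":
                current.outcome = "failed"
    for attempt in attempts:
        attempt.warnings = dn_warnings(attempt.search_filter)
    return attempts


def report(text: str) -> str:
    out = []
    for a in parse_ldap_log(text):
        out.append(f"user={a.user!r} provider={a.provider!r} outcome={a.outcome}")
        out.append(f"  filter sent: {a.search_filter}")
        for w in a.warnings:
            out.append(f"  warning: {w}")
    return "\n".join(out)


if __name__ == "__main__":
    # Read from a pipe (e.g. grep ldap /var/log/messages | python3 this.py),
    # otherwise run against the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(data))
```

Whatever filter the script extracts is the one to reproduce directly against the directory with ldapsearch (using the same bind DN and base DN as master-config.yaml); if ldapsearch also returns nothing, the problem is the filter or the user's group membership, not OpenShift.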
Step 5 - Reduce the logging level when finished
Repeat step 2, change the logging level back to 2 and restart the service. Level 4 is verbose and records the usernames and search filters of every login attempt, so don't leave it on longer than the troubleshooting needs. Remember to remove the temporary /etc/hosts entry from step 1 as well.