ozzzo_work | good morning | 12:43 |
---|---|---|
ozzzo_work | I'm trying to fix a keystone failure: Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator. | 12:44 |
ozzzo_work | I googled around and then tried changing page_size from 0 to 2000 but that didn't make a difference. | 12:45 |
ozzzo_work | Can anyone help? | 12:45 |
dmendiza | Hi ozzzo_work. I think maybe @d34dh0r53 would be able to help with LDAP questions | 14:22 |
zaitcev | o/ | 15:05 |
*** | hiromu_ is now known as hiromu | 15:05 |
d34dh0r53 | #startmeeting keystone | 15:06 |
opendevmeet | Meeting started Tue May 16 15:06:46 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:06 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:06 |
opendevmeet | The meeting name has been set to 'keystone' | 15:06 |
d34dh0r53 | apologies, my previous meeting ran long | 15:06 |
zaitcev | np | 15:07 |
d34dh0r53 | #topic roll call | 15:07 |
hiromu | o/ | 15:07 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m] | 15:07 |
d34dh0r53 | o/ | 15:07 |
d34dh0r53 | #topic review past meeting work items | 15:09 |
d34dh0r53 | https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-09-15.07.html | 15:10 |
d34dh0r53 | d34dh0r53 investigate https://bugs.launchpad.net/keystone/+bug/2009752 | 15:10 |
d34dh0r53 | didn't get to it, will try this week | 15:10 |
d34dh0r53 | #action d34dh0r53 investigate https://bugs.launchpad.net/keystone/+bug/2009752 | 15:10 |
d34dh0r53 | d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:11 |
d34dh0r53 | same, need to work on that and the next one this week | 15:11 |
d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:11 |
d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:11 |
d34dh0r53 | finally we have d34dh0r53 review our open LDAP bugs https://bugs.launchpad.net/keystone/+bugs?field.tag=ldap | 15:11 |
d34dh0r53 | I did do this and there are some bugs I think we can close, also some low hanging fruit | 15:12 |
dmendiza | 🙋♂️ | 15:12 |
d34dh0r53 | o/ dmendiza | 15:13 |
d34dh0r53 | that does it for the past meeting work items | 15:13 |
d34dh0r53 | next up | 15:13 |
d34dh0r53 | #topic liaison updates | 15:13 |
d34dh0r53 | nothing from VMT | 15:13 |
d34dh0r53 | I've been reviewing the bobcat-1 patches, holding off on keystoneauth until a couple of patches merge which should be any minute now | 15:14 |
d34dh0r53 | moving on | 15:15 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:16 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:16 |
d34dh0r53 | sorry, wrong link | 15:17 |
d34dh0r53 | #undo | 15:17 |
opendevmeet | Removing item from minutes: #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:17 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:17 |
d34dh0r53 | That is for the external OAuth spec | 15:17 |
d34dh0r53 | anything you need hiromu? | 15:17 |
hiromu | I've updated specs to reply to Julia's comment. I'll remind Julia. | 15:18 |
hiromu | just fyi | 15:18 |
d34dh0r53 | ack, thanks | 15:18 |
d34dh0r53 | next up, we have | 15:19 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:19 |
d34dh0r53 | Service Role Implementation | 15:19 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/863420 | 15:19 |
d34dh0r53 | Manager Role Implementation | 15:19 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/822601 | 15:19 |
dmendiza | Still need to move those forward | 15:20 |
dmendiza | I want to say gmann was going to update one of the specs | 15:20 |
d34dh0r53 | ack | 15:21 |
d34dh0r53 | next up | 15:22 |
d34dh0r53 | #topic specification SQLAlchemy 2.0 (stephenfin) | 15:22 |
d34dh0r53 | We're going to handle these in the reviewathon this week | 15:23 |
d34dh0r53 | #topic open discussion | 15:24 |
d34dh0r53 | (drencrom) We need to merge these backports to fix pep8 tests | 15:25 |
drencrom | We talked about this last week. We concluded some of the patches were missing the patches to test_ec2_token_middleware.py | 15:25 |
d34dh0r53 | looks like some of the backports need to integrate the ec2_token_middleware tests | 15:25 |
d34dh0r53 | what drencrom said :) | 15:25 |
d34dh0r53 | drencrom: do you have the bandwidth to update those patches? We can get them reviewed on Friday | 15:26 |
drencrom | but the ones that do have that patch are ok IMHO, some of them need another +2 | 15:26 |
d34dh0r53 | ack | 15:26 |
d34dh0r53 | I'll bug the cores about those ones today | 15:27 |
drencrom | https://review.opendev.org/c/openstack/keystonemiddleware/+/882401 is missing the patch but I don't think I can update it as I'm not the owner | 15:27 |
d34dh0r53 | ahh, I am the owner, I can update that one | 15:27 |
d34dh0r53 | is that the only one? | 15:27 |
drencrom | I also had an issue with the Victoria one | 15:28 |
drencrom | I got an error when I tried to merge test_ec2_token_middleware.py. Maybe I can try again. | 15:28 |
d34dh0r53 | ok, and I'll update 2023.1 | 15:29 |
d34dh0r53 | #action d34dh0r53 update https://review.opendev.org/c/openstack/keystonemiddleware/+/882401 to include test_ec2_token_middleware.py | 15:29 |
drencrom | Thanks | 15:30 |
d34dh0r53 | #action drencrom look at https://review.opendev.org/c/openstack/keystonemiddleware/+/878027 to see if we can add the test_ec2_token_middleware.py to it | 15:30 |
d34dh0r53 | np, thank you! | 15:30 |
d34dh0r53 | next up | 15:31 |
d34dh0r53 | (mustafakemalgilor) PooledLdapHandler message.clean() patch backports | 15:31 |
d34dh0r53 | we're still missing a couple of backports for this | 15:31 |
d34dh0r53 | x, w, v, u still need another +2 +1 | 15:33 |
d34dh0r53 | dmendiza: mind taking a look starting here? https://review.opendev.org/c/openstack/keystone/+/874843 | 15:33 |
zaitcev | Did you see a lower-constraints failure in https://review.opendev.org/c/openstack/keystonemiddleware/+/878028 | 15:34 |
zaitcev | Maybe Ussuri is just too old for this | 15:34 |
zaitcev | Train was EOLed, I think | 15:35 |
dmendiza | d34dh0r53, ack | 15:35 |
d34dh0r53 | zaitcev: I missed that | 15:35 |
d34dh0r53 | maybe we stop at v? | 15:35 |
d34dh0r53 | let's talk about it on Friday when we have better patches up for 2023.1 and V | 15:37 |
d34dh0r53 | next up | 15:37 |
d34dh0r53 | (reqa) OAuth 2.0 Device Authorization Grant bugfix | 15:37 |
d34dh0r53 | I think everything has merged for this, do we need anything else? | 15:37 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/876893 | 15:37 |
d34dh0r53 | #link https://review.opendev.org/q/topic:reqa/v3oidcdeviceauth | 15:38 |
d34dh0r53 | Ok, I think we're done with that, I'll get it off the agenda | 15:39 |
d34dh0r53 | #topic bug review | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:40 |
d34dh0r53 | nothing new for keystone, I need to look into that federation bug | 15:40 |
d34dh0r53 | #action d34dh0r53 look at https://bugs.launchpad.net/keystone/+bug/2018644 | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:41 |
d34dh0r53 | nothing new for python-keystoneclient either | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:41 |
d34dh0r53 | no new bugs there | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:42 |
d34dh0r53 | clean | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:42 |
d34dh0r53 | no new bugs | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:43 |
d34dh0r53 | no new | 15:43 |
d34dh0r53 | #topic conclusion | 15:43 |
d34dh0r53 | not much for me, please come to the reviewathon Friday 19-May-2023 14:00 UTC | 15:44 |
d34dh0r53 | #link meet.google.com/drx-yoqc-nzs | 15:44 |
d34dh0r53 | thanks folks! | 15:44 |
d34dh0r53 | #endmeeting | 15:44 |
opendevmeet | Meeting ended Tue May 16 15:44:56 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:44 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-16-15.06.html | 15:44 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-16-15.06.txt | 15:44 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-16-15.06.log.html | 15:44 |
opendevreview | Merged openstack/keystoneauth master: Make v3oidcpassword send client_id https://review.opendev.org/c/openstack/keystoneauth/+/881969 | 16:23 |
opendevreview | Merged openstack/keystoneauth master: Fix up some packaging metadata https://review.opendev.org/c/openstack/keystoneauth/+/877722 | 16:23 |
ozzzo | d34dh0r53: do you have any ideas on how to fix my "LDAP exceeded size limit" issue? | 16:31 |
ozzzo_work | d34dh0r53: When I search for that error I find this bug: https://bugs.launchpad.net/keystone/+bug/1896121 | 17:03 |
ozzzo_work | and I see someone talking about fixing it by setting page_size to a non-zero value, so I tried that but it didn't make a difference | 17:04 |
ozzzo_work | I followed the instructions here and added page_size under [ldap] in my keystone.conf | 17:05 |
ozzzo_work | https://docs.openstack.org/keystone/latest/admin/configuration.html#identity-ldap-server-set-up | 17:05 |
ozzzo_work | and I see it inside the container, in /etc/keystone/keystone.conf but I still get the error from "group list" | 17:06 |
ozzzo_work | d34dh0r53: The error is "Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator." | 17:22 |
zaitcev | Woa | 17:39 |
zaitcev | Can anyone explain just how this is imported: https://opendev.org/openstack/keystone/src/branch/master/keystone/identity/backends/ldap/common.py#L1003 | 17:40 |
zaitcev | There's no "import ldap" and yet ldap.SIZELIMIT_EXCEEDED (and a ton of similar names) are used with no problem. | 17:40 |
zaitcev | ozzzo_work: Leaving the import problem aside, the code says that your page setting didn't take hold. | 17:43 |
ozzzo_work | zaitcev: I see it in /etc/keystone/keystone.conf in the container. Is there a better way to check it? | 17:59 |
ozzzo_work | I'm running kolla-ansible train | 17:59 |
opendevreview | Merged openstack/keystone master: [PooledLDAPHandler] Clean up the fix for result3() https://review.opendev.org/c/openstack/keystone/+/878187 | 18:07 |
opendevreview | Jorge Merlino proposed openstack/keystonemiddleware master: Add timeout for requests https://review.opendev.org/c/openstack/keystonemiddleware/+/883297 | 18:25 |
opendevreview | Jorge Merlino proposed openstack/keystonemiddleware master: [DNM] Fix mocks in EC2 token tests https://review.opendev.org/c/openstack/keystonemiddleware/+/883299 | 19:03 |
ozzzo_work | can anyone help with my "LDAP exceeded size limit" issue? | 21:16 |