Bug
Resolution: Done
Minor
DO380 - OCP4.14-en-1-20240220
ROLE
en-US (English)
Please fill in the following information:
URL: https://role.rhu.redhat.com/rol-rhu/app/courses/do380-4.14/pages/ch01s08
Reporter RHNID: rhn-support-ablum
Section Title: Guided Exercise: Solve User Sync Conflicts
Issue description
Learners who do not clean up the previous GE will face issues with the user sync conflict created in this GE. Learners who log into the RH_SSO identity before the htpasswd_provider identity will also face the error "unexpected response: 500".
Steps to reproduce:
Either don't run `lab finish auth-oidc` from the prior GE. In this case abbyquincy will still exist, coming from the oidc provider.
or
Log in using the openId provider (add) first, then the htpasswd_provider (claim):
```
[student@workstation ~]$ oc login -u abbyquincy -p redhat_sso
Login successful.
[student@workstation ~]$ oc login -u abbyquincy -p redhat_htpasswd https://api.ocp4.example.com:6443
Error from server (InternalError): Internal error occurred: unexpected response: 500
```
Workaround:
You must remove all the user and identity records and then log in again in order, with the "claim" IdM first, then the "add":
```
[student@workstation ~]$ oc delete identities.user.openshift.io RHSSO_OIDC:a175e1...
[student@workstation ~]$ oc delete user abbyquincy
user.user.openshift.io "abbyquincy" deleted
[student@workstation ~]$ oc login -u abbyquincy -p redhat_htpasswd https://api.ocp4.example.com:6443
Login successful.
[student@workstation ~]$ oc login -u abbyquincy -p redhat_sso
Login successful.
```
Expected result:
It's all working as written but it's very easy to mess this up and it will cause confusion. I would recommend adding a callout explaining:
`If the "add" IdP is used first, OCP will add it as an identity for that user. As a result, any "claim" IdP that follows will receive a 500 error. If the order is reversed and the "claim" is used first, then no error will be encountered.`
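
The order dependence described in this report can be reproduced with a small model of the "claim" and "add" mapping methods. This is an added illustration, not code from the course or from OpenShift; the class and function names are hypothetical, the provider UID is constructed, and `MappingError` stands in for the 500 response.

```python
# Added illustration: a minimal model of OpenShift's "claim" and "add"
# identity mapping methods. Class and function names are hypothetical.

class MappingError(Exception):
    """Stands in for the 'unexpected response: 500' the learner sees."""


class Cluster:
    def __init__(self):
        self.users = {}  # username -> list of identity names mapped to it

    def login(self, provider, method, username, provider_uid):
        identity = f"{provider}:{provider_uid}"
        mapped = self.users.get(username)
        if mapped is None:
            # No User record yet: both methods create it and map the identity.
            self.users[username] = [identity]
        elif identity in mapped:
            pass  # Returning login through an already-mapped identity.
        elif method == "add":
            # "add" attaches the new identity to the existing user.
            mapped.append(identity)
        elif method == "claim":
            # "claim" refuses a username already mapped to another identity.
            raise MappingError(f"{username} is already mapped to {mapped}")
        else:
            raise ValueError(f"unknown mapping method: {method}")
        return list(self.users[username])

    def delete_user(self, username):
        # Models the workaround: remove the user and its identity records.
        self.users.pop(username, None)


def run(order):
    """Log abbyquincy in through each (provider, method) pair in order."""
    cluster, results = Cluster(), []
    for provider, method in order:
        try:
            cluster.login(provider, method, "abbyquincy", "constructed-uid")
            results.append("ok")
        except MappingError:
            results.append("error")
    return results


HTPASSWD = ("htpasswd_provider", "claim")  # provider names as in the report
SSO = ("RHSSO_OIDC", "add")
```

`run([SSO, HTPASSWD])` models the failing order from the steps to reproduce, and `run([HTPASSWD, SSO])` models the order used in the workaround.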