Login too slow or times out, or invalid username or password error

After you set up an LDAP connection, you cannot log in to the IBM Cloud Pak® for AIOps cluster console.

Symptoms

There are two symptoms for the same cause.

  • When you try to log in, the login process might take a long time, or might time out.

  • You might see the following error:

    Invalid user name or password
    

Cause

The login failure is due to an LDAP error when Liberty looks up groups for the user. By default, Liberty searches for the groups that the user is a member of. It then searches for the groups that those groups are members of. The message log shows the following error:

An FFDC Incident has been created: "com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03152973, problem 2001 (NO_OBJECT), data 0, best match of:
"

Resolving the problem

To resolve the issue, disable the recursiveSearch parameter in the LDAP server.xml file.

  1. Log in to your boot node with the oc login command.

  2. Edit the platform-auth-idp configmap.

    oc edit cm platform-auth-idp -n <your-foundational-services-namespace>
    
  3. Change the LDAP_RECURSIVE_SEARCH: "true" parameter value to LDAP_RECURSIVE_SEARCH: "false".

  4. Save the changes.

  5. Restart the platform-auth-service pods by deleting the pods.

    1. Get the platform-auth-service pod names.

      oc get pods -n <your-foundational-services-namespace> | grep platform-auth-service

    2. Delete the platform-auth-service pod.

      oc delete pods <pod-name> -n <your-foundational-services-namespace>
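
The steps above as a non-interactive script, added here as an example and not taken from IBM's documentation. It assumes `oc login` has already been done; the function names and the namespace argument are this example's own.

```shell
#!/bin/sh
# Added example: scripted form of the procedure above (not IBM's own code).
# Assumes an authenticated `oc` session. Function names are hypothetical.

CM=platform-auth-idp
KEY=LDAP_RECURSIVE_SEARCH

# Succeeds if log text on stdin shows the failure described under "Cause":
# CWIML4520E together with LDAP error code 32 (NO_OBJECT).
log_shows_cause() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'CWIML4520E' &&
        printf '%s\n' "$log" | grep -q 'LDAP: error code 32'
}

# Print the current value of LDAP_RECURSIVE_SEARCH in the configmap.
recursive_search_value() {
    oc get cm "$CM" -n "$1" -o "jsonpath={.data.$KEY}"
}

# Set the key to "false" unless it already is; prints "patched" or "unchanged".
disable_recursive_search() {
    if [ "$(recursive_search_value "$1")" = "false" ]; then
        echo unchanged
        return 0
    fi
    oc patch cm "$CM" -n "$1" --type merge \
        -p "{\"data\":{\"$KEY\":\"false\"}}" >/dev/null && echo patched
}

# Delete every platform-auth-service pod so the replacement pods
# start with the changed configmap value.
restart_auth_pods() {
    oc get pods -n "$1" -o name | grep platform-auth-service |
    while read -r pod; do
        oc delete -n "$1" "$pod"
    done
}

# Usage: sh disable-recursive-search.sh <your-foundational-services-namespace>
if [ -n "${1:-}" ]; then
    disable_recursive_search "$1" && restart_auth_pods "$1"
    echo "$KEY is now: $(recursive_search_value "$1")"
fi
```

With recursive search off, Liberty no longer looks up the groups that a user's groups belong to, so check any access that was granted through nested LDAP groups after the change.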