Default admin cannot log in due to LDAP server issues
The default admin user can no longer log in to your product cluster console.
You might see the following error in the platform-auth-service
container of the platform-auth-service
pod.
[ERROR ] CWIML4537E: The login operation could not be completed. The specified principal name admin is not found in the back-end repository.
com.ibm.wsspi.security.wim.exception.PasswordCheckFailedException: CWIML4537E: The login operation could not be completed. The specified principal name admin is not found in the back-end repository.
at com.ibm.ws.security.wim.ProfileManager.loginImpl(ProfileManager.java:1820)
at [internal classes]
Causes
This issue can occur because of the following reasons:
- The LDAP parameters that you specified when you configured the LDAP connection might not be correct.
- LDAP server is inaccessible for some reason.
- LDAP configuration file is corrupted.
- A user who is named
admin
might exist in the LDAP directory. For this case, try this resolution, Cannot log in to the management console by using the admin username.
Resolving the problem
As a temporary measure, you can remove the LDAP configuration file that is in the platform-auth-service
container of the platform-auth-service
pod so that the default admin user can log in to the cluster.
The LDAP configuration is stored in the /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml
and federated.xml
files in the platform-auth-service
container. To remove the incorrect LDAP configuration,
you must delete the files or move them to another location. You can then log in to the console and set up the LDAP connection again with the correct parameters.
Removing the LDAP configuration file in the platform-auth-service
container has no impact on the LDAP connection configuration. The users, groups, roles, and other resources are retained.
Complete the following steps to remove the LDAP configuration files.
-
SSH to your boot node and log in to cluster with
oc login
command. -
Get the
platform-auth-service
pod names.oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
-
Access the shell inside the
platform-auth-service
container.oc -n <your-foundational-services-namespace> exec -it platform-auth--service-xxxxxx-yyyy -c platform-auth-service -- /bin/bash
-
Make a note of the LDAP settings file name that is located in the
/config/configDropins/defaults/
directory. For example, the file name isldap-openLDAP.xml
if your LDAP connection name isopenLDAP
. -
Move the LDAP settings file
ldap-<LDAP_connection_name>.xml
and thefederated.xml
files out of the/config/configDropins/defaults/
directory. For example, you can move the files to the/config/configDropins/
directory.mv /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml /config/configDropins/ mv /config/configDropins/defaults/federated.xml /config/configDropins/
Note: Instead of moving the files, you can delete the LDAP settings file, and
federated.xml
files from the/config/configDropins/defaults/
directory. However, when you move the files, ensure that you have a backup of the configuration files, which can be used for troubleshooting.
You can also correct the settings in the files and reuse it to set up the LDAP connection. If you are reusing the files, you must move the corrected files back into the/config/configDropins/defaults/
directory.Exit from the container.
-
Perform steps 3 - 5 for all
platform-auth-service
pods. -
Wait for a minute and then try log in as the default admin user.
-
Set up your LDAP connection with proper configuration parameters. For more information about setting up an LDAP connection, see Configuring LDAP connection.
Note: You must identify the root cause of the issue and take the necessary actions to resolve it. After you resolve the issue, you can restart the
platform-auth-service
pod and then log in to the console as the admin user.You can also enable debugging for Liberty and collect logs. For more information, see Enable debugging for user authentication issues.