Default admin cannot log in due to LDAP server issues

The default admin user can no longer log in to your product cluster console.

You might see the following error in the platform-auth-service container of the platform-auth-service pod.

[ERROR   ] CWIML4537E: The login operation could not be completed. The specified principal name admin is not found in the back-end repository.
                                                                                                               com.ibm.wsspi.security.wim.exception.PasswordCheckFailedException: CWIML4537E: The login operation could not be completed. The specified principal name admin is not found in the back-end repository.
    at com.ibm.ws.security.wim.ProfileManager.loginImpl(ProfileManager.java:1820)
    at [internal classes]

Causes

This issue can occur because of the following reasons:

Resolving the problem

As a temporary measure, you can remove the LDAP configuration file that is in the platform-auth-service container of the platform-auth-service pod so that the default admin user can log in to the cluster.

The LDAP configuration is stored in the /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml and federated.xml files in the platform-auth-service container. To remove the incorrect LDAP configuration, you must delete the files or move them to another location. You can then log in to the console and set up the LDAP connection again with the correct parameters.

Removing the LDAP configuration file in the platform-auth-service container has no impact on the LDAP connection configuration. The users, groups, roles, and other resources are retained.

Complete the following steps to remove the LDAP configuration files.

  1. SSH to your boot node and log in to cluster with oc login command.

  2. Get the platform-auth-service pod names.

    oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
    
  3. Access the shell inside the platform-auth-service container.

    oc -n <your-foundational-services-namespace> exec -it platform-auth--service-xxxxxx-yyyy -c platform-auth-service -- /bin/bash
    
  4. Make a note of the LDAP settings file name that is located in the /config/configDropins/defaults/ directory. For example, the file name is ldap-openLDAP.xml if your LDAP connection name is openLDAP.

  5. Move the LDAP settings file ldap-<LDAP_connection_name>.xml and the federated.xml files out of the /config/configDropins/defaults/ directory. For example, you can move the files to the /config/configDropins/ directory.

    mv /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml /config/configDropins/
    mv /config/configDropins/defaults/federated.xml /config/configDropins/
    

    Note: Instead of moving the files, you can delete the LDAP settings file, and federated.xml files from the /config/configDropins/defaults/ directory. However, when you move the files, ensure that you have a backup of the configuration files, which can be used for troubleshooting.
    You can also correct the settings in the files and reuse it to set up the LDAP connection. If you are reusing the files, you must move the corrected files back into the /config/configDropins/defaults/ directory.

    Exit from the container.

  6. Perform steps 3 - 5 for all platform-auth-service pods.

  7. Wait for a minute and then try log in as the default admin user.

  8. Set up your LDAP connection with proper configuration parameters. For more information about setting up an LDAP connection, see Configuring LDAP connection.

    Note: You must identify the root cause of the issue and take the necessary actions to resolve it. After you resolve the issue, you can restart the platform-auth-service pod and then log in to the console as the admin user.

    You can also enable debugging for Liberty and collect logs. For more information, see Enable debugging for user authentication issues.