Cluster administrator cannot log in to the management console

After you set up an LDAP connection, you cannot log in to your IBM® Cloud Private cluster management console by using the default cluster administrator username and password.

Causes

The LDAP parameters that you specified while configuring the LDAP connection might not be correct.

Resolving the problem

Remove the current LDAP configuration.

The LDAP configuration is stored in the /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml and federated.xml files in the platform-auth container. To remove the incorrect LDAP configuration, you must delete the files or move them to another location. You can then log in to the console and set up the LDAP connection again with the correct parameters.

To remove the current LDAP configuration, run the following commands with root access on your master node:

  1. Get the platform-auth container ID:

    docker ps | grep platform-auth
    

    Example command and output:

      root@master:/opt/icp/cluster# docker ps | grep platform-auth
      d588a5b951b4        ibmcom/icp-platform-auth   "/usr/bin/supervis..."   5 days ago   Up 5 days   k8s_platform-auth-service_auth-idp-ln0s6_kube-system_d5f4fe3c-c60e-11e7-8ea2-005056a85e40_0
    
  2. Access the shell inside the container:

    docker exec -it <container ID> /bin/bash
    

    Example command and output:

      root@master:/opt/icp/cluster# docker exec -it d588a5b951b4 /bin/bash
      bash-4.3#
    
  3. Make a note of the LDAP settings file name that is located in the /config/configDropins/defaults/ directory. For example, the file name is ldap-openLDAP.xml if your LDAP connection name is openLDAP.

  4. Move the LDAP settings file out of the /config/configDropins/defaults/ directory. For example, you could move the file to the /config/configDropins/ directory:

    mv /config/configDropins/defaults/ldap-<LDAP_connection_name>.xml /config/configDropins/
    mv /config/configDropins/defaults/federated.xml /config/configDropins/
    

    Note: Instead of moving the files, you can delete the LDAP settings file and federated.xml from the /config/configDropins/defaults/ directory. However, moving the files ensures that you keep a backup of the configuration, which can be used for troubleshooting. You can also correct the settings in the files and reuse them to set up the LDAP connection; if you do, move the corrected files back into the /config/configDropins/defaults/ directory. The LDAP settings file typically contains the bind DN and bind password for your directory, so treat the backup copy as sensitive and remove it once the connection is working again.

  5. Wait about a minute for the authentication service to pick up the configuration change, then log in to the management console with the default cluster administrator username and password.

  6. Set up your LDAP connection with proper configuration parameters. For more information about setting up an LDAP connection, see Configuring LDAP connection.
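The following script is an added example that automates steps 1 through 5 above; it is not part of the IBM documentation or the IBM Cloud Private code base. It assumes that docker is on the PATH of the master node, that the platform-auth container is the only one whose docker ps row contains the string platform-auth, that the dropins live in /config/configDropins/defaults/ as the page states, and that a timestamped subdirectory of /config/configDropins/ (a name chosen here, not taken from the page) is an acceptable backup location. It generalizes step 3 slightly by moving every ldap-<name>.xml dropin rather than a single named file, so it works whatever the LDAP connection name is. The sample docker ps output embedded in the script is constructed for the offline self-check and is modelled on the page's example.

```sh
#!/bin/sh
# Added example (not IBM documentation code): disable a broken ICP LDAP
# connection by moving its dropins out of the platform-auth container.
# Assumptions: docker on PATH, platform-auth identifiable by name in
# "docker ps", dropins in /config/configDropins/defaults (as the page states).
set -eu

DEFAULTS_DIR="${DEFAULTS_DIR:-/config/configDropins/defaults}"
# Backup location is an assumption; the page suggests /config/configDropins/.
BACKUP_DIR="${BACKUP_DIR:-/config/configDropins/ldap-disabled-$(date +%Y%m%d%H%M%S)}"

# Constructed "docker ps" output, modelled on the page's example; the second
# row is an invented non-matching container so the filter has something to skip.
SAMPLE_PS='CONTAINER ID        IMAGE                      COMMAND                  CREATED      STATUS      PORTS   NAMES
d588a5b951b4        ibmcom/icp-platform-auth   "/usr/bin/supervis..."   5 days ago   Up 5 days           k8s_platform-auth-service_auth-idp-ln0s6_kube-system_d5f4fe3c-c60e-11e7-8ea2-005056a85e40_0
0123456789ab        ibmcom/icp-auth-pdp        "/usr/bin/supervis..."   5 days ago   Up 5 days           k8s_auth-pdp_auth-pdp-x1y2z_kube-system_00000000-0000-0000-0000-000000000000_0'

# Step 1: print the ID of the first container whose "docker ps" row mentions
# platform-auth; exit non-zero if there is none.
parse_container_id() {
  printf '%s\n' "$1" | awk '/platform-auth/ { print $1; found = 1; exit } END { exit !found }'
}

# Steps 3-4: move every ldap-<name>.xml plus federated.xml out of the dropins
# directory into a backup directory. Unrelated dropins are left alone.
# Returns 1 if nothing matched, so a wrong directory is noticed rather than
# silently "fixed".
disable_ldap_dropins() {
  dropins_dir="$1"
  backup_dir="$2"
  moved=0
  mkdir -p "$backup_dir"
  for f in "$dropins_dir"/ldap-*.xml "$dropins_dir"/federated.xml; do
    [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
    mv "$f" "$backup_dir"/
    echo "moved $(basename "$f") -> $backup_dir"
    moved=$((moved + 1))
  done
  if [ "$moved" -eq 0 ]; then
    echo "no LDAP dropins found in $dropins_dir" >&2
    return 1
  fi
  return 0
}

# Host side (steps 1, 2, 5): find the container and stream this same script
# into a shell inside it, so the move happens on the container's filesystem.
run_from_master() {
  ps_out="$(docker ps)" || { echo "docker ps failed; run as root on the master node" >&2; return 1; }
  cid="$(parse_container_id "$ps_out")" || { echo "no platform-auth container running" >&2; return 1; }
  echo "platform-auth container: $cid"
  docker exec -i "$cid" sh -s -- --in-container < "$0"
  echo "wait about a minute, then log in to the console as the cluster administrator"
}

case "${1:-}" in
  --run)          run_from_master ;;
  --in-container) disable_ldap_dropins "$DEFAULTS_DIR" "$BACKUP_DIR" ;;
  *)              : ;;   # no argument: only define the functions above
esac
```

Run it as root on the master node with `sh reset-ldap.sh --run` (any file name will do). The backup directory keeps the original dropins for troubleshooting or for correcting and moving back, as the note under step 4 describes; because they usually hold the LDAP bind credentials, delete the backup once the new connection works.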