[keycloak-user] 3.2.0 wont start if an LDAP is misconfigured

Marek Posolda mposolda at redhat.com
Thu Aug 24 06:12:08 EDT 2017


Looks like a bug. Feel free to create a JIRA. The issue happens during 
preloading of offline sessions from the database at server startup. We 
should probably just WARN when the user is unavailable, or avoid looking up 
the user at all if possible.

As a workaround, you can delete the records in the tables 
OFFLINE_USER_SESSION and OFFLINE_CLIENT_SESSION. But note that offline 
tokens of users will be lost.

Alternatively you can back up the tables and restore them later once you 
fix your LDAP connection. But you will need to restart the Keycloak server 
after the LDAP connection is fixed and the tables are restored, because Keycloak 
preloads offline sessions from the DB just at startup at this moment.

Another approach can be to fix the LDAP connection directly in the database. It 
should be somewhere in the table COMPONENT_CONFIG.

Marek

On 23/08/17 23:08, Nathan Hoult wrote:
> I am trying to start KC but the LDAP account password changed so it won't
> start:
>
> 14:16:17,839 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (pool-6-thread-1) Could not query server using DN [not important] and filter [not important]: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
>      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
>      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
>      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
>      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>      at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
>      at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
>      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>      at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
>      at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
>      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>      at javax.naming.InitialContext.init(InitialContext.java:244)
>      at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:547)
>      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:636)
>      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:629)
>      at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:226)
>      at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:198)
>      at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:164)
>      at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:175)
>      at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:725)
>      at org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser(LDAPStorageProvider.java:429)
>      at org.keycloak.storage.ldap.LDAPStorageProvider.validate(LDAPStorageProvider.java:153)
>      at org.keycloak.storage.UserStorageManager.importValidation(UserStorageManager.java:245)
>      at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:301)
>      at org.keycloak.models.jpa.session.JpaUserSessionPersisterProvider.loadUserSessions(JpaUserSessionPersisterProvider.java:208)
>      at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.loadSessions(OfflineUserSessionLoader.java:61)
>      at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74)
>      at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>      at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70)
>      at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34)
>      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>      at java.lang.Thread.run(Thread.java:748)
>
>
> I tried making the host resolve to 127.0.0.1 so it would fail to connect
> but it still refused to start. So it seems if LDAP goes down or is
> misconfigured then KC won't start even if I could log in locally or through
> an identity provider?
>
> I tried:
> 1) disabling user and Realm cache
> 2) looking on the internet for some way to disable LDAP or a Realm
> temporarily
> 3) still looking in the code to see if there is a startup parameter I could
> pass it to take another path
>
> Any help to get my KC back up so I can update the password would be
> appreciated.
>
> Thanks,
> - Nathan
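The backup-then-restore workaround and the COMPONENT_CONFIG lookup from Marek's reply, written out as SQL. This is an added example, not part of the thread: the `_bak` table names, the `CREATE TABLE ... AS SELECT` syntax (PostgreSQL/MySQL/H2 style), the COMPONENT and COMPONENT_CONFIG column names, the `'ldap'` provider id and the `connectionUrl`/`bindDn`/`bindCredential` setting names are assumptions about the Keycloak 3.2 schema and should be checked against your own database before running anything.

```sql
-- Step 1: back up both offline-session tables before touching them.
-- Assumption: CREATE TABLE ... AS SELECT is supported (PostgreSQL, MySQL, H2).
CREATE TABLE offline_client_session_bak AS SELECT * FROM OFFLINE_CLIENT_SESSION;
CREATE TABLE offline_user_session_bak   AS SELECT * FROM OFFLINE_USER_SESSION;

-- Step 2: remove the rows the startup preload walks through, so Keycloak
-- no longer has to validate each session's user against LDAP while booting.
-- Client sessions go first in case they reference user sessions.
DELETE FROM OFFLINE_CLIENT_SESSION;
DELETE FROM OFFLINE_USER_SESSION;

-- Step 3: locate the LDAP provider configuration that needs fixing.
-- Assumption: COMPONENT(ID, NAME, PROVIDER_ID, REALM_ID) and
-- COMPONENT_CONFIG(COMPONENT_ID, NAME, VALUE); LDAP providers use PROVIDER_ID 'ldap'.
SELECT c.REALM_ID, c.ID AS component_id, c.NAME AS provider_name,
       cc.NAME AS setting, cc.VALUE
  FROM COMPONENT c
  JOIN COMPONENT_CONFIG cc ON cc.COMPONENT_ID = c.ID
 WHERE c.PROVIDER_ID = 'ldap'
   AND cc.NAME IN ('connectionUrl', 'bindDn', 'bindCredential')
 ORDER BY c.REALM_ID, c.NAME, cc.NAME;

-- Step 4 (the "fix it in the database" alternative): correct the bind credential
-- in place. Placeholders must be replaced; how the value is stored may vary by
-- Keycloak version, so compare with the row returned in step 3 first.
-- UPDATE COMPONENT_CONFIG
--    SET VALUE = '<new bind password>'
--  WHERE COMPONENT_ID = '<component id from step 3>'
--    AND NAME = 'bindCredential';

-- Step 5: once LDAP is reachable again, put the sessions back (user sessions
-- first) and restart Keycloak, since offline sessions are preloaded only at startup.
INSERT INTO OFFLINE_USER_SESSION   SELECT * FROM offline_user_session_bak;
INSERT INTO OFFLINE_CLIENT_SESSION SELECT * FROM offline_client_session_bak;

-- Step 6: drop the backups after a successful restart.
DROP TABLE offline_client_session_bak;
DROP TABLE offline_user_session_bak;
```

Run steps 1 and 2 in one transaction and keep the backup tables until the server has come up and offline tokens have been verified to work again.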