[keycloak-user] 3.2.0 won't start if an LDAP is misconfigured
Marek Posolda
mposolda at redhat.com
Thu Aug 24 06:12:08 EDT 2017
Looks like a bug. Feel free to create a JIRA. The issue happens during
preloading of offline sessions from the database at server startup. We
should probably just WARN when the user is unavailable, or avoid looking
up the user at all if possible.

As a workaround, you can delete the records in the tables
OFFLINE_USER_SESSION and OFFLINE_CLIENT_SESSION. But note that offline
tokens of users will be lost.

Alternatively, you can back up the tables and restore them later once you
fix your LDAP connection. But you will need to restart the Keycloak server
after the LDAP connection is fixed and the tables are restored, because
Keycloak preloads offline sessions from the DB only at startup at this moment.

Another approach can be to fix the LDAP connection directly in the database. It
should be somewhere in the table COMPONENT_CONFIG.
Marek
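For the database-side workarounds described above, as an added example that is not from the thread or from the Keycloak project: SQL that first backs up the two offline-session tables, then locates the LDAP user-storage provider's connection settings in COMPONENT_CONFIG and corrects its bind credential. The column names follow Keycloak's JPA schema as I understand it; the config key names (connectionUrl, bindDn, bindCredential, enabled) and the angle-bracket values are assumptions and placeholders, not values from the page.

```sql
-- Added example, not from the mailing-list thread. Assumes Keycloak's JPA schema:
-- COMPONENT(ID, NAME, REALM_ID, PROVIDER_ID, PROVIDER_TYPE) and
-- COMPONENT_CONFIG(ID, COMPONENT_ID, NAME, VALUE). Config key names are assumptions.

-- 1) Preserve the offline sessions before touching anything, so the offline
--    tokens can be restored once LDAP is reachable again.
CREATE TABLE offline_user_session_bak   AS SELECT * FROM OFFLINE_USER_SESSION;
CREATE TABLE offline_client_session_bak AS SELECT * FROM OFFLINE_CLIENT_SESSION;

-- 2) Locate every LDAP user-storage provider and the settings that decide
--    whether the startup preload can reach the directory.
SELECT c.REALM_ID,
       c.NAME  AS provider_name,
       cc.NAME AS config_key,
       cc.VALUE
  FROM COMPONENT c
  JOIN COMPONENT_CONFIG cc ON cc.COMPONENT_ID = c.ID
 WHERE c.PROVIDER_ID   = 'ldap'
   AND c.PROVIDER_TYPE = 'org.keycloak.storage.UserStorageProvider'
   AND cc.NAME IN ('connectionUrl', 'bindDn', 'bindCredential', 'enabled')
 ORDER BY c.REALM_ID, c.NAME, cc.NAME;

-- 3) Fix the rotated bind password for one provider, atomically. Keycloak must be
--    restarted afterwards because the component config is read at startup.
BEGIN;
UPDATE COMPONENT_CONFIG
   SET VALUE = '<new-bind-password>'                    -- placeholder
 WHERE NAME = 'bindCredential'
   AND COMPONENT_ID = (SELECT ID
                         FROM COMPONENT
                        WHERE PROVIDER_ID = 'ldap'
                          AND REALM_ID    = '<realm-id>'         -- placeholder
                          AND NAME        = '<provider-name>');  -- placeholder
COMMIT;
```

Run step 2 first and confirm exactly one row matches the realm and provider name before running the UPDATE; if the backup tables are later restored into OFFLINE_USER_SESSION and OFFLINE_CLIENT_SESSION, restart Keycloak again so the preload picks them up.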
On 23/08/17 23:08, Nathan Hoult wrote:
> I am trying to start KC but the LDAP account password changed so it won't
> start:
>
> 14:16:17,839 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (pool-6-thread-1) Could not query server using DN [not important] and filter [not important]: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
> at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
> at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
> at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
> at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
> at javax.naming.InitialContext.init(InitialContext.java:244)
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:547)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:636)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:629)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:226)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:198)
> at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:164)
> at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:175)
> at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:725)
> at org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser(LDAPStorageProvider.java:429)
> at org.keycloak.storage.ldap.LDAPStorageProvider.validate(LDAPStorageProvider.java:153)
> at org.keycloak.storage.UserStorageManager.importValidation(UserStorageManager.java:245)
> at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:301)
> at org.keycloak.models.jpa.session.JpaUserSessionPersisterProvider.loadUserSessions(JpaUserSessionPersisterProvider.java:208)
> at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.loadSessions(OfflineUserSessionLoader.java:61)
> at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74)
> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70)
> at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
>
> I tried making the host resolve to 127.0.0.1 so it would fail to connect
> but it still refused to start. So it seems if LDAP goes down or is
> misconfigured then KC won't start even if I could log in locally or through
> an identity provider?
>
> I tried:
> 1) disabling user and Realm cache
> 2) looking on the internet for some way to disable LDAP or a Realm
> temporarily
> 3) still looking in the code to see if there is a startup parameter I could
> pass it to take another path
>
> Any help to get my KC back up so I can update the password would be
> appreciated.
>
> Thanks,
> - Nathan