Reputation: 707
I'm using a standalone Keycloak 4.5.0 on CentOS to provide secure login with LDAP for a web application.
It was working successfully, but after somebody pressed the "Unlink users" button on the Keycloak Admin Panel > User Federation > LDAP, nobody can log in with their LDAP username and password anymore because it gives the "Username or password is wrong" error.
I tried pressing the "Synchronize All Users" button, but nothing changed. So I restarted the Keycloak application on the server, but the problem did not change.
I checked the Keycloak server logs and they give this:
11:22:51,152 ERROR [org.keycloak.events.EventBuilder] (default task-1) Event listener 'user' registered, but provider not found .
So please help me with this login problem and give some info about the "Unlink users" button.
Thanks for any responses.
Upvotes: 0
Views: 5243
Reputation: 1336
We solved it by deleting all users except admin using a shell script like this and then "Synchronize all Users". You could also delete them through the UI if you still have admin access.
#!/usr/bin/env bash
set -euo pipefail
kcadm=/opt/keycloak/bin/kcadm.sh
"$kcadm" config credentials --server http://localhost:8080/auth --realm master --user admin   # logs in to the master realm; kcadm prompts for the admin password
# delete every user in myrealm (the master-realm admin is untouched), then run "Synchronize all users" in the LDAP provider to re-import them
for x in $("$kcadm" get users -r myrealm | jq -r '.[].id'); do "$kcadm" delete "users/$x" -r myrealm; done
Upvotes: 0
Reputation: 1311
Apparently, it's possible to re-link the users manually via the database:
1. In the COMPONENT table, find the configuration name of your LDAP configuration in User Federation. Copy the ID.
2. In the USER_ENTITY table, query the account you want to restore.
3. In the FEDERATION_LINK column of the account data, paste the COMPONENT id.
Sample query to find the federation ID from the COMPONENT table based on REALM_ID:
SELECT id FROM COMPONENT WHERE NAME = '<mapper-ldap-name>' AND REALM_ID = '<realm-name>';
Sample query to update the FEDERATION_LINK column in USER_ENTITY based on REALM_ID:
UPDATE USER_ENTITY SET FEDERATION_LINK = '<federation-id>' WHERE REALM_ID = '<realm-name>';
Upvotes: 0
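The UPDATE in the answer above, as written, sets FEDERATION_LINK for every user in the realm, including accounts that were created locally (a realm-local admin, service accounts). Once linked, Keycloak validates those accounts against LDAP, which does not know them, so they stop working too. The following is an added example, not code from that answer or from the Keycloak project: it runs the same relink against a constructed sqlite3 model of the two tables, with a dry-run preview and the update restricted to explicitly named accounts that currently have no federation link, inside one transaction. The COMPONENT and USER_ENTITY column names follow the answer; the fed-… ids, usernames, the PROVIDER_TYPE column and the trimmed-down schema are constructed for the example.

```python
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed, simplified model of the two Keycloak tables named in the answer.
# Only the columns the relink touches are modelled; the real schema has many more.
SCHEMA = """
CREATE TABLE COMPONENT (
    ID TEXT PRIMARY KEY, NAME TEXT NOT NULL, PROVIDER_TYPE TEXT, REALM_ID TEXT NOT NULL);
CREATE TABLE USER_ENTITY (
    ID TEXT PRIMARY KEY, USERNAME TEXT NOT NULL, REALM_ID TEXT NOT NULL, FEDERATION_LINK TEXT);
"""

# Constructed sample rows; the "fed-..." ids and usernames are placeholders.
COMPONENTS = [
    ("fed-0001", "ldap", "org.keycloak.storage.UserStorageProvider", "myrealm"),
    ("fed-0002", "ldap", "org.keycloak.storage.UserStorageProvider", "otherrealm"),
]
USERS = [
    ("u-1", "alice", "myrealm", None),        # imported from LDAP, link lost by "Unlink users"
    ("u-2", "bob", "myrealm", None),          # same
    ("u-3", "realm-admin", "myrealm", None),  # created locally; must not be pointed at LDAP
    ("u-4", "dave", "myrealm", "fed-9999"),   # bound to another provider; leave alone
    ("u-5", "carol", "otherrealm", None),     # other realm; out of scope
]


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory sample database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO COMPONENT VALUES (?, ?, ?, ?)", COMPONENTS)
    conn.executemany("INSERT INTO USER_ENTITY VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def find_federation_id(conn: sqlite3.Connection, name: str, realm_id: str) -> str:
    """Step 1 of the answer: look up the LDAP provider's COMPONENT id.

    Fails loudly when the name is missing or ambiguous instead of silently
    linking users to the wrong provider.
    """
    rows = conn.execute(
        "SELECT ID FROM COMPONENT WHERE NAME = ? AND REALM_ID = ?", (name, realm_id)
    ).fetchall()
    if len(rows) != 1:
        raise LookupError(
            f"expected exactly one component named {name!r} in realm {realm_id!r}, got {len(rows)}"
        )
    return rows[0][0]


def preview_relink(conn: sqlite3.Connection, realm_id: str,
                   usernames: Iterable[str]) -> List[Tuple[str, str]]:
    """Dry run: (ID, USERNAME) of the requested accounts that would be relinked.

    Only accounts with no federation link are selected, so a user already bound
    to another provider is never silently re-pointed at LDAP.
    """
    names = list(usernames)
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    return conn.execute(
        "SELECT ID, USERNAME FROM USER_ENTITY WHERE REALM_ID = ? AND FEDERATION_LINK IS NULL "
        f"AND USERNAME IN ({placeholders}) ORDER BY USERNAME",
        [realm_id, *names],
    ).fetchall()


def relink_users(conn: sqlite3.Connection, federation_id: str, realm_id: str,
                 usernames: Iterable[str]) -> int:
    """Steps 2 and 3 of the answer for an explicit list of accounts; returns rows updated.

    Runs in one transaction: any error rolls back, nothing is half-applied.
    """
    names = list(usernames)
    if not names:
        return 0
    placeholders = ",".join("?" * len(names))
    with conn:  # commit on success, rollback on exception
        cur = conn.execute(
            "UPDATE USER_ENTITY SET FEDERATION_LINK = ? WHERE REALM_ID = ? "
            f"AND FEDERATION_LINK IS NULL AND USERNAME IN ({placeholders})",
            [federation_id, realm_id, *names],
        )
        return cur.rowcount


def federation_links(conn: sqlite3.Connection, realm_id: str) -> Dict[str, Optional[str]]:
    """USERNAME -> FEDERATION_LINK for one realm, for checking the result."""
    return dict(conn.execute(
        "SELECT USERNAME, FEDERATION_LINK FROM USER_ENTITY WHERE REALM_ID = ?", (realm_id,)
    ).fetchall())


if __name__ == "__main__":
    db = open_sample_db()
    fed_id = find_federation_id(db, "ldap", "myrealm")
    wanted = ["alice", "bob", "dave"]  # the accounts an operator asked to restore
    print("would relink:", preview_relink(db, "myrealm", wanted))
    print("rows updated:", relink_users(db, fed_id, "myrealm", wanted))
    print(federation_links(db, "myrealm"))
```

Run the preview first and compare its row count with the number of accounts you expect to touch; realm-admin stays unlinked because it was never named, and dave keeps his existing link even though he was named. Against a real Keycloak database the same statements apply, but stop the server (or at least the LDAP provider) first and take a backup, since Keycloak caches user entities.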
Reputation: 39
It is not possible for Keycloak to get the password from LDAP. After the unlink process the password can't be checked anymore, and the login would fail. You have to set the "password reset action" for the users to let them specify a new one.
An interesting approach for migrating users can be found here: Migrate to Keycloak with Zero Downtime
Upvotes: 1