Unable to start the IAM Service after updating the new LDAP Bind DN account password.

Can see below entries/exceptions in server.log:

2020-05-06 06:01:17,268 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 54) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
:
:
Caused by: org.keycloak.models.ModelException: LDAP Query failed
:
:
Caused by: org.keycloak.models.ModelException: Could not query server using DN
:
:
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
:
:

All supported DevTest releases.

 

This issue issue happens because when IAM service is starting it will try to establish the LDAP connection with Bind DN details and fails to do so as the password has been changed before restart.

It is not the right practice to Stop or restart IAM service for updating the Bind credentials.

The ideal way to update the Bind Credentials is to login into IAM console as "admin" or any local user that has got the privilege to make LDAP changes and make the change in LDAP configuration section for Bind credentials. 

Make sure to run "Test Connection" and "Test Authentication" after changing the details.

Save the configuration.

You can now logout and login with LDAP users to make sure LDAP connection is established properly. 

In case of Bind DN credential changes without intimation to users and you restarted the IAM service after password got changed, you will face the same error. There is below workaround to bring back IAM service but it must be done as the last option.

- Login into IAM database.(here we are using syntax for MS SQL Server)

- First check the LDAP configuration that is enabled using below query:

select * from COMPONENT_CONFIG where NAME='enabled'

- Then we will disable LDAP by running below query:

UPDATE COMPONENT_CONFIG SET VALUE='false' WHERE NAME='enabled'

- Now start IAM service, it should start fine.

- Login as login into IAM console as "admin" or any local user that has got the privilege to make LDAP changes and make the change in LDAP configuration section for Bind credentials.

- Make sure to run "Test Connection" and "Test Authentication" after changing the details.

- Make sure the Enabled flag is turned ON in the console itself. It would be false as we changed from backend.

- Save the configuration.

- Restart IAM service once and it would come up fine.