Keycloak with Writable ldap connection forces user to Update their password - keycloak

I'm running a keycloak instance in a test environment, which connects to a Microsoft Active Directory. Users are being imported correctly, so no issues there.
When I'm using the "Edit mode" READ_ONLY to connect to ldap, everything works fine. Users can login, and when they want to update their password they get an error, as expected.
When I change the "Edit mode" to WRITABLE, suddenly the action "Update Password" in the "Required user actions" becomes active. I am not able to remove that action because keycloak won't let me remove it. When I save the user without that option enabled, it becomes automatically enabled again.
I've already checked that "Update Password" is not set as default in the Realm Authentication settings.

Related

SSO Configuration on a Keycloak with existing user federation

I am trying to set up SSO between two Keycloaks. The target Keycloak, where I want to configure the SSO has user federation set up in place and the user management is disabled. I was thinking of configuring IdP brokering between my source Keycloak and the target Keycloak so that I can use the same authentication token.
I have configured login redirection and when I try to login to the target system, I was promptly redirected to the source Keycloak. Unfortunately, upon entering the username and password, I was presented with a dialog box stating that my user already exists and offering me to either Review the profile or Add to existing profile.
Initially, I thought it was because user modification is disabled by the user federation. I have manually created the same username on the system which is providing the list of users, but even with this in place I am still unable to log in and am presented with exactly the same error message.

KeyCloak - how to access old User Account Console?

How do you access or enable the old KeyCloak user account console? In this blog post about the new user account console, they say "The old account console is still available for those who need it", but I cannot find out where to enable that.
You need to:
Go to your Realm;
In Account Theme, explicitly choose "keycloak";
Click Save.
In the Account Theme dropdown menu you will see at least the following:
base;
keycloak;
keycloak.v2.
By default the new version, keycloak.v2, is selected. keycloak refers to the "old" version.

Rocket.Chat REST API authentication when using "iframe auth"

I'm using the Rocket.Chat REST API for some automated user management. This was working great after I installed Rocket.Chat and my admin user had a username/password combo. Then, I activated the "iframe authentication" system in the admin panel. Now, when I try to use the REST API "login" endpoint, I get the error "User has no password set". Any ideas why this is happening? When I look at the user document in the MongoDB for Rocket.Chat, there is no "password" field (seems to have been deleted when I activated the iframe authentication).
UPDATE: I disabled the "iframe authentication" system and set a new password on my account. Looking at the DB now, that user has a "password" entry, so the password is there. But, now I can't log in because it says my password is incorrect. In summary, this software has a lot of bugs, it seems.

Create/Access a ClearCase view (Snapshot or Dynamic) without local admin privileges

In our current environment all the users who would like to access ClearCase require local administrative rights, and I'm looking into the options to remove the local admin privs constraint so that all users can access it if they are part of ClearCase domain groups like CCUsers.
Local admin privilege should only be required for installing ClearCase, especially when it comes to the MVFS (MultiView FileSystem) part.
But it is also used for launching ClearCase services. Without a privilege elevation, you would see:
C:\>net start albd
System error 5 has occurred.
Access is denied.
From Windows Services
Unable to open service Albd for writing on Local Computer
Error 5: Access is denied.
First, check if you can set those services as "Automatic": they should be started during Windows Startup, even if the user is not an administrator.
This thread recommends:
Click on Atria Location Broker service and select Properties.
On the General tab, "Startup type" should be "Automatic".
On the Log On tab, select the radio button to Log on as "This account" and enter the ALBD user account and password that you should have already set up (e.g. your-domain\clearcase_albd). If you do this properly, the Atria Location Broker service should start automatically for any user.
See also "Troubleshooting ALBD startup failures on Microsoft Windows".

Lost access to websphere admin console

I'm kind of new with websphere. I was following an internal guide for setting up one of our company apps in websphere, but I changed one parameter in the admin console and after restarting the server, we cannot access the administration console.
I checked the first option, where before the second one was checked, with user admin and password admin also. Now, because it says "Server identity generated automatically", I have no idea what combination of user and password I need to enter in the administration console.
The administration console I'm referring to is the one located in server:port/ibm/console.
Thanks, this is really a serious problem for me, I would really appreciate any help I can get...
You should still be able to use whatever password you were using for admin user before making the change. Server user id is not used for restricting access to administrative console (see What is security property 'Server user identity' used for in Websphere Application Server?).
Nonetheless, since you can't access the admin console at the moment (I'm assuming you mean that the admin console login page shows up but you can't get the admin user authenticated due to a wrong password), the first thing I'd suggest is turning off global security, so that you can use the admin console to fix your settings and re-enable security. Once security is turned off, you won't be asked for a password during admin console login. The Changing security settings in WebSphere Application Server with wsadmin technote gives step by step instructions.
If you are not sure about what password you have used for admin user, you must reset the password in the user repository you have configured (for example if you've configured LDAP, you must reset password at LDAP), before enabling security. If you are using a federated repository (this is default if you've not changed it), most probably admin user resides in file based repository, which is the first member of federated repository. In this case, you can just follow steps at How to reset the administrator's password in the file registry technote to reset your password. Otherwise you can try alternative documented at Updating your WAS administrator password (the link is from Lotus documentation but still is applicable).
Given that you have the command line tool 'xmlstarlet' in your terminal and:
WAS_HOME = your Websphere root location
PROFILENAME = your profile's name
CELLNAME = your cell's name
Then:
xmlstarlet edit --update "/security:Security[@enabled='true']/@enabled" --value "false" $WAS_HOME/profiles/$PROFILENAME/config/cells/$CELLNAME/security.xml > /tmp/security.xml
cp /tmp/security.xml $WAS_HOME/profiles/$PROFILENAME/config/cells/$CELLNAME/security.xml
Summary: You are simply editing the correct security.xml file by changing the enabled="true" attribute to enabled="false" programmatically using xmlstarlet. Note that sed, awk, ed and other GNU tools lack the necessary ability to properly deal with the nested tree structure of XML.
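The same edit as the xmlstarlet command above, done with a real XML parser from the Python standard library; this is an added example, not code from either answer. The sample security.xml is a constructed, heavily trimmed stand-in (the namespace URIs are the ones WAS declares on the root element); the function names are my own.

```python
"""Flip the global-security switch in a WAS security.xml with a real XML parser.

Equivalent of /security:Security[@enabled='true']/@enabled -> "false":
only that one attribute changes; every other element and attribute is
preserved by the parser, which a sed/awk edit cannot guarantee.
"""
import xml.etree.ElementTree as ET

# Namespace URIs as declared on the root element of a WAS security.xml.
SECURITY_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
XMI_NS = "http://www.omg.org/XMI"
SECURITY_ROOT = f"{{{SECURITY_NS}}}Security"

# Keep the original prefixes on output instead of ns0/ns1.
ET.register_namespace("security", SECURITY_NS)
ET.register_namespace("xmi", XMI_NS)

# Constructed sample; a real file carries many more child elements.
SAMPLE_SECURITY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="{XMI_NS}"
    xmlns:security="{SECURITY_NS}" xmi:id="Security_1"
    enabled="true" appEnabled="true" activeUserRegistry="WIMUserRegistry_1">
  <userRegistries xmi:id="WIMUserRegistry_1" serverId=""/>
</security:Security>
"""


def _root(xml_text: str) -> ET.Element:
    """Parse and refuse anything whose root is not security:Security."""
    root = ET.fromstring(xml_text)
    if root.tag != SECURITY_ROOT:
        raise ValueError("not a WebSphere security.xml document")
    return root


def is_global_security_enabled(xml_text: str) -> bool:
    """True when the root security:Security element carries enabled="true"."""
    return _root(xml_text).get("enabled") == "true"


def disable_global_security(xml_text: str) -> str:
    """Return the document with enabled="false" on the root (no-op if already off)."""
    root = _root(xml_text)
    if root.get("enabled") == "true":
        root.set("enabled", "false")
    return ET.tostring(root, encoding="unicode", xml_declaration=True)


if __name__ == "__main__":
    print(disable_global_security(SAMPLE_SECURITY_XML))
```

To apply it to $WAS_HOME/profiles/$PROFILENAME/config/cells/$CELLNAME/security.xml, read the file, write the returned text back after taking a backup copy, and re-enable security from the console once the registry settings are fixed.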