local/admin cannot login - ALL USERS role removed from the Password Only chain

  • 7025156
  • 16-Jun-2021
  • 16-Jun-2021

Environment

Advanced Authentication 6.x
AAF

Situation

The ALL USERS role was removed from the Password Only chain. After this change, local\admin can no longer log in. Because there were no users from the LDAP repository in the FULL ADMINS group, login to the Advanced Authentication - Administrative Portal is locked out entirely.

Resolution

Note: It’s strongly recommended to create a snapshot before following the steps.


1. Get the Password Only chain ID:

docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id from logon_chain WHERE name='Password Only'"


2. Get the ALL USERS role ID:

docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id from role WHERE name='ALL USERS'"


3. Insert the ALL USERS role into the Password Only chain:

docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "insert into logon_chain__role (logon_chain_id, role_id, row_ver) values ('REPLACE BY VALUE FROM STEP 1', 'REPLACE BY VALUE FROM STEP 2', '2021-01-01 00:00:00.00000');"
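The three steps above can be run as one script that looks up both IDs, refuses to continue if a name is missing or ambiguous, skips the INSERT when the role is already linked (so running it twice does not create a duplicate row), and verifies the link before you retry the portal login. This is an added example, not part of the TID or of the Advanced Authentication product. It assumes only what the commands above show: the container name aaf_audb_1, database aucore_prod, user root, and the tables logon_chain, role and logon_chain__role with the columns used in step 3; the row_ver value is the same literal the article uses, and psql's -tA (tuples only, unaligned) is used so the query output is a bare value.

```shell
#!/bin/sh
# Added example (not the TID's own commands): restore the ALL USERS role to the
# Password Only chain with lookups, an idempotency check and a final verification.
# Assumptions: container/database/user and table/column names as in the article.
set -eu

CONTAINER="${AAF_DB_CONTAINER:-aaf_audb_1}"
CHAIN_NAME="${CHAIN_NAME:-Password Only}"
ROLE_NAME="${ROLE_NAME:-ALL USERS}"
NL='
'

# run_sql: execute one statement in the database container and print bare values
# (-t: tuples only, -A: unaligned). Redefine this function to test without docker.
run_sql() {
    docker exec "$CONTAINER" psql -U root -d aucore_prod -tA -c "$1"
}

# lookup_id TABLE NAME: print the single id for NAME in TABLE; fail when there is
# no such row or more than one. NAME is a fixed constant from the article, so it is
# embedded in the SQL literally.
lookup_id() {
    table="$1"; name="$2"
    ids=$(run_sql "SELECT id FROM $table WHERE name='$name'") || return 1
    case "$ids" in
        "")       echo "error: no row named '$name' in $table" >&2; return 1 ;;
        *"$NL"*)  echo "error: more than one row named '$name' in $table" >&2; return 1 ;;
    esac
    printf '%s\n' "$ids"
}

# link_exists CHAIN_ID ROLE_ID: true when the role is already assigned to the chain.
link_exists() {
    n=$(run_sql "SELECT count(*) FROM logon_chain__role WHERE logon_chain_id='$1' AND role_id='$2'") || return 1
    [ "$n" -gt 0 ]
}

restore_all_users_role() {
    chain_id=$(lookup_id logon_chain "$CHAIN_NAME") || return 1
    role_id=$(lookup_id role "$ROLE_NAME") || return 1
    if link_exists "$chain_id" "$role_id"; then
        echo "role '$ROLE_NAME' already assigned to chain '$CHAIN_NAME'; nothing to do"
        return 0
    fi
    # Same INSERT as step 3 of the article, with the two IDs filled in.
    run_sql "INSERT INTO logon_chain__role (logon_chain_id, role_id, row_ver) VALUES ('$chain_id', '$role_id', '2021-01-01 00:00:00.00000');" || return 1
    # Verify the row is really there before anyone retries the portal login.
    link_exists "$chain_id" "$role_id" || { echo "error: insert did not take effect" >&2; return 1; }
    echo "restored: chain $chain_id now includes role $role_id"
}

# Only touch the database when explicitly asked; otherwise just define the functions.
case "${1:-}" in
    --apply) restore_all_users_role ;;
esac
```

Run it on the Advanced Authentication server as `sh restore_all_users_role.sh --apply` (after taking the snapshot the note above recommends); without `--apply` it defines the functions and exits, which is also how it can be sourced and tested against a stub run_sql.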

Cause

The LDAP Password method is available only to users of the LDAP repositories. Users of the LOCAL repository, including local\admin, have only the Password method enrolled by default, so the Password Only chain must remain available to local\admin.

Additional Information

It is strongly recommended to add the Advanced Authentication administrators' accounts from your LDAP repository to the FULL ADMIN group, and to keep the LDAP Password Only chain so that these accounts can log in to the AdminUI event.
At the same time, make sure you remember the password of the local\admin account, because it is used to create and restore backups and to add new Advanced Authentication servers to the cluster.

If local\admin cannot access the AA Administrative Portal because of an expired password, see TID 7022003 (https://support.microfocus.com/kb/doc.php?id=7022003).
If an assigned chain was changed in the AdminUI event, see TID 7025151.
If the password is lost or forgotten, see TID 7023511.