[keycloak-user] LDAP username mapping from active directory fails

Marek Posolda mposolda at redhat.com
Wed Feb 17 15:45:24 EST 2016


I guess you changed just "Username LDAP attribute" but you didn't change 
the username mapper? See the "mappers" tab under the LDAP federation provider.

When you create a new LDAP federation provider, a set of default LDAP 
mappers is automatically created. There is a best effort to create the 
set of mappers based on the initial configuration you provided. But once 
you later update the configuration, the mappers are not updated anymore 
(because there's a chance you already made some changes to the mapper 
configuration in the meantime).

If you can't figure out the mapper configuration, you can try to create 
the federationProvider from scratch with "sAMAccountName" from the 
start.

Hope it helps,
Marek

On 17/02/16 12:37, Porfyrios Vasileiou wrote:
> Hello, I created a new LDAP federation in the Keycloak settings and 
> imported all users. The thing is that the username attribute was 
> mapped to the LDAP cn attribute whereas the username in Active 
> Directory is sAMAccountName. Therefore I changed the ldapAttribute to 
> that.
>
> Now when I go to my LDAP settings page and click on "Synchronize" the 
> users fail to update and I am getting this error:
>
> 13:31:53,899 ERROR [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-25) Failed during import user from LDAP: org.keycloak.models.ModelException: User returned from LDAP has null username! Check configuration of your LDAP mappings. Mapped username LDAP attribute: cn, user DN: CN=internal2 lastname,OU=DTPH,DC=dls,DC=lan, attributes from LDAP: {whenChanged=[20160217110433.0Z], whenCreated=[20160217110433.0Z], sAMAccountName=[internal2], givenName=[internal2], sn=[lastname], userAccountControl=[512], pwdLastSet=[131001806735067575]}
>
> If you put it back to cn it works, but I want to use sAMAccountName for 
> the username.
>
> Why does this happen?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
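
The check discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: it parses the "null username" import error quoted above and compares the provider's username attribute with the mapper that feeds the Keycloak username. The dictionary layout and the provider/mapper state are constructed; the key names (usernameLDAPAttribute, user.model.attribute, ldap.attribute) are assumed to follow Keycloak's LDAP provider and user-attribute mapper configuration.

```python
import re

# Constructed from the error quoted in the thread (timestamp and logger prefix dropped).
SAMPLE_ERROR = (
    "User returned from LDAP has null username! Check configuration of your "
    "LDAP mappings. Mapped username LDAP attribute: cn, user DN: "
    "CN=internal2 lastname,OU=DTPH,DC=dls,DC=lan, attributes from LDAP: "
    "{whenChanged=[20160217110433.0Z], whenCreated=[20160217110433.0Z], "
    "sAMAccountName=[internal2], givenName=[internal2], sn=[lastname], "
    "userAccountControl=[512], pwdLastSet=[131001806735067575]}"
)
# Constructed state: provider setting changed after creation, default mapper left as created.
SAMPLE_PROVIDER = {"usernameLDAPAttribute": "sAMAccountName"}
SAMPLE_MAPPERS = [
    {"name": "username", "config": {"user.model.attribute": "username", "ldap.attribute": "cn"}},
    {"name": "last name", "config": {"user.model.attribute": "lastName", "ldap.attribute": "sn"}},
]

def parse_null_username_error(message):
    """Return (attribute used for the username, attribute names the entry returned)."""
    m = re.search(r"Mapped username LDAP attribute: (\S+), user DN: .*?, "
                  r"attributes from LDAP: \{(.*)\}", message)
    if not m:
        raise ValueError("not a 'null username' import error")
    return m.group(1), re.findall(r"(\w+)=\[", m.group(2))

def diagnose(message, provider_config, mappers):
    """List inconsistencies between the failed import, the provider and its mappers."""
    used, returned = parse_null_username_error(message)
    findings = []
    # LDAP attribute names are case-insensitive, so compare lower-cased.
    if used.lower() not in {a.lower() for a in returned}:
        findings.append(f"import read username from '{used}', entry returned only {returned}")
    expected = provider_config["usernameLDAPAttribute"]
    for mapper in mappers:
        cfg = mapper["config"]
        if cfg.get("user.model.attribute") != "username":
            continue  # only the mapper that feeds the Keycloak username matters here
        attr = cfg.get("ldap.attribute", "")
        if attr.lower() != expected.lower():
            findings.append(f"mapper '{mapper['name']}' reads '{attr}', "
                            f"provider setting is '{expected}'")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ERROR, SAMPLE_PROVIDER, SAMPLE_MAPPERS):
        print(finding)
```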
