[keycloak-user] User cannot be imported from LDAP - ModelDuplicateException - although userStorage does not contain any users yet

Marek Posolda mposolda at redhat.com
Wed Oct 12 16:35:43 EDT 2016


It seems like a mis-configuration of the federation provider. You didn't 
finish the logging line from SPNEGOAuthenticator and the value of srcName

On 12/10/16 13:20, Daniela.Weil at itzbund.de wrote:
> Dear All,
>
> I installed Keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider with Kerberos integration.
> The "username LDAP attribute" I set to the LDAP attribute (bfvNovellLogin) that contains the Kerberos username. The "UUID LDAP attribute" is set to the "uid" attribute.
>
> Kerberos auth succeeded:
> 2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-3) SPNEGO Security context accepted with token: oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false, mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....
You didn't finish this logging line from SPNEGOAuthenticator and the 
value of "srcName", which is next in the logging message, is the most 
important one :-)

However, I guess this name was "dweil", right? And LDAP is later looking 
for username "WeiDayq", so there are 2 different usernames but the same email...

It seems like a mis-configuration of the LDAP federation provider 
and/or mappers. Is the "username LDAP attribute" configured to the same 
value as the LDAP attribute in the username mapper?

Marek
>
> 2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: WeiDayq
>
> The LDAP object could be created:
> 2016-10-12 10:23:42,515 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes: {uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil at zivit.de], bfvDstnr=[1481], sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z], createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr, bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
>
> So far no users are in the keycloak datastore.
>
> On mapping the email attribute, the user "dweil" is not recognized as the user "weidayq" that Kerberos authenticated earlier:
> 2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper  { name=DStNummer, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr, is.mandatory.in.ldap=false, user.model.attribute=DstNr} }  during import user from LDAP
> 2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper  { name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} }  during import user from LDAP
> 2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user 'weidayq' from LDAP because email 'daniela.weil at zivit.de' already exists in Keycloak. Existing user with this email is 'dweil'
>          at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
>          at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
>          at org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
>          at org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
>          at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
>          at org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
>          at org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
>          at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
>          at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
>
> Why does Keycloak assume that my one and only user is two different users (having a different ID)?
>
> Kind Regards,
> Daniela Weil
>
>
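Marek's diagnosis replayed as an added example (my code, not Keycloak's): a simplified model of the import path in the stack trace above, which parses the "Using mapper" TRACE lines, checks that the provider's "username LDAP attribute" equals the username mapper's ldap.attribute, and shows how importing the same LDAP entry under two different usernames trips checkDuplicateEmail. The username mapper log line, the lower-casing of usernames and the "import once as dweil, then look up WeiDayq" sequence are assumptions.

```python
import re

class ModelDuplicateException(Exception):
    pass  # stand-in for org.keycloak.models.ModelDuplicateException
# Mapper TRACE lines in the shape LDAPFederationProvider logs them: the email mapper is the one
# from the thread, the username mapper line is constructed (assumed to map ldap.attribute=uid).
MAPPER_LOG_LINES = [
    "TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper  "
    "{ name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, "
    "read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} }  during import user from LDAP",
    "TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper  "
    "{ name=username, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, "
    "read.only=true, ldap.attribute=uid, is.mandatory.in.ldap=false, user.model.attribute=username} }  during import user from LDAP",
]
# The LDAP entry from the thread, as the attribute map LDAPIdentityStore logged it.
LDAP_OBJECT = {"uid": ["dweil"], "bfvNovellLogin": ["WeiDayq"], "mail": ["daniela.weil at zivit.de"],
               "sn": ["Weil"], "cn": ["Daniela Weil"]}
MAPPER_RE = re.compile(r"Using mapper\s+\{ name=(?P<name>[^,]+),.*?config=\{(?P<cfg>[^}]*)\}")

def parse_mapper(line):
    """Turn one 'Using mapper' TRACE line into {'name': ..., 'config': {...}}."""
    m = MAPPER_RE.search(line)
    cfg = dict(kv.strip().split("=", 1) for kv in m.group("cfg").split(","))
    return {"name": m.group("name").strip(), "config": cfg}

def username_attribute_mismatch(provider_username_attr, mappers):
    """Marek's check: the provider's 'username LDAP attribute' must equal the ldap.attribute
    of the mapper that fills user.model.attribute=username."""
    for mp in mappers:
        if mp["config"].get("user.model.attribute") == "username":
            return mp["config"]["ldap.attribute"] != provider_username_attr
    return True  # no username mapper at all is also a mis-configuration

def import_user(ldap_obj, username_attr, mappers, store):
    """Simplified model of importUserFromLDAP (assumption, not Keycloak's code): username comes from
    username_attr lower-cased, each mapper copies its attribute, the email mapper refuses a duplicate."""
    username = ldap_obj[username_attr][0].lower()
    if username in store:
        return store[username]  # already imported: no second import, no duplicate check
    user = {"username": username}
    for mp in mappers:
        value, target = ldap_obj.get(mp["config"]["ldap.attribute"], [None])[0], mp["config"]["user.model.attribute"]
        if target == "email" and value:
            owner = next((u for u, rec in store.items() if rec.get("email") == value), None)
            if owner is not None and owner != username:
                raise ModelDuplicateException(f"Can't import user '{username}' from LDAP because email "
                                              f"'{value}' already exists in Keycloak. Existing user with this email is '{owner}'")
        user.setdefault(target, value)
    store[username] = user
    return user
```

With the provider set to bfvNovellLogin and the mapper on uid, the second lookup fails exactly as in the thread; with both on the same attribute the second lookup returns the already imported user.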