[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration

[Marek Posolda]

Hi,

The error may indicate that you configured "pwdLastSet" attribute mapper 
in Keycloak to write into the LDAP, but it looks that writing this 
attribute is unsupported. Maybe switch this mapper to read-only will help?

Marek

On 08/03/17 15:29, Celso Agra wrote:
> Hi all,
>
> I'm trying to configure KC with LDAP, but some errors are occurring.
> First, I configured my LDAP to write in the LDAP server, but for some
> reasons I got this error when I try to register an user:
>
> 2017-03-08 11:05:28,862 WARN  [org.keycloak.services] (default task-6)
>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>> modifyAttributes(LDAPOperationManager.java:410)
>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>> modifyAttributes(LDAPOperationManager.java:104)
>          at org.keycloak.federation.ldap.idm.store.ldap.
>> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>          at org.keycloak.federation.ldap.mappers.msad.
>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>> MSADUserAccountControlMapper.java:235)
>          at org.keycloak.federation.ldap.mappers.msad.
>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>> MSADUserAccountControlMapper.java:220)
>          at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(
>> UserModelDelegate.java:112)
>          at org.keycloak.authentication.forms.RegistrationPassword.
>> success(RegistrationPassword.java:101)
>          at org.keycloak.authentication.FormAuthenticationFlow.processAction(
>> FormAuthenticationFlow.java:234)
>          at org.keycloak.authentication.DefaultAuthenticationFlow.
>> processAction(DefaultAuthenticationFlow.java:76)
>          at org.keycloak.authentication.AuthenticationProcessor.
>> authenticationAction(AuthenticationProcessor.java:759)
>          at org.keycloak.services.resources.LoginActionsService.processFlow(
>> LoginActionsService.java:356)
>          at org.keycloak.services.resources.LoginActionsService.
>> processRegistration(LoginActionsService.java:477)
>          at org.keycloak.services.resources.LoginActionsService.
>> processRegister(LoginActionsService.java:535)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>          at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)
>
>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>> MethodInjectorImpl.java:139)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>> ResourceMethodInvoker.java:295)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>> ResourceMethodInvoker.java:249)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.
>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>> ResourceLocatorInvoker.java:101)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:395)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:202)
>          at org.jboss.resteasy.plugins.server.servlet.
>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>          at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>          at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>
>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>> ServletHandler.java:85)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:129)
>          at org.keycloak.services.filters.KeycloakSessionServletFilter.
>> doFilter(KeycloakSessionServletFilter.java:90)
>          at io.undertow.servlet.core.ManagedFilter.doFilter(
>> ManagedFilter.java:60)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:131)
>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>> FilterHandler.java:84)
>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
>> handleRequest(ServletSecurityRoleHandler.java:62)
>          at io.undertow.servlet.handlers.ServletDispatchingHandler.
>> handleRequest(ServletDispatchingHandler.java:36)
>          at org.wildfly.extension.undertow.security.
>> SecurityContextAssociationHandler.handleRequest(
>> SecurityContextAssociationHandler.java:78)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.security.
>> SSLInformationAssociationHandler.handleRequest(
>> SSLInformationAssociationHandler.java:131)
>          at io.undertow.servlet.handlers.security.
>> ServletAuthenticationCallHandler.handleRequest(
>> ServletAuthenticationCallHandler.java:57)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>          at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>          at io.undertow.servlet.handlers.security.
>> ServletConfidentialityConstraintHandler.handleRequest(
>> ServletConfidentialityConstraintHandler.java:64)
>          at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>          at io.undertow.servlet.handlers.security.
>> CachedAuthenticatedSessionHandler.handleRequest(
>> CachedAuthenticatedSessionHandler.java:77)
>          at io.undertow.security.handlers.NotificationReceiverHandler.
>> handleRequest(NotificationReceiverHandler.java:50)
>          at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>> tionHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.security.jacc.
>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.ServletInitialHandler.
>> handleFirstRequest(ServletInitialHandler.java:284)
>          at io.undertow.servlet.handlers.ServletInitialHandler.
>> dispatchRequest(ServletInitialHandler.java:263)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$
>> 000(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$1.
>> handleRequest(ServletInitialHandler.java:174)
>          at io.undertow.server.Connectors.executeRootHandler(Connectors.
>> java:202)
>          at io.undertow.server.HttpServerExchange$1.run(
>> HttpServerExchange.java:793)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:745)
>
> Caused by: javax.naming.directory.InvalidAttributeIdentifierException:
>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining
>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>
>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>
>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>
>          at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>
>          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(
>> ComponentDirContext.java:277)
>          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>> modifyAttributes(PartialCompositeDirContext.java:192)
>          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>> modifyAttributes(PartialCompositeDirContext.java:181)
>          at javax.naming.directory.InitialDirContext.modifyAttributes(
>> InitialDirContext.java:167)
>          at javax.naming.directory.InitialDirContext.modifyAttributes(
>> InitialDirContext.java:167)
>          at org.keycloak.federation.ldap.idm.store.ldap.
>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>          at org.keycloak.federation.ldap.idm.store.ldap.
>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>          at org.keycloak.federation.ldap.idm.store.ldap.
>> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>> modifyAttributes(LDAPOperationManager.java:402)
>          ... 59 more
>
> 2017-03-08 11:05:28,865 WARN  [org.keycloak.events] (default task-6)
>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null,
>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials,
>> auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:
>> 8080/teste-portal/
>
> and then, I got this result in my ldap:
>
> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>
> givenName:: IA==
>
> uid: 11111111111
>
> objectClass: top
>
> objectClass: inetOrgPerson
>
> objectClass: person
>
> objectClass: organizationalPerson
>
> objectClass: phpgwAccount
>
> objectClass: shadowAccount
>
> sn:: IA==
>
> cn:: IA==
>
> structuralObjectClass: inetOrgPerson
>
> entryUUID: 07f0e7caxxxxxxxxxxx
>
> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>
> createTimestamp: 20170308140529Z
>
> entryCSN: 20170308140529.527857Z#000000#000#000000
>
> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>
> modifyTimestamp: 20170308140529Z
>
>
> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
> givenName as 'IA=='. It looks like some problem occurs in my configuration.
>
> please, need help!!
>
>
> Best Regards,
>