[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration

Celso Agra celso.agra at gmail.com
Thu Mar 9 07:47:55 EST 2017 

Got it!

But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using the
"Edit Mode" as WRITABLE, but I'm not setting this attribute.
Here is my attributes:

> cn
> MSAD account controls
> cpf
> creation date
> email
> first name
> last name
> modify date
> phpgwAccountStatus
> username


Thanks!!

Best Regards,

Celso Agra

2017-03-09 5:46 GMT-03:00 Marek Posolda <mposolda at redhat.com>:

> Hi,
>
> The error may indicate that you configured "pwdLastSet" attribute mapper
> in Keycloak to write into the LDAP, but it looks that writing this
> attribute is unsupported. Maybe switch this mapper to read-only will help?
>
> Marek
>
>
> On 08/03/17 15:29, Celso Agra wrote:
>
>> Hi all,
>>
>> I'm trying to configure KC with LDAP, but some errors are occurring.
>> First, I configured my LDAP to write in the LDAP server, but for some
>> reasons I got this error when I try to register an user:
>>
>> 2017-03-08 11:05:28,862 WARN  [org.keycloak.services] (default task-6)
>>
>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep
>>> tion:
>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>> ager.
>>
>>> modifyAttributes(LDAPOperationManager.java:410)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>> ager.
>>
>>> modifyAttributes(LDAPOperationManager.java:104)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.
>>
>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>>>
>>          at org.keycloak.federation.ldap.mappers.msad.
>>
>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>> MSADUserAccountControlMapper.java:235)
>>>
>>          at org.keycloak.federation.ldap.mappers.msad.
>>
>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>> MSADUserAccountControlMapper.java:220)
>>>
>>          at org.keycloak.models.utils.UserModelDelegate.addRequiredActio
>> n(
>>
>>> UserModelDelegate.java:112)
>>>
>>          at org.keycloak.authentication.forms.RegistrationPassword.
>>
>>> success(RegistrationPassword.java:101)
>>>
>>          at org.keycloak.authentication.FormAuthenticationFlow.processAc
>> tion(
>>
>>> FormAuthenticationFlow.java:234)
>>>
>>          at org.keycloak.authentication.DefaultAuthenticationFlow.
>>
>>> processAction(DefaultAuthenticationFlow.java:76)
>>>
>>          at org.keycloak.authentication.AuthenticationProcessor.
>>
>>> authenticationAction(AuthenticationProcessor.java:759)
>>>
>>          at org.keycloak.services.resources.LoginActionsService.processF
>> low(
>>
>>> LoginActionsService.java:356)
>>>
>>          at org.keycloak.services.resources.LoginActionsService.
>>
>>> processRegistration(LoginActionsService.java:477)
>>>
>>          at org.keycloak.services.resources.LoginActionsService.
>>
>>> processRegister(LoginActionsService.java:535)
>>>
>>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>
>>          at sun.reflect.NativeMethodAccessorImpl.invoke(
>>
>>> NativeMethodAccessorImpl.java:62)
>>>
>>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>
>>> DelegatingMethodAccessorImpl.java:43)
>>>
>>          at java.lang.reflect.Method.invoke(Method.java:498)
>>
>>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>>
>>> MethodInjectorImpl.java:139)
>>>
>>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>>
>>> ResourceMethodInvoker.java:295)
>>>
>>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>>
>>> ResourceMethodInvoker.java:249)
>>>
>>          at org.jboss.resteasy.core.ResourceLocatorInvoker.
>>
>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>
>>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>>
>>> ResourceLocatorInvoker.java:101)
>>>
>>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>
>>> SynchronousDispatcher.java:395)
>>>
>>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>
>>> SynchronousDispatcher.java:202)
>>>
>>          at org.jboss.resteasy.plugins.server.servlet.
>>
>>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>
>>          at org.jboss.resteasy.plugins.server.servlet.
>>
>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>
>>          at org.jboss.resteasy.plugins.server.servlet.
>>
>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>
>>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>
>>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>>
>>> ServletHandler.java:85)
>>>
>>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>
>>> doFilter(FilterHandler.java:129)
>>>
>>          at org.keycloak.services.filters.KeycloakSessionServletFilter.
>>
>>> doFilter(KeycloakSessionServletFilter.java:90)
>>>
>>          at io.undertow.servlet.core.ManagedFilter.doFilter(
>>
>>> ManagedFilter.java:60)
>>>
>>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>
>>> doFilter(FilterHandler.java:131)
>>>
>>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>>
>>> FilterHandler.java:84)
>>>
>>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.
>>
>>> handleRequest(ServletSecurityRoleHandler.java:62)
>>>
>>          at io.undertow.servlet.handlers.ServletDispatchingHandler.
>>
>>> handleRequest(ServletDispatchingHandler.java:36)
>>>
>>          at org.wildfly.extension.undertow.security.
>>
>>> SecurityContextAssociationHandler.handleRequest(
>>> SecurityContextAssociationHandler.java:78)
>>>
>>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>
>>> PredicateHandler.java:43)
>>>
>>          at io.undertow.servlet.handlers.security.
>>
>>> SSLInformationAssociationHandler.handleRequest(
>>> SSLInformationAssociationHandler.java:131)
>>>
>>          at io.undertow.servlet.handlers.security.
>>
>>> ServletAuthenticationCallHandler.handleRequest(
>>> ServletAuthenticationCallHandler.java:57)
>>>
>>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>
>>> PredicateHandler.java:43)
>>>
>>          at io.undertow.security.handlers.AbstractConfidentialityHandler
>>
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>
>>          at io.undertow.servlet.handlers.security.
>>
>>> ServletConfidentialityConstraintHandler.handleRequest(
>>> ServletConfidentialityConstraintHandler.java:64)
>>>
>>          at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>
>>          at io.undertow.servlet.handlers.security.
>>
>>> CachedAuthenticatedSessionHandler.handleRequest(
>>> CachedAuthenticatedSessionHandler.java:77)
>>>
>>          at io.undertow.security.handlers.NotificationReceiverHandler.
>>
>>> handleRequest(NotificationReceiverHandler.java:50)
>>>
>>          at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>
>>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>>> tionHandler.java:43)
>>>
>>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>
>>> PredicateHandler.java:43)
>>>
>>          at org.wildfly.extension.undertow.security.jacc.
>>
>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>
>>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>
>>> PredicateHandler.java:43)
>>>
>>          at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>
>>> PredicateHandler.java:43)
>>>
>>          at io.undertow.servlet.handlers.ServletInitialHandler.
>>
>>> handleFirstRequest(ServletInitialHandler.java:284)
>>>
>>          at io.undertow.servlet.handlers.ServletInitialHandler.
>>
>>> dispatchRequest(ServletInitialHandler.java:263)
>>>
>>          at io.undertow.servlet.handlers.ServletInitialHandler.access$
>>
>>> 000(ServletInitialHandler.java:81)
>>>
>>          at io.undertow.servlet.handlers.ServletInitialHandler$1.
>>
>>> handleRequest(ServletInitialHandler.java:174)
>>>
>>          at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>
>>> java:202)
>>>
>>          at io.undertow.server.HttpServerExchange$1.run(
>>
>>> HttpServerExchange.java:793)
>>>
>>          at java.util.concurrent.ThreadPoolExecutor.runWorker(
>>
>>> ThreadPoolExecutor.java:1142)
>>>
>>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>
>>> ThreadPoolExecutor.java:617)
>>>
>>          at java.lang.Thread.run(Thread.java:745)
>>
>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException:
>>
>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining
>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>>>
>>          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>>
>>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:
>> 3082)
>>
>>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:
>> 2888)
>>
>>          at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:14
>> 75)
>>
>>          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttribu
>> tes(
>>
>>> ComponentDirContext.java:277)
>>>
>>          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>
>>> modifyAttributes(PartialCompositeDirContext.java:192)
>>>
>>          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>
>>> modifyAttributes(PartialCompositeDirContext.java:181)
>>>
>>          at javax.naming.directory.InitialDirContext.modifyAttributes(
>>
>>> InitialDirContext.java:167)
>>>
>>          at javax.naming.directory.InitialDirContext.modifyAttributes(
>>
>>> InitialDirContext.java:167)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.
>>
>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.
>>
>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.
>>
>>> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>>>
>>          at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>> ager.
>>
>>> modifyAttributes(LDAPOperationManager.java:402)
>>>
>>          ... 59 more
>>
>> 2017-03-08 11:05:28,865 WARN  [org.keycloak.events] (default task-6)
>>
>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null,
>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials,
>>> auth_method=openid-connect, auth_type=code, redirect_uri=
>>> http://127.0.0.1:
>>> 8080/teste-portal/
>>>
>>
>> and then, I got this result in my ldap:
>>
>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>>
>> givenName:: IA==
>>
>> uid: 11111111111
>>
>> objectClass: top
>>
>> objectClass: inetOrgPerson
>>
>> objectClass: person
>>
>> objectClass: organizationalPerson
>>
>> objectClass: phpgwAccount
>>
>> objectClass: shadowAccount
>>
>> sn:: IA==
>>
>> cn:: IA==
>>
>> structuralObjectClass: inetOrgPerson
>>
>> entryUUID: 07f0e7caxxxxxxxxxxx
>>
>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>>
>> createTimestamp: 20170308140529Z
>>
>> entryCSN: 20170308140529.527857Z#000000#000#000000
>>
>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>
>> modifyTimestamp: 20170308140529Z
>>
>>
>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
>> givenName as 'IA=='. It looks like some problem occurs in my
>> configuration.
>>
>> please, need help!!
>>
>>
>> Best Regards,
>>
>>
>


-- 
---
*Celso Agra*

More information about the keycloak-user mailing list