[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
Celso Agra
celso.agra at gmail.com
Thu Mar 9 10:03:19 EST 2017
Hi,
I solved this error just by removing the MSAD account controls, but now I'm
getting a new error when I finish my registration.
Here is the log:
2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1)
> UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action:
> org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
> at org.keycloak.events.EventBuilder.user(EventBuilder.java:103)
> at
> org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815)
> at
> org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88)
> at
> org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297)
> at
> org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
> at
> org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> ... 37 more
2017-03-09 9:47 GMT-03:00 Celso Agra <celso.agra at gmail.com>:
> Got it!
>
> But I haven't seen pwdLastSet here in my LDAP mappers. I'm using the
> "Edit Mode" as WRITABLE, but I'm not setting this attribute.
> Here are my attributes:
>
>> cn
>> MSAD account controls
>> cpf
>> creation date
>> email
>> first name
>> last name
>> modify date
>> phpgwAccountStatus
>> username
>
>
> Thanks!!
>
> Best Regards,
>
> Celso Agra
>
> 2017-03-09 5:46 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>
>> Hi,
>>
>> The error may indicate that you configured the "pwdLastSet" attribute mapper
>> in Keycloak to write into the LDAP, but it looks like writing this
>> attribute is unsupported. Maybe switching this mapper to read-only will help?
>>
>> Marek
>>
>>
>> On 08/03/17 15:29, Celso Agra wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to configure KC with LDAP, but some errors are occurring.
>>> First, I configured my LDAP to write to the LDAP server, but for some
>>> reason I get this error when I try to register a user:
>>>
>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6)
>>>
>>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep
>>>> tion:
>>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>>> ager.
>>>
>>>> modifyAttributes(LDAPOperationManager.java:410)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>>> ager.
>>>
>>>> modifyAttributes(LDAPOperationManager.java:104)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>
>>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>>>>
>>> at org.keycloak.federation.ldap.mappers.msad.
>>>
>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>>> MSADUserAccountControlMapper.java:235)
>>>>
>>> at org.keycloak.federation.ldap.mappers.msad.
>>>
>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>>> MSADUserAccountControlMapper.java:220)
>>>>
>>> at org.keycloak.models.utils.UserModelDelegate.addRequiredActio
>>> n(
>>>
>>>> UserModelDelegate.java:112)
>>>>
>>> at org.keycloak.authentication.forms.RegistrationPassword.
>>>
>>>> success(RegistrationPassword.java:101)
>>>>
>>> at org.keycloak.authentication.FormAuthenticationFlow.processAc
>>> tion(
>>>
>>>> FormAuthenticationFlow.java:234)
>>>>
>>> at org.keycloak.authentication.DefaultAuthenticationFlow.
>>>
>>>> processAction(DefaultAuthenticationFlow.java:76)
>>>>
>>> at org.keycloak.authentication.AuthenticationProcessor.
>>>
>>>> authenticationAction(AuthenticationProcessor.java:759)
>>>>
>>> at org.keycloak.services.resources.LoginActionsService.processF
>>> low(
>>>
>>>> LoginActionsService.java:356)
>>>>
>>> at org.keycloak.services.resources.LoginActionsService.
>>>
>>>> processRegistration(LoginActionsService.java:477)
>>>>
>>> at org.keycloak.services.resources.LoginActionsService.
>>>
>>>> processRegister(LoginActionsService.java:535)
>>>>
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(
>>>
>>>> NativeMethodAccessorImpl.java:62)
>>>>
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>>
>>>> DelegatingMethodAccessorImpl.java:43)
>>>>
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>>>
>>>> MethodInjectorImpl.java:139)
>>>>
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>>> (
>>>
>>>> ResourceMethodInvoker.java:295)
>>>>
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>>>
>>>> ResourceMethodInvoker.java:249)
>>>>
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.
>>>
>>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>>>
>>>> ResourceLocatorInvoker.java:101)
>>>>
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>>
>>>> SynchronousDispatcher.java:395)
>>>>
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>>
>>>> SynchronousDispatcher.java:202)
>>>>
>>> at org.jboss.resteasy.plugins.server.servlet.
>>>
>>>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>
>>> at org.jboss.resteasy.plugins.server.servlet.
>>>
>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>
>>> at org.jboss.resteasy.plugins.server.servlet.
>>>
>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>>>
>>>> ServletHandler.java:85)
>>>>
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>>
>>>> doFilter(FilterHandler.java:129)
>>>>
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.
>>>
>>>> doFilter(KeycloakSessionServletFilter.java:90)
>>>>
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(
>>>
>>>> ManagedFilter.java:60)
>>>>
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>>
>>>> doFilter(FilterHandler.java:131)
>>>>
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>>>
>>>> FilterHandler.java:84)
>>>>
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>>> dler.
>>>
>>>> handleRequest(ServletSecurityRoleHandler.java:62)
>>>>
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.
>>>
>>>> handleRequest(ServletDispatchingHandler.java:36)
>>>>
>>> at org.wildfly.extension.undertow.security.
>>>
>>>> SecurityContextAssociationHandler.handleRequest(
>>>> SecurityContextAssociationHandler.java:78)
>>>>
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>
>>>> PredicateHandler.java:43)
>>>>
>>> at io.undertow.servlet.handlers.security.
>>>
>>>> SSLInformationAssociationHandler.handleRequest(
>>>> SSLInformationAssociationHandler.java:131)
>>>>
>>> at io.undertow.servlet.handlers.security.
>>>
>>>> ServletAuthenticationCallHandler.handleRequest(
>>>> ServletAuthenticationCallHandler.java:57)
>>>>
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>
>>>> PredicateHandler.java:43)
>>>>
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>>
>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>>
>>> at io.undertow.servlet.handlers.security.
>>>
>>>> ServletConfidentialityConstraintHandler.handleRequest(
>>>> ServletConfidentialityConstraintHandler.java:64)
>>>>
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>>
>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>
>>> at io.undertow.servlet.handlers.security.
>>>
>>>> CachedAuthenticatedSessionHandler.handleRequest(
>>>> CachedAuthenticatedSessionHandler.java:77)
>>>>
>>> at io.undertow.security.handlers.NotificationReceiverHandler.
>>>
>>>> handleRequest(NotificationReceiverHandler.java:50)
>>>>
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>>
>>>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>>>> tionHandler.java:43)
>>>>
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>
>>>> PredicateHandler.java:43)
>>>>
>>> at org.wildfly.extension.undertow.security.jacc.
>>>
>>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>
>>>> PredicateHandler.java:43)
>>>>
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>
>>>> PredicateHandler.java:43)
>>>>
>>> at io.undertow.servlet.handlers.ServletInitialHandler.
>>>
>>>> handleFirstRequest(ServletInitialHandler.java:284)
>>>>
>>> at io.undertow.servlet.handlers.ServletInitialHandler.
>>>
>>>> dispatchRequest(ServletInitialHandler.java:263)
>>>>
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$
>>>
>>>> 000(ServletInitialHandler.java:81)
>>>>
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.
>>>
>>>> handleRequest(ServletInitialHandler.java:174)
>>>>
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>>
>>>> java:202)
>>>>
>>> at io.undertow.server.HttpServerExchange$1.run(
>>>
>>>> HttpServerExchange.java:793)
>>>>
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>>>
>>>> ThreadPoolExecutor.java:1142)
>>>>
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>>
>>>> ThreadPoolExecutor.java:617)
>>>>
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException:
>>>
>>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining
>>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>>>>
>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>>>
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:308
>>> 2)
>>>
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:288
>>> 8)
>>>
>>> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:14
>>> 75)
>>>
>>> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttribu
>>> tes(
>>>
>>>> ComponentDirContext.java:277)
>>>>
>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>>
>>>> modifyAttributes(PartialCompositeDirContext.java:192)
>>>>
>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>>
>>>> modifyAttributes(PartialCompositeDirContext.java:181)
>>>>
>>> at javax.naming.directory.InitialDirContext.modifyAttributes(
>>>
>>>> InitialDirContext.java:167)
>>>>
>>> at javax.naming.directory.InitialDirContext.modifyAttributes(
>>>
>>>> InitialDirContext.java:167)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>
>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>
>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>
>>>> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>>>>
>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan
>>> ager.
>>>
>>>> modifyAttributes(LDAPOperationManager.java:402)
>>>>
>>> ... 59 more
>>>
>>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6)
>>>
>>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null,
>>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials,
>>>> auth_method=openid-connect, auth_type=code, redirect_uri=
>>>> http://127.0.0.1:
>>>> 8080/teste-portal/
>>>>
>>>
>>> and then, I got this result in my ldap:
>>>
>>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>>>
>>> givenName:: IA==
>>>
>>> uid: 11111111111
>>>
>>> objectClass: top
>>>
>>> objectClass: inetOrgPerson
>>>
>>> objectClass: person
>>>
>>> objectClass: organizationalPerson
>>>
>>> objectClass: phpgwAccount
>>>
>>> objectClass: shadowAccount
>>>
>>> sn:: IA==
>>>
>>> cn:: IA==
>>>
>>> structuralObjectClass: inetOrgPerson
>>>
>>> entryUUID: 07f0e7caxxxxxxxxxxx
>>>
>>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>>>
>>> createTimestamp: 20170308140529Z
>>>
>>> entryCSN: 20170308140529.527857Z#000000#000#000000
>>>
>>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>>
>>> modifyTimestamp: 20170308140529Z
>>>
>>>
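>>> So, I entered the uid as 11111111111, but I didn't set sn, cn and
>>> givenName to 'IA=='. [Note: in LDIF, "::" marks a base64-encoded value, and
>>> "IA==" decodes to a single space character.] It looks like there is some
>>> problem in my configuration.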
>>>
>>> please, need help!!
>>>
>>>
>>> Best Regards,
>>>
>>>
>>
>
>
> --
> ---
> *Celso Agra*
>
--
---
*Celso Agra*