[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
Marek Posolda
mposolda at redhat.com
Fri Mar 10 05:41:56 EST 2017
This looks like bad LDAP mapping for username and UUID. Which LDAP are
you using btv?
Marek
On 09/03/17 16:03, Celso Agra wrote:
> Hi,
>
> I solved this error, just removing the MSAD account controls, but now
> I'm getting a new error, when I finished my registration:
> here is the log:
>
> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default
> task-1) UT005023: Exception handling request to
> /auth/realms/myrealm/login-actions/required-action:
> org.jboss.resteasy.spi.UnhandledException:
> java.lang.NullPointerException
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
> at
> org.keycloak.events.EventBuilder.user(EventBuilder.java:103)
> at
> org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815)
> at
> org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88)
> at
> org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297)
> at
> org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
> at
> org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> ... 37 more
>
>
>
>
>
> 2017-03-09 9:47 GMT-03:00 Celso Agra <celso.agra at gmail.com
> <mailto:celso.agra at gmail.com>>:
>
> Got it!
>
> But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm
> using the "Edit Mode" as WRITABLE, but I'm not setting this attribute.
> Here is my attributes:
>
> cn
> MSAD account controls
> cpf
> creation date
> email
> first name
> last name
> modify date
> phpgwAccountStatus
> username
>
>
> Thanks!!
>
> Best Regards,
>
> Celso Agra
>
> 2017-03-09 5:46 GMT-03:00 Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>>:
>
> Hi,
>
> The error may indicate that you configured "pwdLastSet"
> attribute mapper in Keycloak to write into the LDAP, but it
> looks that writing this attribute is unsupported. Maybe switch
> this mapper to read-only will help?
>
> Marek
>
>
> On 08/03/17 15:29, Celso Agra wrote:
>
> Hi all,
>
> I'm trying to configure KC with LDAP, but some errors are
> occurring.
> First, I configured my LDAP to write in the LDAP server,
> but for some
> reasons I got this error when I try to register an user:
>
> 2017-03-08 11:05:28,862 WARN [org.keycloak.services]
> (default task-6)
>
> KC-SERVICES0013: Failed authentication:
> org.keycloak.models.ModelException:
> Could not modify attribute for DN
> [uid=11111111111,dc=zz,dc=dd,dc=aa]
>
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>
> modifyAttributes(LDAPOperationManager.java:410)
>
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>
> modifyAttributes(LDAPOperationManager.java:104)
>
> at org.keycloak.federation.ldap.idm.store.ldap.
>
> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>
> at org.keycloak.federation.ldap.mappers.msad.
>
> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
> MSADUserAccountControlMapper.java:235)
>
> at org.keycloak.federation.ldap.mappers.msad.
>
> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
> MSADUserAccountControlMapper.java:220)
>
> at
> org.keycloak.models.utils.UserModelDelegate.addRequiredAction(
>
> UserModelDelegate.java:112)
>
> at org.keycloak.authentication.fo
> <http://org.keycloak.authentication.fo>rms.RegistrationPassword.
>
> success(RegistrationPassword.java:101)
>
> at org.keycloak.authentication.Fo
> <http://org.keycloak.authentication.Fo>rmAuthenticationFlow.processAction(
>
> FormAuthenticationFlow.java:234)
>
> at org.keycloak.authentication.De
> <http://org.keycloak.authentication.De>faultAuthenticationFlow.
>
> processAction(DefaultAuthenticationFlow.java:76)
>
> at org.keycloak.authentication.Au
> <http://org.keycloak.authentication.Au>thenticationProcessor.
>
> authenticationAction(AuthenticationProcessor.java:759)
>
> at
> org.keycloak.services.resources.LoginActionsService.processFlow(
>
> LoginActionsService.java:356)
>
> at
> org.keycloak.services.resources.LoginActionsService.
>
> processRegistration(LoginActionsService.java:477)
>
> at
> org.keycloak.services.resources.LoginActionsService.
>
> processRegister(LoginActionsService.java:535)
>
> at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> at sun.reflect.NativeMethodAccessorImpl.invoke(
>
> NativeMethodAccessorImpl.java:62)
>
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>
> DelegatingMethodAccessorImpl.java:43)
>
> at java.lang.reflect.Method.invoke(Method.java:498)
>
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>
> MethodInjectorImpl.java:139)
>
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>
> ResourceMethodInvoker.java:295)
>
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>
> ResourceMethodInvoker.java:249)
>
> at org.jboss.resteasy.core.ResourceLocatorInvoker.
>
> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>
> ResourceLocatorInvoker.java:101)
>
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>
> SynchronousDispatcher.java:395)
>
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>
> SynchronousDispatcher.java:202)
>
> at org.jboss.resteasy.plugins.server.servlet.
>
> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>
> at org.jboss.resteasy.plugins.server.servlet.
>
> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>
> at org.jboss.resteasy.plugins.server.servlet.
>
> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>
> at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(
>
> ServletHandler.java:85)
>
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>
> doFilter(FilterHandler.java:129)
>
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.
>
> doFilter(KeycloakSessionServletFilter.java:90)
>
> at io.undertow.servlet.core.ManagedFilter.doFilter(
>
> ManagedFilter.java:60)
>
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>
> doFilter(FilterHandler.java:131)
>
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(
>
> FilterHandler.java:84)
>
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
>
> handleRequest(ServletSecurityRoleHandler.java:62)
>
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.
>
> handleRequest(ServletDispatchingHandler.java:36)
>
> at org.wildfly.extension.undertow.security.
>
> SecurityContextAssociationHandler.handleRequest(
> SecurityContextAssociationHandler.java:78)
>
> at io.undertow.server.handlers.Pr
> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>
> PredicateHandler.java:43)
>
> at io.undertow.servlet.handlers.security.
>
> SSLInformationAssociationHandler.handleRequest(
> SSLInformationAssociationHandler.java:131)
>
> at io.undertow.servlet.handlers.security.
>
> ServletAuthenticationCallHandler.handleRequest(
> ServletAuthenticationCallHandler.java:57)
>
> at io.undertow.server.handlers.Pr
> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>
> PredicateHandler.java:43)
>
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler
>
> .handleRequest(AbstractConfidentialityHandler.java:46)
>
> at io.undertow.servlet.handlers.security.
>
> ServletConfidentialityConstraintHandler.handleRequest(
> ServletConfidentialityConstraintHandler.java:64)
>
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandle
>
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>
> at io.undertow.servlet.handlers.security.
>
> CachedAuthenticatedSessionHandler.handleRequest(
> CachedAuthenticatedSessionHandler.java:77)
>
> at
> io.undertow.security.handlers.NotificationReceiverHandler.
>
> handleRequest(NotificationReceiverHandler.java:50)
>
> at
> io.undertow.security.handlers.AbstractSecurityContextAssocia
>
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
>
> at io.undertow.server.handlers.Pr
> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>
> PredicateHandler.java:43)
>
> at org.wildfly.extension.undertow.security.jacc.
>
> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>
> at io.undertow.server.handlers.Pr
> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>
> PredicateHandler.java:43)
>
> at io.undertow.server.handlers.Pr
> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>
> PredicateHandler.java:43)
>
> at
> io.undertow.servlet.handlers.ServletInitialHandler.
>
> handleFirstRequest(ServletInitialHandler.java:284)
>
> at
> io.undertow.servlet.handlers.ServletInitialHandler.
>
> dispatchRequest(ServletInitialHandler.java:263)
>
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$
>
> 000(ServletInitialHandler.java:81)
>
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.
>
> handleRequest(ServletInitialHandler.java:174)
>
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.
>
> java:202)
>
> at io.undertow.server.HttpServerExchange$1.run(
>
> HttpServerExchange.java:793)
>
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>
> ThreadPoolExecutor.java:1142)
>
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
>
> ThreadPoolExecutor.java:617)
>
> at java.lang.Thread.run(Thread.java:745)
>
> Caused by:
> javax.naming.directory.InvalidAttributeIdentifierException:
>
> [LDAP: error code 17 - pwdLastSet: attribute type
> undefined]; remaining
> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>
> at
> com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>
> at
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>
> at
> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>
> at
> com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>
> at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(
>
> ComponentDirContext.java:277)
>
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>
> modifyAttributes(PartialCompositeDirContext.java:192)
>
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>
> modifyAttributes(PartialCompositeDirContext.java:181)
>
> at
> javax.naming.directory.InitialDirContext.modifyAttributes(
>
> InitialDirContext.java:167)
>
> at
> javax.naming.directory.InitialDirContext.modifyAttributes(
>
> InitialDirContext.java:167)
>
> at org.keycloak.federation.ldap.idm.store.ldap.
>
> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>
> at org.keycloak.federation.ldap.idm.store.ldap.
>
> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>
> at org.keycloak.federation.ldap.idm.store.ldap.
>
> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>
> at
> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>
> modifyAttributes(LDAPOperationManager.java:402)
>
> ... 59 more
>
> 2017-03-08 11:05:28,865 WARN [org.keycloak.events]
> (default task-6)
>
> type=LOGIN_ERROR, realmId=myrealm,
> clientId=teste-portal, userId=null,
> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials,
> auth_method=openid-connect, auth_type=code,
> redirect_uri=http://127.0.0.1:
> 8080/teste-portal/
>
>
> and then, I got this result in my ldap:
>
> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>
> givenName:: IA==
>
> uid: 11111111111
>
> objectClass: top
>
> objectClass: inetOrgPerson
>
> objectClass: person
>
> objectClass: organizationalPerson
>
> objectClass: phpgwAccount
>
> objectClass: shadowAccount
>
> sn:: IA==
>
> cn:: IA==
>
> structuralObjectClass: inetOrgPerson
>
> entryUUID: 07f0e7caxxxxxxxxxxx
>
> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>
> createTimestamp: 20170308140529Z
>
> entryCSN: 20170308140529.527857Z#000000#000#000000
>
> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>
> modifyTimestamp: 20170308140529Z
>
>
> So, I wrote the uid as 11111111111, but I didn't set the
> sn, cn and
> givenName as 'IA=='. It looks like some problem occurs in
> my configuration.
>
> please, need help!!
>
>
> Best Regards,
>
>
>
>
>
> --
> ---
> *Celso Agra*
>
>
>
>
> --
> ---
> *Celso Agra*
More information about the keycloak-user
mailing list