[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
Marek Posolda
mposolda at redhat.com
Tue Mar 14 15:47:40 EDT 2017
On 14/03/17 18:50, Celso Agra wrote:
> Hi all,
>
> I saw an example about LDAP and Keycloak integration here
> <https://github.com/keycloak/keycloak/tree/master/examples/ldap>.
>
> So, it is running with ApacheDS LDAP server. I was thinking, would be
> possible run this integration with *slapd* tool? Also, I'm using
> schema instead of ldif structure. It could be a problem?
This example is just a "quickstart" to quickly show LDAP in action. It
uses ApacheDS just because it's Java based LDAP, which easily runs
everywhere just by executing "mvn exec:java" without additional steps
needed and without a need to install something at OS level etc.
I never tried this example with slapd. I think the most things will
work, but devil is in details, so not sure at 100%.
Marek
>
> Thanks!
>
> 2017-03-10 10:40 GMT-03:00 Celso Agra <celso.agra at gmail.com
> <mailto:celso.agra at gmail.com>>:
>
> I'm using slapd.
>
> Here is the object classes that I'm using: top, inetOrgPerson,
> person, organizationalPerson, phpgwAccount, shadowAccount
>
>
> 2017-03-10 7:41 GMT-03:00 Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>>:
>
> This looks like bad LDAP mapping for username and UUID. Which
> LDAP are you using btv?
>
> Marek
>
>
> On 09/03/17 16:03, Celso Agra wrote:
>> Hi,
>>
>> I solved this error, just removing the MSAD account controls,
>> but now I'm getting a new error, when I finished my registration:
>> here is the log:
>>
>> 2017-03-09 11:58:00,375 ERROR [io.undertow.request]
>> (default task-1) UT005023: Exception handling request to
>> /auth/realms/myrealm/login-actions/required-action:
>> org.jboss.resteasy.spi.UnhandledException:
>> java.lang.NullPointerException
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>> at
>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.NullPointerException
>> at
>> org.keycloak.events.EventBuilder.user(EventBuilder.java:103)
>> at
>> org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815)
>> at
>> org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88)
>> at
>> org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297)
>> at
>> org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
>> at
>> org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> ... 37 more
>>
>>
>>
>>
>>
>> 2017-03-09 9:47 GMT-03:00 Celso Agra <celso.agra at gmail.com
>> <mailto:celso.agra at gmail.com>>:
>>
>> Got it!
>>
>> But I haven't seen the pwdLastSet here in my
>> LDAP`mappers. I'm using the "Edit Mode" as WRITABLE, but
>> I'm not setting this attribute.
>> Here is my attributes:
>>
>> cn
>> MSAD account controls
>> cpf
>> creation date
>> email
>> first name
>> last name
>> modify date
>> phpgwAccountStatus
>> username
>>
>>
>> Thanks!!
>>
>> Best Regards,
>>
>> Celso Agra
>>
>> 2017-03-09 5:46 GMT-03:00 Marek Posolda
>> <mposolda at redhat.com <mailto:mposolda at redhat.com>>:
>>
>> Hi,
>>
>> The error may indicate that you configured
>> "pwdLastSet" attribute mapper in Keycloak to write
>> into the LDAP, but it looks that writing this
>> attribute is unsupported. Maybe switch this mapper to
>> read-only will help?
>>
>> Marek
>>
>>
>> On 08/03/17 15:29, Celso Agra wrote:
>>
>> Hi all,
>>
>> I'm trying to configure KC with LDAP, but some
>> errors are occurring.
>> First, I configured my LDAP to write in the LDAP
>> server, but for some
>> reasons I got this error when I try to register
>> an user:
>>
>> 2017-03-08 11:05:28,862 WARN
>> [org.keycloak.services] (default task-6)
>>
>> KC-SERVICES0013: Failed authentication:
>> org.keycloak.models.ModelException:
>> Could not modify attribute for DN
>> [uid=11111111111,dc=zz,dc=dd,dc=aa]
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>>
>> modifyAttributes(LDAPOperationManager.java:410)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>>
>> modifyAttributes(LDAPOperationManager.java:104)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.
>>
>> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>>
>> at
>> org.keycloak.federation.ldap.mappers.msad.
>>
>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>> MSADUserAccountControlMapper.java:235)
>>
>> at
>> org.keycloak.federation.ldap.mappers.msad.
>>
>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>> MSADUserAccountControlMapper.java:220)
>>
>> at
>> org.keycloak.models.utils.UserModelDelegate.addRequiredAction(
>>
>> UserModelDelegate.java:112)
>>
>> at org.keycloak.authentication.fo
>> <http://org.keycloak.authentication.fo>rms.RegistrationPassword.
>>
>> success(RegistrationPassword.java:101)
>>
>> at org.keycloak.authentication.Fo
>> <http://org.keycloak.authentication.Fo>rmAuthenticationFlow.processAction(
>>
>> FormAuthenticationFlow.java:234)
>>
>> at org.keycloak.authentication.De
>> <http://org.keycloak.authentication.De>faultAuthenticationFlow.
>>
>> processAction(DefaultAuthenticationFlow.java:76)
>>
>> at org.keycloak.authentication.Au
>> <http://org.keycloak.authentication.Au>thenticationProcessor.
>>
>> authenticationAction(AuthenticationProcessor.java:759)
>>
>> at
>> org.keycloak.services.resources.LoginActionsService.processFlow(
>>
>> LoginActionsService.java:356)
>>
>> at
>> org.keycloak.services.resources.LoginActionsService.
>>
>> processRegistration(LoginActionsService.java:477)
>>
>> at
>> org.keycloak.services.resources.LoginActionsService.
>>
>> processRegister(LoginActionsService.java:535)
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(
>>
>> NativeMethodAccessorImpl.java:62)
>>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>
>> DelegatingMethodAccessorImpl.java:43)
>>
>> at
>> java.lang.reflect.Method.invoke(Method.java:498)
>>
>> at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>>
>> MethodInjectorImpl.java:139)
>>
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>>
>> ResourceMethodInvoker.java:295)
>>
>> at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>>
>> ResourceMethodInvoker.java:249)
>>
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.
>>
>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>>
>> ResourceLocatorInvoker.java:101)
>>
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>
>> SynchronousDispatcher.java:395)
>>
>> at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>
>> SynchronousDispatcher.java:202)
>>
>> at
>> org.jboss.resteasy.plugins.server.servlet.
>>
>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>
>> at
>> org.jboss.resteasy.plugins.server.servlet.
>>
>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>
>> at
>> org.jboss.resteasy.plugins.server.servlet.
>>
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>
>> at
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(
>>
>> ServletHandler.java:85)
>>
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>
>> doFilter(FilterHandler.java:129)
>>
>> at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.
>>
>> doFilter(KeycloakSessionServletFilter.java:90)
>>
>> at
>> io.undertow.servlet.core.ManagedFilter.doFilter(
>>
>> ManagedFilter.java:60)
>>
>> at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>
>> doFilter(FilterHandler.java:131)
>>
>> at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(
>>
>> FilterHandler.java:84)
>>
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
>>
>> handleRequest(ServletSecurityRoleHandler.java:62)
>>
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.
>>
>> handleRequest(ServletDispatchingHandler.java:36)
>>
>> at org.wildfly.extension.undertow.security.
>>
>> SecurityContextAssociationHandler.handleRequest(
>> SecurityContextAssociationHandler.java:78)
>>
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>>
>> PredicateHandler.java:43)
>>
>> at io.undertow.servlet.handlers.security.
>>
>> SSLInformationAssociationHandler.handleRequest(
>> SSLInformationAssociationHandler.java:131)
>>
>> at io.undertow.servlet.handlers.security.
>>
>> ServletAuthenticationCallHandler.handleRequest(
>> ServletAuthenticationCallHandler.java:57)
>>
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>>
>> PredicateHandler.java:43)
>>
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler
>>
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>
>> at io.undertow.servlet.handlers.security.
>>
>> ServletConfidentialityConstraintHandler.handleRequest(
>> ServletConfidentialityConstraintHandler.java:64)
>>
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandle
>>
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>
>> at io.undertow.servlet.handlers.security.
>>
>> CachedAuthenticatedSessionHandler.handleRequest(
>> CachedAuthenticatedSessionHandler.java:77)
>>
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.
>>
>> handleRequest(NotificationReceiverHandler.java:50)
>>
>> at
>> io.undertow.security.handlers.AbstractSecurityContextAssocia
>>
>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>> tionHandler.java:43)
>>
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>>
>> PredicateHandler.java:43)
>>
>> at
>> org.wildfly.extension.undertow.security.jacc.
>>
>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>>
>> PredicateHandler.java:43)
>>
>> at io.undertow.server.handlers.Pr
>> <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(
>>
>> PredicateHandler.java:43)
>>
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.
>>
>> handleFirstRequest(ServletInitialHandler.java:284)
>>
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.
>>
>> dispatchRequest(ServletInitialHandler.java:263)
>>
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$
>>
>> 000(ServletInitialHandler.java:81)
>>
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.
>>
>> handleRequest(ServletInitialHandler.java:174)
>>
>> at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.
>>
>> java:202)
>>
>> at
>> io.undertow.server.HttpServerExchange$1.run(
>>
>> HttpServerExchange.java:793)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(
>>
>> ThreadPoolExecutor.java:1142)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>
>> ThreadPoolExecutor.java:617)
>>
>> at java.lang.Thread.run(Thread.java:745)
>>
>> Caused by:
>> javax.naming.directory.InvalidAttributeIdentifierException:
>>
>> [LDAP: error code 17 - pwdLastSet: attribute
>> type undefined]; remaining
>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>>
>> at
>> com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>>
>> at
>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>>
>> at
>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>>
>> at
>> com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>
>> at
>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(
>>
>> ComponentDirContext.java:277)
>>
>> at
>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>
>> modifyAttributes(PartialCompositeDirContext.java:192)
>>
>> at
>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>
>> modifyAttributes(PartialCompositeDirContext.java:181)
>>
>> at
>> javax.naming.directory.InitialDirContext.modifyAttributes(
>>
>> InitialDirContext.java:167)
>>
>> at
>> javax.naming.directory.InitialDirContext.modifyAttributes(
>>
>> InitialDirContext.java:167)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.
>>
>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.
>>
>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.
>>
>> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>>
>> at
>> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>>
>> modifyAttributes(LDAPOperationManager.java:402)
>>
>> ... 59 more
>>
>> 2017-03-08 11:05:28,865 WARN
>> [org.keycloak.events] (default task-6)
>>
>> type=LOGIN_ERROR, realmId=myrealm,
>> clientId=teste-portal, userId=null,
>> ipAddress=xxx.xxx.xxx.xxx,
>> error=invalid_user_credentials,
>> auth_method=openid-connect, auth_type=code,
>> redirect_uri=http://127.0.0.1:
>> 8080/teste-portal/
>>
>>
>> and then, I got this result in my ldap:
>>
>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>>
>> givenName:: IA==
>>
>> uid: 11111111111
>>
>> objectClass: top
>>
>> objectClass: inetOrgPerson
>>
>> objectClass: person
>>
>> objectClass: organizationalPerson
>>
>> objectClass: phpgwAccount
>>
>> objectClass: shadowAccount
>>
>> sn:: IA==
>>
>> cn:: IA==
>>
>> structuralObjectClass: inetOrgPerson
>>
>> entryUUID: 07f0e7caxxxxxxxxxxx
>>
>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>>
>> createTimestamp: 20170308140529Z
>>
>> entryCSN: 20170308140529.527857Z#000000#000#000000
>>
>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>
>> modifyTimestamp: 20170308140529Z
>>
>>
>> So, I wrote the uid as 11111111111, but I didn't
>> set the sn, cn and
>> givenName as 'IA=='. It looks like some problem
>> occurs in my configuration.
>>
>> please, need help!!
>>
>>
>> Best Regards,
>>
>>
>>
>>
>>
>> --
>> ---
>> *Celso Agra*
>>
>>
>>
>>
>> --
>> ---
>> *Celso Agra*
>
>
>
>
>
> --
> ---
> *Celso Agra*
>
>
>
>
> --
> ---
> *Celso Agra*
More information about the keycloak-user
mailing list