[keycloak-user] Creating new user throws error when using AWS Simple AD
Robin Kearney
robin at kearney.co.uk
Wed Oct 17 17:06:23 EDT 2018
Hi,
I've got Keycloak 4.5.0.Final set up to talk to an AWS instance of
their Simple AD, which is Samba 4 behind the scenes. Connectivity and
authentication work OK, as does the initial sync of all users.
However, when I create a new user through Keycloak, I get an error
"Error! Could not create user" in the UI and the following logs:
keycloak_1 | 20:45:52,571 WARN
[org.keycloak.services.resources.admin.UsersResource] (default
task-17) Could not create user: org.keycloak.models.ModelException:
Could not modify attribute for DN
[cn=example12,CN=Users,DC=ad,DC=example,DC=com]
keycloak_1 | Caused by: javax.naming.NameNotFoundException: [LDAP:
error code 32 - 00002030: No such Base DN:
cn=example12,CN=Users,DC=ad,DC=example,DC=com]; remaining name
'cn=example12,CN=Users,DC=ad,DC=example,DC=com'
The full stack trace is here:
https://gist.githubusercontent.com/rk295/a8ada3cd79212e73d2e55215e4d53e34/raw/37aac21a5c7dd3d3423aa9ae2456068c2c1170ec/keycloak-error.log
What is interesting is that the user is created successfully in LDAP.
ldif: https://gist.githubusercontent.com/rk295/0bde9a03f057dea09ea08f7f0050785e/raw/7dc63b208d95dc2160ed8cdbed87d55e52fb4b53/key-example.ldiff
However, in this ldif the following fields show "IA==" rather than
the value I entered (example12 in both cases):
sn:: IA==
givenName:: IA==
I have both the firstname and lastname mappers set up to map the
following fields:
usermodel attribute firstName -> ldap givenName
usermodel attribute lastName -> ldap sn
Both set up with RO false, always read from LDAP true, is mandatory
true, is binary false.
If I hit the button to resync changed (or all) users, the user shows
in the Keycloak admin, but with the fields above missing.
Hope somebody can help!
r.
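The two "sn::" and "givenName::" lines quoted in the post are base64-encoded: a double colon is LDIF's marker (RFC 2849) for a value that is not safe to print as-is, and "IA==" decodes to a single space character. The script below is an added example, not part of the post and not Keycloak's or Samba's code: it parses LDIF attribute lines, decodes any "::" values, flags attributes whose stored value is empty or whitespace-only, and compares the decoded entry with the values that were typed into the admin console. The LDIF excerpt embedded in it is constructed from the DN and attributes the post quotes, not the poster's full gist.

```python
import base64
import re

# Constructed LDIF excerpt modelled on the fields quoted in the post;
# it is not the poster's exported entry.
SAMPLE_LDIF = """\
dn: cn=example12,CN=Users,DC=ad,DC=example,DC=com
objectClass: user
cn: example12
sn:: IA==
givenName:: IA==
sAMAccountName: example12
"""

# 'attr: value' for plain values, 'attr:: base64' for encoded ones.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Continuation lines (leading space) are folded onto the previous line,
    and base64 values introduced by '::' are decoded to str.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def blank_attributes(entry):
    """Attribute names whose every value is empty or whitespace only."""
    return sorted(a for a, vals in entry.items()
                  if all(v.strip() == "" for v in vals))


def check_expected(entry, expected):
    """Compare decoded values with what was entered in the admin console.

    Returns {attr: (expected_value, actual_values)} for each mismatch.
    """
    mismatches = {}
    for attr, want in expected.items():
        got = entry.get(attr, [])
        if want not in got:
            mismatches[attr] = (want, got)
    return mismatches


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("decoded sn:", repr(entry["sn"]))
    print("blank attributes:", blank_attributes(entry))
    print("mismatches:",
          check_expected(entry, {"givenName": "example12", "sn": "example12"}))
```

Run against a real ldapsearch export, the same check shows whether the directory holds a space where the first and last name were expected, which is a different condition from the attribute simply being absent and is worth knowing before deciding whether to resync.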