[keycloak-user] Why duplicate records found for user?

Ryan Slominski ryans at jlab.org
Wed Mar 27 14:52:24 EDT 2019


I found some clues by enabling TRACE logging:


./jboss-cli.sh --connect
/subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)

I then tailed the log file while performing a user search.  I see that two LDAP queries are executed.  The first one looks for the user by ID.  The second one looks for the user by last name.  What it means is that if you have a user whose username and last name are identical, then they show up twice in the Keycloak admin web console user search.  The logging looks like:

...
LdapOperation: lookupById
 baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
 filter: (&(objectClass=*)(uid=cuffe))
 searchScope: 1
 returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
took: 61 ms

....

LdapOperation: search
 baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
 filter: (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
 searchScope: 1
 returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
 resultSize: 1
took: 50 ms
...


I created an issue ticket:
https://issues.jboss.org/browse/KEYCLOAK-9926
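The following is an added example (not code from the post or from Keycloak) that simulates the two traced lookups against a small constructed directory, and shows why merging their results without keying on the provider's configured UUID attribute yields a duplicate row for a user whose uid equals their sn. The merge step itself is an assumption for illustration; the trace above only shows the two queries.

```python
# Constructed directory entries (not real JLab data). The DNs mirror the
# baseDN shape seen in the trace, with a made-up domain.
DIRECTORY = [
    {"dn": "uid=cuffe,cn=users,cn=accounts,dc=example,dc=org",
     "uid": "cuffe", "sn": "cuffe", "givenName": "Alice", "nsuniqueid": "u-001"},
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=org",
     "uid": "jdoe", "sn": "doe", "givenName": "John", "nsuniqueid": "u-002"},
    {"dn": "uid=bcuffe,cn=users,cn=accounts,dc=example,dc=org",
     "uid": "bcuffe", "sn": "cuffe", "givenName": "Bob", "nsuniqueid": "u-003"},
]


def lookup_by_id(directory, value):
    """First traced query: (&(objectClass=*)(uid=<value>)).

    The UUID LDAP attribute is 'uid' in the 5.0.0 setup, so the by-ID
    lookup is effectively a match on uid.
    """
    return [e for e in directory if e["uid"] == value]


def search_by_lastname(directory, value):
    """Second traced query: (&(sn=<value>)(objectclass=inetOrgPerson)...)."""
    return [e for e in directory if e["sn"] == value]


def naive_user_search(directory, term):
    """Assumed merge: concatenate both result lists as-is.

    A user whose uid equals their sn is returned by both queries and so
    appears twice, which matches the duplicate rows seen in the console.
    """
    return lookup_by_id(directory, term) + search_by_lastname(directory, term)


def deduplicated_user_search(directory, term, uuid_attr="nsuniqueid"):
    """Merge keyed on the unique attribute the provider is configured with.

    Keying on a stable identifier (here the constructed nsuniqueid value)
    rather than on position in the result list collapses the duplicate.
    """
    seen = {}
    for entry in naive_user_search(directory, term):
        seen.setdefault(entry[uuid_attr], entry)
    return list(seen.values())
```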

________________________________
From: Ryan Slominski
Sent: Wednesday, March 27, 2019 1:07 PM
To: keycloak-user
Subject: Why duplicate records found for user?

I've noticed this behavior with both Keycloak 4.1.0 and Keycloak 5.0.0: when using the admin web interface "Users" search, duplicate records are found for some users.   What could possibly be causing this?

I've tried clearing all caches (Realm Settings > Cache) and I've tried removing imported users (User Federation > ldap storage provider > "Remove Imported" button).  Still seeing duplicates for some users.  Weird.  I've got the UUID LDAP attribute set to nsuniqueid with Keycloak 4.1.0 and to uid with Keycloak 5.0.0 (both pointing to the same Red Hat Identity Manager instance).  Duplicate users don't seem to be duplicated in LDAP.  Maybe group-ldap-mapper is doing something weird?  Is this due to Brokered Identities?  Or is this just a bug?
