[keycloak-user] Why duplicate records found for user?
Marek Posolda
mposolda at redhat.com
Wed Mar 27 15:24:31 EDT 2019
On 27/03/2019 20:19, Marek Posolda wrote:
> On 27/03/2019 19:52, Ryan Slominski wrote:
>> I found some clues by enabling TRACE logging:
>>
>>
>> ./jboss-cli.sh --connect
>> /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)
>>
>>
>> I then tailed the log file while performing user search. I see that
>> two LDAP queries are executed. The first one looks up the user by
>> ID. The second one looks up the user by lastname.
> Yes, you're right. Our current implementation of searching users from
> admin console is trying to lookup users from LDAP based on username
> and lastName. We plan some improvements in admin console around
> searching users (which will include the ability to specify if you want
> to search by username, email, fullName etc. rather than having a single
> field where you can't specify attributes at all).
>> What it means is if you have a user whose username and lastname are
>> identical then they show up twice in Keycloak admin web console user
>> search. The logging looks like:
>
> I don't think so. It can happen that the same user with username "foo" and
> lastName "foo" will be found twice in LDAP due to both queries you
> pointed out; however, he will be shown just once in the admin console.
>
> Marek
Reading your JIRA where you mentioned that you indeed see duplicated
results in the admin console. So it looks like I was wrong...
I guess you have "Import users" disabled? Could you please check with
"Import users" enabled if you see this behaviour?
Thanks,
Marek
>
>>
>> ...
>> LdapOperation: lookupById
>> baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>> filter: (&(objectClass=*)(uid=cuffe))
>> searchScope: 1
>> returningAttrs: [uid, givenName, mail, sn, createTimestamp,
>> modifyTimestamp]
>> took: 61 ms
>>
>> ....
>>
>> LdapOperation: search
>> baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>> filter:
>> (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
>> searchScope: 1
>> returningAttrs: [uid, givenName, mail, sn, createTimestamp,
>> modifyTimestamp]
>> resultSize: 1
>> took: 50 ms
>> ...
>>
>>
>> I created an issue ticket:
>> https://issues.jboss.org/browse/KEYCLOAK-9926
>>
>> ________________________________
>> From: Ryan Slominski
>> Sent: Wednesday, March 27, 2019 1:07 PM
>> To: keycloak-user
>> Subject: Why duplicate records found for user?
>>
>> I've noticed this behavior with both Keycloak 4.1.0 and Keycloak
>> 5.0.0: when using the admin web interface "Users" search, duplicate
>> records are found for some users. What could possibly be causing this?
>>
>> I've tried clearing all caches from (Realm Settings > Cache) and I've
>> tried removing imported users (User Federation > ldap storage
>> provider > "Remove Imported" button). Still seeing duplicates for
>> some users. Weird. I've got UUID LDAP attribute set to nsuinqueid
>> with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to
>> same Red Hat Identity Manager instance). Duplicate users don't seem
>> to be duplicated in LDAP. Maybe group-ldap-mapper is doing something
>> weird? Is this due to Brokered Identities? Or is this just a bug?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
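
The condition described in the thread (one search term matched on both uid and sn under the same base DN) can be picked out of the TRACE output mechanically. The following is an added example, not part of the original thread or of Keycloak's code; the function names are hypothetical and the sample log is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the TRACE output quoted in the thread.
SAMPLE_LOG = """\
LdapOperation: lookupById
baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
filter: (&(objectClass=*)(uid=cuffe))
took: 61 ms

LdapOperation: search
baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
filter:
(&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
resultSize: 1
took: 50 ms
"""

FIELD = re.compile(r"^(\w+):\s*(.*)$")
ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()*]+)\)")  # equality terms, no wildcards

def parse_ldap_ops(text):
    """Return one dict per 'LdapOperation:' block; keys are lower-cased field names."""
    ops, key = [], None
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quote markers
        if not line:
            key = None
            continue
        m = FIELD.match(line)
        if m:
            key = m.group(1).lower()  # the log prints both baseDN and baseDn
            if key == "ldapoperation":
                ops.append({})
            if ops:
                ops[-1][key] = m.group(2)
        elif ops and key:
            ops[-1][key] += line  # wrapped value, e.g. the filter on its own line
    return ops

def same_value_under_different_attrs(ops):
    """Map (base DN, value) -> attributes matched on it, kept when more than one."""
    seen = defaultdict(set)
    for op in ops:
        for attr, value in ASSERTION.findall(op.get("filter", "")):
            if attr.lower() != "objectclass":
                seen[(op.get("basedn", "").lower(), value.lower())].add(attr.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

A non-empty result from `same_value_under_different_attrs(parse_ldap_ops(log))` marks a search term for which one LDAP entry can come back from both queries, which is the case where the result sets need de-duplicating before display.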