<div dir="ltr">Ok, I think I understand. I tried 'sync all users' and got an error. Is this because applications is a multiple attribute? Obviously I will probably have access to more than one application. In the meantime I'll try a brand new user and see if that works.<div><br></div><div>Log shows:</div><pre>
2015-06-19 14:19:26,361 INFO [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default task-2) Sync all users from LDAP to local store: realm: master, federation provider: PI ordinary users
2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2) UT005023: Exception handling request to /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync: java.lang.RuntimeException: request path: /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.ClassCastException: java.util.TreeSet cannot be cast to java.lang.String
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
    ... 29 more
Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast to java.lang.String
    at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
    at org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
    at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
    at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
    at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 40 more
</pre><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
<div>CTO<br></div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a> <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150
Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br><b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it
are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you
have received this email in error please notify the system
manager. This message contains confidential information
and is intended only for the individual named. If you are
not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly
prohibited.</font></p><p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>" </b></p></div></div></div></div></div>
<br><div class="gmail_quote">On 19 June 2015 at 13:50, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Thanks for the info. Now I think I know
what's going on.<br>
<br>
The issue is that currently when we import users from LDAP
(federation in general), we sync the configured attributes to the
Keycloak DB. But during searching, we don't sync the attributes
from LDAP to Keycloak DB anymore. So I guess you did the steps
like this:<br>
- You first authenticated as LDAP user "joe" (or searched this user
from the admin console), which imported this user into Keycloak DB<br>
- Then you created a mapper for the 'applications' attribute. But
user 'joe' was already imported into Keycloak DB from the previous
step, right?<br>
<br>
I believe that when you import some other user from LDAP, which
does not yet exist in Keycloak DB, the 'applications' attribute will be
there. For the existing user, the only possibility right now is to
use "Synchronize all users" or "Synchronize changed users" on the LDAP
federation screen. This will update existing users in Keycloak
DB as well, so 'joe' will be updated.<br>
<br>
Please let me know if it helps. Looks like it's something we
should address better in Keycloak.<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
On 19.6.2015 11:56, Kevin Thorpe wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">I had a hunch, so I added a record in USER_ATTRIBUTE
for applications, and it is getting passed in the JWT claims now.
That squarely points at the LDAP federation part.
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On 19 June 2015 at 10:42, Kevin Thorpe
<span dir="ltr"><<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Marek, thanks for the quick reply.
<div><br>
</div>
<div>1. I am definitely sure that the attributes I need
are in the LDAP record.</div>
<div><br>
</div>
<div>2. Adding TRACE to federation.ldap shows my mapped
attributes being read.</div>
<div><br>
</div>
<div>3. There is no USER_ATTRIBUTES table; I'm assuming you
meant USER_ATTRIBUTE, but it doesn't have my attributes.
It does have a reference to my LDAP_ID, so it
looks like it should be here.</div>
<div><br>
</div>
<div>
<pre>MariaDB [keycloak]> select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+
</pre>
</div>
<div><br>
</div>
<div>Thanks for your time on this.</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<br>
<div class="gmail_quote">On 19 June 2015 at 10:15,
Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>There are a few steps here and the result
will work only if all steps succeed. So it
might help to check which step could be wrong
here:<br>
<br>
1) You can double-check if your user really has
the 'applications' attribute in LDAP<br>
<br>
2) If (1) is ok, you can enable TRACE logging
for the "org.keycloak.federation.ldap" category in
standalone.xml. With it, you should see some
trace messages with the names and values of
all LDAP attributes which are loaded into the user
record. You should see the 'applications'
attribute loaded<br>
<br>
3) If (2) is ok, you can browse the Keycloak
database and check if attribute 'applications'
is really there. The user attributes are saved
in table USER_ATTRIBUTES. Currently it's not
possible to browse user attributes generically
in the admin console (unless you do a custom theme),
so browsing the DB seems to be the only possibility.<br>
<br>
4) If (3) is ok, the issue is not in the LDAP
interaction, but in the protocol mapper
configuration. Make sure you use the correct
protocol mapper (in your case it should be the
"User attributes" mapper, not the "User property"
mapper). Also if your application is Java
based, the value of the 'applications' claim is
saved in accessToken in the 'otherClaims' map and
can be retrieved with something like:
accessToken.getOtherClaims().get("applications");<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 18.6.2015 17:50, Kevin Thorpe wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Thanks to the team for 1.3.1. We
were eagerly waiting for that to add
LDAP attribute mappings, which I see
has now been done. Unfortunately I
can't seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute
mapper to my LDAP federation. This
maps the LDAP attribute 'applications',
which exists on my LDAP user record, to
'applications' in Keycloak.</div>
<div><br>
</div>
<div>I have also added a user attribute
token mapper to my Keycloak client
definition to map user attribute
'applications' to token claim
'applications'. I've also asked to add it
to both the ID and access token.</div>
<div><br>
</div>
<div>However this attribute is not
present in either the ID or access
token when testing. Is there something
I've missed?</div>
<div><br>
</div>
<div>Something that may be an issue,
though, is that I'm using a home-written
OpenID Connect Lua client
based on your JavaScript one. This
uses the endpoint
/auth/realms/master/protocol/openid-connect/token.
Is it that the openid-connect endpoint
doesn't support these attributes yet?</div>
<br clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font color="#000000"><b>Kevin
Thorpe<br>
</b></font></div>
<div>CTO, PI ltd<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
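Marek's step 4 reads the claim with accessToken.getOtherClaims().get("applications"), and the stack trace at the top of the thread shows what happens when a multi-valued LDAP attribute (a TreeSet) meets code that expects a String. The following Java example is added here and is not from the thread or from Keycloak; it assumes only that the claim is looked up in the Map that getOtherClaims() returns, and the class ApplicationsClaim and its methods read and allows are names of my own.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Reads the 'applications' claim without assuming its Java type.
 * A single-valued attribute arrives as a String, a multi-valued one as a
 * Collection; casting straight to String is the mistake behind the
 * "java.util.TreeSet cannot be cast to java.lang.String" trace above, and a
 * client that does the same cast would fail the same way.
 */
public final class ApplicationsClaim {

    public static final String CLAIM_NAME = "applications";

    private ApplicationsClaim() {}

    /**
     * Returns the application names carried by the claim, in claim order,
     * or an empty set if the claim is absent (e.g. the mapper was added after
     * the user had already been imported and no sync has run yet).
     *
     * @param otherClaims the map returned by accessToken.getOtherClaims()
     */
    public static Set<String> read(Map<String, Object> otherClaims) {
        Set<String> apps = new LinkedHashSet<>();
        Object value = otherClaims == null ? null : otherClaims.get(CLAIM_NAME);
        if (value == null) {
            return apps;
        }
        if (value instanceof Collection) {          // multi-valued attribute
            for (Object item : (Collection<?>) value) {
                if (item != null) {
                    apps.add(item.toString());
                }
            }
        } else {                                    // single String (or other scalar)
            apps.add(value.toString());
        }
        return apps;
    }

    /** True only when the token explicitly lists the named application. */
    public static boolean allows(Map<String, Object> otherClaims, String application) {
        return read(otherClaims).contains(application);
    }

    public static void main(String[] args) {
        // Constructed sample claim maps, not real tokens: one single-valued,
        // one multi-valued shaped like the TreeSet-backed LDAP attribute.
        Map<String, Object> single = Collections.singletonMap(CLAIM_NAME, (Object) "billing");
        Map<String, Object> multi = Collections.singletonMap(CLAIM_NAME,
                (Object) new TreeSet<String>(Arrays.asList("billing", "crm")));
        Map<String, Object> none = Collections.emptyMap();

        System.out.println("single-valued claim: " + read(single));
        System.out.println("multi-valued claim:  " + read(multi));
        System.out.println("crm allowed (multi): " + allows(multi, "crm"));
        System.out.println("crm allowed (no claim): " + allows(none, "crm"));
    }
}
```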