Re: [keycloak-user] Why duplicate records found for user?

On 27/03/2019 19:52, Ryan Slominski wrote: > I found some clues by enabling TRACE logging: > > > ./jboss-cli.sh --connect > /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE) > > > I then tailed the log file while performing user search.  I see that > two LDAP queries are executed.  The first one is look for user by > ID.  The second one is look for user by lastname. Yes, you're right. Our current implementation of searching users from admin console is trying to lookup users from LDAP based on username and lastName. We plan some improvements in admin console around searching users(which will include the ability to specify if you want to search by username, email, fullName etc rather than having single field when you can't specify attributes at all). > What it means is if you have a user who's username and lastname are > identical then they show up twice in Keycloak admin web console user > search.  The logging looks like: I don't think so. It can happen that same user with username "foo" and lastName "foo" will be found twice in LDAP due the both queries you pointed, however he will be show just once in the admin console. Marek

> > ... > LdapOperation: lookupById >   baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org >   filter: (&(objectClass=*)(uid=cuffe)) >   searchScope: 1 >   returningAttrs: [uid, givenName, mail, sn, createTimestamp, > modifyTimestamp] > took: 61 ms > > .... > > LdapOperation: search >   baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org >   filter: > (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson)) >   searchScope: 1 >   returningAttrs: [uid, givenName, mail, sn, createTimestamp, > modifyTimestamp] >   resultSize: 1 > took: 50 ms > ... > > > I Created an issue ticket: > https://issues.jboss.org/browse/KEYCLOAK-9926 > > ________________________________ > From: Ryan Slominski > Sent: Wednesday, March 27, 2019 1:07 PM > To: keycloak-user > Subject: Why duplicate records found for user? > > I've noticed this behavior with both Keycloak 4.1.0 and Keycloak > 5.0.0: when using admin web interface "Users" search duplicate > records are found for some users.   What could possibly be causing this? > > I've tried clearing all caches from (Realm Settings > Cache) and I've > tried removing imported users (User Federation > ldap storage > provider > "Remove Imported" button).  Still seeing duplicates for > some users.  Weird.  I've got UUID LDAP attribute set to nsuinqueid > with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to > same Red Hat Identity Manager instance).  Duplicate users don't seem > to be duplicated in LDAP.  Maybe group-ldap-mapper is doing something > weird?  Is this due to Brokered Identities?  Or is this just a bug? > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user