It seems as mis-configuration of the federation provider. You didn't
finish the logging line from SPNEGOAuthenticator and the value of srcName
On 12/10/16 13:20, Daniela.Weil(a)itzbund.de wrote:
Dear All,
I installed keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider
with Kerberos integration.
The "username LDAP attribute" I set to the ldap attribute (bfvNovellLogin) that
contains the Kerberos username. The "UUID LDAP attribute" is set to the
"uid" attribute.
Kerberos auth succeeded:
2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-3) SPNEGO Security context accepted with token:
oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false,
mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....
You didn't finish this logging line from SPNEGOAuthenticator and the
value of "srcName", which is next in the logging message, is the most
important one :-)
However I guess this name was "dweil" right? And LDAP is later looking
for username "WeiDayq", so there are 2 different usernames but same email...
It seems like the mis-configuration of the LDAP federation providers
and/or mappers. Is the "username LDAP attribute" configured to same
value like the LDAP attribute in the username mapper?
Marek
2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-3) getUserByUsername: WeiDayq
The LDAP object could be created:
2016-10-12 10:23:42,515 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found
ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn:
uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes:
{uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil(a)zivit.de], bfvDstnr=[1481],
sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z],
createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr,
bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
So far no users are in the keycloak datastore.
On mapping the email attribute the user "dweil" is not recognized as the
formerly by Kerberos authenticated user "weidayq":
2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider]
(default task-3) Using mapper { name=DStNummer,
federationMapperType=user-attribute-ldap-mapper,
config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr,
is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider]
(default task-3) Using mapper { name=email,
federationMapperType=user-attribute-ldap-mapper,
config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail,
is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013:
Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user
'weidayq' from LDAP because email 'daniela.weil(a)zivit.de' already exists
in Keycloak. Existing user with this email is 'dweil'
at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
at
org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
at
org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
at
org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
at
org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
at
org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
at
org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
Why does keycloak assume that my one and only user is two different users (having a
different Id)?
Kind Regards,
Daniela Weil
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user