Can we distinguish between 'new account' and 'password reset' in the emails?
by Kevin Thorpe
Hi, not sure if this is possible or if it's a feature request.
When we add a new user to our Keycloak database we set them up and send a
'reset action email'. This is to comply with our policies that we never
send passwords via e-mail. Is there any way in the email template to detect
if this is a new user or a true password reset? Maybe by checking if
they've never logged in. We would like the e-mail to read differently to
welcome them as a new user.
On a slightly different point can we define the redirect location after a
password reset? The reset as it is now works but leaves the user on the
Keycloak site, not the site they were expecting to gain access to.
Kevin Thorpe
VP Enterprise Platform
w: www.p-i.net
p: +44 (0)20 3005 6750
a: 7th Floor, 52 Grosvenor Gardens, London SW1W 0AU
https://twitter.com/pidataanalytics
https://www.linkedin.com/company/piltd
_________________________________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited
7 years, 10 months
Impersonation not working from REST calls?
by David Delbecq
Hello,
I have some issues getting impersonation to work in my webapp. There is a
feature in the web app for an admin to show all business data and accounts, select
one account and become that user.
Scenario 1) I connect as user davidd to
<keycloak>/auth/admin/<realm>/console. I select the user I want to
impersonate, click on impersonate. Browser request sniffing shows a REST
call: POST:
<keycloak>/auth/admin/<realm>/TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation
followed by loading of the account profile page of that user.
Scenario 2) I connect to my app as davidd. I select the user I want to
become and start the impersonation process. My webapp first calls
/kc_query_bearer_token to get a token, then calls using XMLHttpRequest
<keycloak>/auth/admin/<realm>/TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation
setting the Bearer token in the header, and the same payload as in (1). I get an HTTP
OK reply from Keycloak. I then go to the root of my webapp and am
redirected to the login screen. My admin user was thus correctly logged out,
but the new user is not set up for some reason.
What am I missing to get impersonation to work from my webapp? Should I
extract cookies from the reply and put them in my own domain, for example?
--
http://www.trimble.com/
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq(a)trimbletl.com
http://www.trimbletl.com/
7 years, 10 months
custom providers
by Patrycja Vrebos
Hi Keycloak users,
I am new to Keycloak.
With my team we are using Red Hat Single Sign-On 7.0 with Keycloak 1.9.8.
I need to customize this a little bit. We support different languages and
actually some messages are not displayed as we want.
For example the message in Recaptcha is not in the language expected.
I found an example of how to register Google Recaptcha and how to add validation
of form elements on the page:
https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
So I suppose if I register my own Recaptcha I will be able to specify the message
I want to display.
As written, I need to deploy my jar (just copy it to the
standalone/configuration/providers directory).
First, I didn't find a providers directory in configuration so I created
one where I copied my jar, and I restarted my server. Then I tried to add my
FormAction to the registration flow but I don't see any difference in the admin
console. I mean I don't think my jar was deployed (I am new to JBoss).
I also found there another way to deploy the jar: "throw jar in Keycloak deploy
directory", but I don't understand what is meant by the "Keycloak deploy/
directory" mentioned in the documentation.
Another change I want to do is: in the reset password page, add email
validation.
I found some example: "Keycloak is designed to cover most use-cases
without requiring custom code, but we also want it to be customizable. To
achieve this Keycloak has a number of Service Provider Interfaces (SPI)
which you can implement your own providers for."
Could you please recommend one which I should implement for this goal?
I will appreciate any help.
Best regards,
Patrycja
7 years, 10 months
SAML Assertion Signature Algorithm Validation
by Gabriel Lavoie
Hi,
I'm currently testing different SAML signature algorithms with our
application and I noticed that regardless of the chosen signature algorithm
for a SAML client, Keycloak will accept assertions signed with another
algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP).
With many other IdPs, when a signature algorithm is chosen, there's a
validation that the same algorithm is used in both directions. I think this
is something that Keycloak should do too as a security measure. Can this be
done right now, or would an enhancement request be required?
Thanks,
--
Gabriel Lavoie
glavoie(a)gmail.com
7 years, 10 months
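An added defender-side illustration of the point Gabriel raises, written for this digest and not code from Keycloak or from the poster: before a SAML message's signature is cryptographically verified, the relying party can gate on the algorithm URIs declared in ds:SignedInfo and reject anything outside its configured policy (for example, refusing rsa-sha1 / sha1 when rsa-sha256 / sha256 was agreed), so a sender cannot quietly downgrade. The assertion skeleton, the issuer URL, the DigestValue/SignatureValue placeholders and the subject name are constructed for the example; the algorithm URIs are the standard XML-DSig identifiers.

```python
import xml.etree.ElementTree as ET

# Clark-notation prefix for the XML Digital Signature namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Standard XML-DSig algorithm URIs as they appear in SignatureMethod / DigestMethod
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def check_signature_algorithms(xml_text, allowed_signature_algs, allowed_digest_algs):
    """Return a list of policy violations found in the ds:Signature elements of a
    SAML message. An empty list means every signature declares an allowed
    signature algorithm and every Reference an allowed digest algorithm.
    This is a policy gate to run BEFORE cryptographic verification of the
    signature; it does not replace verifying the signature bytes with the
    trusted IdP key."""
    root = ET.fromstring(xml_text)
    problems = []
    signatures = list(root.iter(DS + "Signature"))
    if not signatures:
        problems.append("no ds:Signature element present")
        return problems
    for idx, sig in enumerate(signatures):
        signed_info = sig.find(DS + "SignedInfo")
        if signed_info is None:
            problems.append(f"signature {idx}: missing ds:SignedInfo")
            continue
        sig_method = signed_info.find(DS + "SignatureMethod")
        sig_alg = sig_method.get("Algorithm") if sig_method is not None else None
        if sig_alg not in allowed_signature_algs:
            problems.append(f"signature {idx}: SignatureMethod {sig_alg!r} not allowed")
        # Each Reference carries its own digest algorithm; check every one
        for ref in signed_info.findall(DS + "Reference"):
            digest_method = ref.find(DS + "DigestMethod")
            digest_alg = digest_method.get("Algorithm") if digest_method is not None else None
            if digest_alg not in allowed_digest_algs:
                problems.append(f"signature {idx}: DigestMethod {digest_alg!r} not allowed")
    return problems


def saml_sample(sig_alg, digest_alg):
    """Constructed, minimal SAML assertion skeleton carrying one enveloped
    signature with the given algorithm URIs. The digest and signature values
    are placeholders: this document exercises the algorithm-policy check only
    and is not a real signed assertion."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed-1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    policy_sig, policy_digest = {RSA_SHA256}, {SHA256}
    print(check_signature_algorithms(saml_sample(RSA_SHA256, SHA256), policy_sig, policy_digest))
    print(check_signature_algorithms(saml_sample(RSA_SHA1, SHA1), policy_sig, policy_digest))
```

The check inspects what the sender declared; the verifier that follows must still confirm the signature bytes against the trusted key and that the Reference covers the element being relied on. Running this gate first is what closes the gap Gabriel describes, where an otherwise valid signature made with a weaker algorithm than the one configured is accepted.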
SAML Binding - ECP Profile
by Jason B
Hi,
I am trying to work on SAML ECP profile. According to Keycloak's server
administration documentation this SAML binding is supported. But when I
configure IdP/SSO in metadata I am not seeing any description/meta specific
to ECP binding. Any documentation available on how to use ECP profile in
Keycloak?
Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform
Keycloak to use a specific binding? Is there any query string parameter
available that I can use?
Thanks!
7 years, 10 months
Keycloak LDAP configuration - deletes ldap user from Keycloak
by Mustafa Kuru
Hi,
We are using the LDAP Federation Provider in READONLY edit mode.
I saw in the Keycloak logs a lot of exceptions like
"Could not query server using DN"
(javax.naming.ServiceUnavailableException)
OR
"LDAP: error code 52 - Proxy can't contact remote server".
In our case some LDAP users were deleted from Keycloak and reimported into
Keycloak from LDAP. We don't know why.
Can these exceptions above cause this problem? Or what is the behaviour of
Keycloak if it cannot connect to LDAP or gets an empty response from LDAP?
Delete the corresponding user from Keycloak?
Thanks in advance.
Mustafa Kuru
7 years, 10 months
Connection Reset using LDAPS
by Thomas Barcia
In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error and then click search again and receive results.
I tried adding the following to the startup:
-Djdk.tls.client.protocols=TLSv1
Based on an article regarding java8 and AD but it does not appear to have made any difference.
The error:
14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: <ldap servername>:636 [Root exception is java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160)
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165)
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176)
at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510)
at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284)
at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111)
at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152)
at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217)
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126)
at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 78 more
14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: LDAP Query failed
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169)
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176)
at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510)
at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284)
at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111)
at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152)
at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217)
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126)
at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery@1c8e5a6
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169)
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165)
... 58 more
Caused by: javax.naming.CommunicationException: simple bind failed: <ldaps servername>:636 [Root exception is java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160)
... 59 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 78 more
*** This communication has been sent from World Fuel Services
Corporation or its subsidiaries or its affiliates for the intended recipient
only and may contain proprietary, confidential or privileged information.
If you are not the intended recipient, any review, disclosure, copying,
use, or distribution of the information included in this communication
and any attachments is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to this
communication and delete the communication, including any
attachments, from your computer. Electronic communications sent to or
from World Fuel Services Corporation or its subsidiaries or its affiliates
may be monitored for quality assurance and compliance purposes.***
7 years, 10 months
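An added example, my own code rather than Keycloak's or either poster's, that serves both Mustafa's LDAP question and this LDAPS connection-reset thread: before concluding that Keycloak removed users, or that a JVM TLS flag helped, an operator wants to know when the directory was actually unreachable. The script classifies the LDAP federation errors Keycloak writes to server.log by root cause and by the host named in the bind failure, and buckets them per minute so that erratic failure bursts stand out. The log lines are constructed to mimic the format shown in this thread; ldap.example.test:636, the DN and the filters are placeholders.

```python
import re
from collections import Counter

# WildFly/Keycloak default line shape: "HH:MM:SS,mmm LEVEL [logger] (thread) message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)

# Root-cause patterns, matched in order; the exception texts are the ones
# quoted in the two threads above
CAUSES = [
    ("connection_reset", re.compile(r"java\.net\.SocketException: Connection reset")),
    ("service_unavailable", re.compile(r"javax\.naming\.ServiceUnavailableException")),
    ("ldap_error_52", re.compile(r"LDAP: error code 52")),
]
HOST_RE = re.compile(r"simple bind failed: (?P<host>[^\s\[]+)")


def classify_ldap_failure(line):
    """Return a dict describing one LDAP federation error line, or None when
    the line is not an error from the Keycloak LDAP federation logger."""
    m = LINE_RE.match(line)
    if not m or m.group("level") != "ERROR":
        return None
    if "org.keycloak.federation.ldap" not in m.group("logger"):
        return None
    msg = m.group("msg")
    cause = "other"
    for name, pattern in CAUSES:
        if pattern.search(msg):
            cause = name
            break
    host = HOST_RE.search(msg)
    return {
        "time": m.group("time"),
        "minute": m.group("time")[:5],
        "cause": cause,
        "host": host.group("host") if host else None,
    }


def summarize_ldap_failures(lines, per_minute_threshold=3):
    """Aggregate classified failures by cause, host and minute. Minutes with at
    least per_minute_threshold failures are reported as noisy so they can be
    correlated with user sync runs or directory-side maintenance."""
    events = [e for e in map(classify_ldap_failure, lines) if e]
    by_minute = Counter(e["minute"] for e in events)
    return {
        "events": len(events),
        "by_cause": dict(Counter(e["cause"] for e in events)),
        "by_host": dict(Counter(e["host"] for e in events if e["host"])),
        "noisy_minutes": sorted(m for m, n in by_minute.items() if n >= per_minute_threshold),
    }


# Constructed sample log (placeholder host, DN and filters), shaped like the
# trace in the LDAPS thread plus the two messages from the READONLY thread
SAMPLE_LOG = [
    "14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=people,DC=example,DC=test] and filter [(uid=alice)]: javax.naming.CommunicationException: simple bind failed: ldap.example.test:636 [Root exception is java.net.SocketException: Connection reset]",
    "14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/demo/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed",
    "14:56:41,002 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-7) Could not query server using DN [OU=people,DC=example,DC=test] and filter [(uid=bob)]: javax.naming.ServiceUnavailableException: ldap.example.test:636; socket closed",
    "14:56:55,310 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-9) Could not query server using DN [OU=people,DC=example,DC=test] and filter [(uid=carol)]: javax.naming.NamingException: [LDAP: error code 52 - Proxy can't contact remote server]",
    "14:57:10,777 INFO  [org.keycloak.services] (ServerService Thread Pool -- 60) KC-SERVICES0001: Loading config from standalone.xml",
    "14:57:12,000 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-3) Could not query server using DN [OU=people,DC=example,DC=test] and filter [(uid=dave)]: javax.naming.CommunicationException: simple bind failed: ldap.example.test:636 [Root exception is java.net.SocketException: Connection reset]",
]

if __name__ == "__main__":
    print(summarize_ldap_failures(SAMPLE_LOG))
```

Feed it the real server.log with `summarize_ldap_failures(open(path))`; the per-cause split separates TLS-level resets (the LDAPS thread) from directory-side proxy errors (error code 52), which point at different places to look, and the noisy-minute list is what to line up against the timestamps of any unexpected user removals.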
Re: [keycloak-user] Issue with LDAP federation import
by harish jadhav
Hi Team,
Thanks for the immediate response. As both users are different persons and reside in different domains with different email ids, I was expecting them to be treated as different users, and in fact objectguid will be different for both users. And as both users belong to the same organisation, I can't use different realms either.
Is there any workaround available for this?
Thanks
Harish
--------------------------------------------
On Fri, 2/10/17, Bill Burke <bburke(a)redhat.com> wrote:
Subject: Re: [keycloak-user] Issue with LDAP federation import
To: keycloak-user(a)lists.jboss.org
Date: Friday, February 10, 2017, 8:27 PM
You can't have 2 users with same username. The sync is pulling users from 2nd federation provider, sees that it's already been imported (by 1st Federation sync) and fails to import that user.
On 2/10/17 9:32 AM, harish jadhav wrote:
> Hello Keycloak Team,
>
> I am new to keycloak and trying to integrate with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively) and I am able to import the users from both the directories. I have created two LDAP federation in single realm.
>
> However one issue which I am facing is I am unable to import one particular user by second federation - I have one user having name ronny(a)tkd.com with username Ronny in 172.16.11.100 and ronny(a)teckno.com with same username Ronny in 172.16.12.100. The error I am getting is
>
> User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
>
> Can you please help on how to sync both users as technically both users are different having different email ids and domains.
>
> Thanks in advance.
> Thanks
> Harish
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 10 months
email to reset password failed - keycloak 2.5.0
by Michael Mok
I was trying to send this via my other email but it did not reach the mailing list. Trying again with my other email.
Hi All
Need help trying to allow the user to update their password. The use case
1) Login to admin
2) Select a user, go to Credentials and select Update Password as reset again and send the email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred, please login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
<ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" />
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="proxy-peer"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
RequestHeader set X-Forwarded-Proto "https"
Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-acti...
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 10 months