Got it!
But I haven't seen the pwdLastSet here in my LDAP mappers. I'm using the
"Edit Mode" as WRITABLE, but I'm not setting this attribute.
Here are my attributes:
cn
MSAD account controls
cpf
creation date
email
first name
last name
modify date
phpgwAccountStatus
username
Thanks!!
Best Regards,
Celso Agra
2017-03-09 5:46 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
Hi,
The error may indicate that you configured the "pwdLastSet" attribute mapper
in Keycloak to write into the LDAP, but it looks like writing this
attribute is unsupported. Maybe switching this mapper to read-only will help?
Marek
On 08/03/17 15:29, Celso Agra wrote:
> Hi all,
>
> I'm trying to configure KC with LDAP, but some errors are occurring.
> First, I configured my LDAP to write in the LDAP server, but for some
> reason I got this error when I try to register a user:
>
> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:410)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:104)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
> at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:235)
> at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:220)
> at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:112)
> at org.keycloak.authentication.forms.RegistrationPassword.success(RegistrationPassword.java:101)
> at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:234)
> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
> at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
> at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356)
> at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:477)
> at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:535)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
> ... 59 more
>
> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/
>
> and then, I got this result in my ldap:
>
> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
> givenName:: IA==
> uid: 11111111111
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: phpgwAccount
> objectClass: shadowAccount
> sn:: IA==
> cn:: IA==
> structuralObjectClass: inetOrgPerson
> entryUUID: 07f0e7caxxxxxxxxxxx
> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
> createTimestamp: 20170308140529Z
> entryCSN: 20170308140529.527857Z#000000#000#000000
> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
> modifyTimestamp: 20170308140529Z
>
> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
> givenName as 'IA=='. It looks like some problem occurs in my
> configuration.
>
> Please, I need help!!
>
>
> Best Regards,
>
>
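As an added example (not code from the thread or from Keycloak), this Python parses the LDIF dump and the "Caused by" line quoted in the original post: `IA==` decodes to a single space, so the blank cn, sn and givenName values really were written to the directory, and the error line carries LDAP result code 17 (undefined attribute type) for pwdLastSet, the attribute Marek's reply points to.

```python
import base64
import re
from collections import defaultdict

# LDIF entry as dumped in the original post (copied from the thread, minus the
# operational attributes such as entryUUID that are not needed here).
LDIF_ENTRY = """\
dn: uid=11111111111,dc=zz,dc=dd,dc=aa
givenName:: IA==
uid: 11111111111
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: phpgwAccount
objectClass: shadowAccount
sn:: IA==
cn:: IA==
"""

# The "Caused by" line from the quoted stack trace.
LOG_LINE = ("Caused by: javax.naming.directory.InvalidAttributeIdentifierException: "
            "[LDAP: error code 17 - pwdLastSet: attribute type undefined]; "
            "remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'")

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; 'attr:: v' is base64 (RFC 2849)."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, raw = line.partition(":")
        if raw.startswith(":"):   # base64: ldapsearch uses it for values that start with a space
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        attrs[name].append(value)
    return dict(attrs)

def blank_attributes(attrs):
    """Attributes whose every value is empty or whitespace only (cn/sn/givenName here)."""
    return sorted(a for a, vals in attrs.items() if all(v.strip() == "" for v in vals))

def ldap_error(log_line):
    """(result code, attribute, message) from a JNDI '[LDAP: error code N - attr: msg]' text."""
    m = re.search(r"\[LDAP: error code (\d+) - (\S+): ([^\]]+)\]", log_line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None
```

Run `blank_attributes(parse_ldif(LDIF_ENTRY))` on a real `ldapsearch` dump to spot other entries that Keycloak created with placeholder names before the mapper failure.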