Hello,
We have a Keycloak setup (3.4.3.Final) with Active Directory as a user federation
provider. We ran into an issue with adding a certain role to users. We got an error
message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
…
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
After some investigation, the issue is that Active Directory uses range retrieval when
there are more than 1500 entries in the member (list) property of a group. See e.g.
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s....
When I look at the Keycloak source code, it looks like Keycloak does not handle/support
range retrieval, so an error happens when trying to add a user to that role.
For now we work around the issue by setting the MaxValRange to a higher value. See
https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-...
for more info about this.
The real solution would probably be to add support for range retrieval in the Keycloak
LDAP user federation provider, so I will create a Jira ticket for that.
Did anyone else maybe run into this issue, and if so, had another solution for it?
Kind regards,
Sidney Beekhoven
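To illustrate the range retrieval mechanism the post refers to, here is an added example (not Keycloak code, and not from the poster) of the client-side loop a range-aware LDAP reader has to perform. It uses a constructed in-memory stand-in for an AD group with 3200 members and the default MaxValRange of 1500; the function names and the fake directory are assumptions for the demo.

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for a large AD group: 3200 member DNs, so the values
# span three range slices at the default MaxValRange of 1500.
FAKE_MEMBERS = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)]
MAX_VAL_RANGE = 1500

# Attribute option syntax AD uses: "<attr>;range=<low>-<high|*>"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def fake_ad_get_attributes(requested: str) -> Dict[str, List[str]]:
    """Simulate AD's answer to a search for one attribute (assumption: mimics AD).

    A plain 'member' request on a large group comes back as 'member;range=0-1499';
    'member;range=1500-*' returns the next slice; the final slice is tagged '-*'.
    """
    m = RANGE_RE.match(requested)
    lo = int(m.group("lo")) if m else 0
    if m is None and len(FAKE_MEMBERS) <= MAX_VAL_RANGE:
        return {"member": list(FAKE_MEMBERS)}          # small group: no ranging
    hi = lo + MAX_VAL_RANGE - 1
    values = FAKE_MEMBERS[lo:hi + 1]
    if lo + len(values) >= len(FAKE_MEMBERS):
        return {f"member;range={lo}-*": values}         # last slice
    return {f"member;range={lo}-{hi}": values}


def naive_read(get_attributes: Callable[[str], Dict[str, List[str]]], attr: str) -> List[str]:
    """What a range-unaware reader sees: only the first slice, silently truncated."""
    result = get_attributes(attr)
    return next(iter(result.values()))


def fetch_all_values(get_attributes: Callable[[str], Dict[str, List[str]]], attr: str) -> List[str]:
    """Collect every value of `attr` by following AD range retrieval to the '-*' slice."""
    collected: List[str] = []
    requested = attr
    while True:
        result = get_attributes(requested)
        if attr in result:                              # not ranged at all
            return result[attr]
        ranged = [n for n in result if RANGE_RE.match(n)]
        if not ranged:
            raise KeyError(f"attribute {attr!r} absent from response")
        m = RANGE_RE.match(ranged[0])
        collected.extend(result[ranged[0]])
        if m.group("hi") == "*":                        # final slice reached
            return collected
        requested = f"{attr};range={int(m.group('hi')) + 1}-*"
```

Note that the attribute name returned by the server ('member;range=0-1499') is not a writable attribute; a modify request has to target the plain 'member' attribute.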