Hi,
The error may indicate that you configured the "pwdLastSet" attribute mapper
in Keycloak to write into the LDAP, but it looks like writing this
attribute is unsupported. Maybe switching this mapper to read-only will help?
Marek
On 08/03/17 15:29, Celso Agra wrote:
Hi all,
I'm trying to configure KC with LDAP, but some errors are occurring.
First, I configured my LDAP to write in the LDAP server, but for some
reason I got this error when I try to register a user:
2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:410)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:104)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
    at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:235)
    at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:220)
    at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:112)
    at org.keycloak.authentication.forms.RegistrationPassword.success(RegistrationPassword.java:101)
    at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:234)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356)
    at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:477)
    at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:535)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
    ... 59 more
2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/
And then I got this result in my LDAP:
dn: uid=11111111111,dc=zz,dc=dd,dc=aa
givenName:: IA==
uid: 11111111111
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: phpgwAccount
objectClass: shadowAccount
sn:: IA==
cn:: IA==
structuralObjectClass: inetOrgPerson
entryUUID: 07f0e7caxxxxxxxxxxx
creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
createTimestamp: 20170308140529Z
entryCSN: 20170308140529.527857Z#000000#000#000000
modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
modifyTimestamp: 20170308140529Z
So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
givenName as 'IA=='. It looks like some problem occurs in my configuration.
Please, need help!!
Best Regards,
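
Added example, not part of either message and not Keycloak code: a short Python triage of the two artifacts quoted in this thread. It extracts the LDAP result code and attribute from the "Caused by" line (code 17 is undefinedAttributeType in RFC 4511) and decodes the LDIF entry, where a double colon marks a base64 value per RFC 2849, so `IA==` is a single space. The sample strings are copied from the thread and trimmed; the function names are hypothetical.

```python
import base64
import re

# Constructed sample input: trimmed copies of the LDIF entry and log line quoted above.
LDIF = """\
dn: uid=11111111111,dc=zz,dc=dd,dc=aa
givenName:: IA==
uid: 11111111111
objectClass: inetOrgPerson
objectClass: shadowAccount
sn:: IA==
cn:: IA==
"""
CAUSE = ("Caused by: javax.naming.directory.InvalidAttributeIdentifierException: "
         "[LDAP: error code 17 - pwdLastSet: attribute type undefined]; "
         "remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'")


def parse_ldif_entry(text):
    """Return {attribute: [values]}; 'attr:: value' is base64 (RFC 2849).
    Folded lines and 'attr:< url' values are skipped in this sketch."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9;.-]+)(::?)\s*(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(name, []).append(value)
    return entry


def parse_ldap_failure(cause_line):
    """Extract (result code, attribute, server message) from a JNDI cause line."""
    m = re.search(r"\[LDAP: error code (\d+) - ([^:\]]+): ([^\]]+)\]", cause_line)
    return (int(m.group(1)), m.group(2).strip(), m.group(3).strip()) if m else None


def blank_attributes(entry):
    """Attributes whose every decoded value is empty or whitespace only."""
    return sorted(a for a, vals in entry.items() if all(not v.strip() for v in vals))


if __name__ == "__main__":
    entry = parse_ldif_entry(LDIF)
    print(parse_ldap_failure(CAUSE))
    print(blank_attributes(entry), repr(entry["givenName"][0]))
```
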