This looks to be an issue still in 5.0.0. Did you end up creating a ticket
for this? I had to do the same workaround for a similar issue I'm having
with larger groups not syncing from AD > Keycloak. Raising the MaxValRange
allowed that group to sync as well.
--
Aaron Echols
On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven(a)info.nl>
wrote:
Hello,
We have a keycloak setup (3.4.3.Final) with active directory as a user
federation provider. We ran into an issue with adding a certain role to
users. We got an error message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
…
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
After some investigation, the issue is that Active Directory uses range
retrieval when there are more than 1500 entries in the member (list)
property of a group. See e.g.
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s...
.
When I look at the Keycloak source code, it looks like Keycloak does not
handle/support range retrieval, so an error happens when trying to add
a user to that role.
For now we work around the issue by setting the MaxValRange to a higher
value. See
https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-...
for more info about this.
The real solution would probably be to add support for range retrieval in
the Keycloak LDAP user federation provider, so I will create a Jira ticket
for that.
Did anyone else maybe run into this issue, and if so, had another solution
for it?
Kind regards,
Sidney Beekhoven
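As an added illustration of the range retrieval behaviour discussed in both messages (this is example code, not Keycloak's LDAP provider and not anything from the thread), the following Python models what Active Directory does with a multi-valued attribute larger than MaxValRange: instead of a plain `member` attribute it returns a slice named `member;range=0-1499`, and a client has to keep asking for `member;range=<next>-*` until the server answers with a slice whose upper bound is `*`. The in-memory `FakeAdGroup` is a constructed stand-in for the directory (the default chunk size of 1500 matches the default MaxValRange named in the thread); `naive_read` shows what a client that only knows the literal attribute name sees, `read_all_values` walks the ranges, and raising `max_val_range` reproduces the MaxValRange workaround.

```python
"""Active Directory range retrieval, modelled offline.

Added example, not Keycloak code.  AD caps the number of values of one
attribute returned per search at MaxValRange (1500 by default) and names
the returned slice ``member;range=lo-hi``; the final slice is named
``member;range=lo-*``.  A client that only looks for an attribute literally
called ``member`` therefore sees nothing for a large group.
"""
import re

# Matches the attribute names AD uses for ranged results, e.g. "member;range=0-1499"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


class FakeAdGroup:
    """Constructed stand-in for an AD group entry with a large member list."""

    def __init__(self, members, max_val_range=1500):
        self.members = list(members)
        self.max_val_range = max_val_range  # plays the role of AD's MaxValRange

    def search(self, requested_attr):
        """Return {attribute-name: values} for one search, as AD would.

        ``requested_attr`` is either a plain name ("member") or an explicit
        range request ("member;range=1500-*").
        """
        m = RANGE_RE.match(requested_attr)
        base = m.group("attr") if m else requested_attr
        lo = int(m.group("lo")) if m else 0
        if not m and len(self.members) <= self.max_val_range:
            # Small group: the attribute comes back under its plain name.
            return {base: list(self.members)}
        chunk = self.members[lo:lo + self.max_val_range]
        if lo + len(chunk) >= len(self.members):
            # Last slice: AD signals the end with an upper bound of "*".
            return {f"{base};range={lo}-*": chunk}
        return {f"{base};range={lo}-{lo + len(chunk) - 1}": chunk}


def naive_read(group, attr="member"):
    """What a client that ignores range retrieval sees: only a literal attr."""
    return group.search(attr).get(attr, [])


def read_all_values(group, attr="member"):
    """Follow range=lo-hi slices until the server returns the lo-* slice."""
    values = []
    request = attr
    while True:
        result = group.search(request)
        if attr in result:
            return result[attr]  # not ranged at all
        (name, chunk), = result.items()  # exactly one ranged attribute expected
        m = RANGE_RE.match(name)
        if not m or m.group("attr") != attr:
            raise ValueError(f"unexpected attribute {name!r} in response")
        values.extend(chunk)
        if m.group("hi") == "*":
            return values
        request = f"{attr};range={int(m.group('hi')) + 1}-*"


if __name__ == "__main__":
    # Constructed sample data: a group with 3200 members.
    sample = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)]
    big = FakeAdGroup(sample)
    print("naive read sees", len(naive_read(big)), "members")
    print("range-aware read sees", len(read_all_values(big)), "members")
    # The MaxValRange workaround from the thread: raise the server-side limit.
    print("naive read with MaxValRange=4000 sees",
          len(naive_read(FakeAdGroup(sample, max_val_range=4000))), "members")
```

The naive client reports zero members for the large group while the range-aware client assembles all of them; raising the constructed `max_val_range` above the group size makes the naive read succeed again, which is exactly why the MaxValRange workaround helps and why it stops helping once a group outgrows the new limit.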
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user