6:20 a.m.
Dear All,
I installed keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider
with Kerberos integration.
The "username LDAP attribute" I set to the ldap attribute (bfvNovellLogin) that
contains the Kerberos username. The "UUID LDAP attribute" is set to the
"uid" attribute.
Kerberos auth succeeded:
2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-3) SPNEGO Security context accepted with token:
oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false,
mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....
2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession]
(default task-3) getUserByUsername: WeiDayq
The LDAP object could be created:
2016-10-12 10:23:42,515 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found
ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn:
uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes:
{uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil(a)zivit.de], bfvDstnr=[1481],
sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z],
createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr,
bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
So far no users are in the keycloak datastore.
On mapping the email attribute the user "dweil" is not recognized as the
formerly by Kerberos authenticated user "weidayq":
2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider]
(default task-3) Using mapper { name=DStNummer,
federationMapperType=user-attribute-ldap-mapper,
config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr,
is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider]
(default task-3) Using mapper { name=email,
federationMapperType=user-attribute-ldap-mapper,
config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail,
is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013:
Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user
'weidayq' from LDAP because email 'daniela.weil(a)zivit.de' already exists
in Keycloak. Existing user with this email is 'dweil'
at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
at
org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
at
org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
at
org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
at
org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
at
org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
at
org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
Why does keycloak assume that my one and only user is two different users (having a
different Id)?
Kind Regards,
Daniela Weil