back then. That one was
closed because there were some other tickets which would hopefully resolve this issue. In
the meantime in version 6 some of those other tickets were solved and for us it solves the
issue with AD range retrieval.
Regards,
Sidney Beekhoven
This looks to be an issue still in 5.0.0. Did you end up creating a ticket
for this? I had to do the same workaround for a similar issue I'm having
with larger groups not syncing from AD > Keycloak. Raising the MaxValRange
allowed that group to sync as well.
--
Aaron Echols
On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at
Hello,
We have a Keycloak setup (3.4.3.Final) with Active Directory as a user
federation provider. We ran into an issue with adding a certain role to
users. We got an error message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not
modify attribute for DN
[CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
at
org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
at
org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
at
org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
at
org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
at
org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
at
org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
at
org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
…
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error
code 16 - 00000057: LdapErr: DSID-0C090C03, comment:
Error in attribute conversion operation, data 0, v1db1]; remaining name
'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at
javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at
javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
After some investigation the issue is that Active Directory uses range
retrieval when there are more than 1500 entries in the member (list)
property of a group. See e.g.
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s...
When I look at the Keycloak source code it looks like Keycloak does not
handle/support the range retrieval, so an error happens when trying to add
a user to that role.
For now we work around the issue by setting the MaxValRange to a higher
value. See
https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-...
for more info about this.
The real solution would probably be to add support for range retrieval in
the Keycloak LDAP user federation provider, so I will create a Jira ticket
for that.
Did anyone else maybe run into this issue, and if so had another solution
for it?
Kind regards,
Sidney Beekhoven
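The range retrieval behaviour described in the message above, shown as an added Python example (this is not Keycloak code and not code from anyone in this thread). Active Directory answers a read of a multi-valued attribute with more than MaxValRange values (1500 by default) not under the plain attribute name but under `member;range=0-1499`, and the client has to keep asking for `member;range=1500-*` and so on until the server answers with a `-*` upper bound. The `make_fake_ad` directory below is a constructed stand-in that mimics that contract offline; `search(dn, attrs)` returning a dict of attribute descriptions to value lists is an assumed interface, not a real LDAP library call. `naive_read` shows what a client that ignores the range option sees for a large group, which is the kind of gap that leaves an application unable to read, and then modify, the full membership.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches attribute descriptions such as "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)

Search = Callable[[str, List[str]], Dict[str, List[str]]]


def parse_range_option(attr_desc: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (attribute, low, high) for a ranged description, or None if it has no range.
    high is None when the server wrote '*', meaning this chunk reaches the last value."""
    m = RANGE_RE.match(attr_desc)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr").lower(), int(m.group("low")), high


def naive_read(search: Search, dn: str, attr: str) -> List[str]:
    """A client that only looks for the plain attribute name: for a group above
    MaxValRange the key is 'member;range=0-1499', so it sees nothing at all."""
    return search(dn, [attr]).get(attr, [])


def fetch_all_values(search: Search, dn: str, attr: str, max_rounds: int = 10000) -> List[str]:
    """Read every value of a multi-valued attribute by following AD range retrieval.
    Each round requests the next chunk starting right after the values already held."""
    values: List[str] = []
    requested = attr
    for _ in range(max_rounds):
        result = search(dn, [requested])
        ranged = None
        for desc, vals in result.items():
            if desc.lower() == attr.lower():
                # Server returned the whole attribute without a range option: done.
                return values + list(vals)
            parsed = parse_range_option(desc)
            if parsed and parsed[0] == attr.lower():
                ranged = (parsed[1], parsed[2], vals)
        if ranged is None:
            # Attribute absent (empty group) or nothing further returned.
            return values
        low, high, vals = ranged
        if low != len(values):
            # A chunk that does not start where we left off means something went wrong.
            raise ValueError(f"unexpected range start {low}, already have {len(values)} values")
        values.extend(vals)
        if high is None:
            return values  # '*' upper bound marks the final chunk
        requested = f"{attr};range={high + 1}-*"
    raise RuntimeError("range retrieval did not terminate within max_rounds")


def make_fake_ad(members: List[str], max_val_range: int = 1500) -> Search:
    """Constructed stand-in for an AD search that only knows the 'member' attribute.
    It honours ';range=low-high' requests and never returns more than max_val_range
    values per response, which is how the MaxValRange LDAP policy behaves."""
    def search(dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {}
        for desc in attrs:
            parsed = parse_range_option(desc)
            name = parsed[0] if parsed else desc.lower()
            if name != "member" or not members:
                continue
            if parsed is None and len(members) <= max_val_range:
                out["member"] = list(members)  # small enough: no range option
                continue
            low = parsed[1] if parsed else 0
            chunk = members[low:low + max_val_range]
            if not chunk:
                continue
            end = low + len(chunk) - 1
            high = "*" if end >= len(members) - 1 else str(end)
            out[f"member;range={low}-{high}"] = chunk
        return out
    return search


if __name__ == "__main__":
    # Constructed sample: a role with 3200 members, well above the default 1500.
    big = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)]
    ad = make_fake_ad(big)
    print("naive client sees", len(naive_read(ad, "CN=bigrole,OU=Roles,DC=example,DC=com", "member")), "members")
    print("range-aware client sees", len(fetch_all_values(ad, "CN=bigrole,OU=Roles,DC=example,DC=com", "member")), "members")
```

The fake directory is there only so the loop can be exercised without a domain controller; against a real server the same loop is driven by whatever search call the LDAP library provides. Note that the workaround of raising MaxValRange in the LDAP policy only moves the threshold, so a client that does not parse the range option will hit the same problem again once a group grows past the new limit.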