[keycloak-user] User cannot be imported from LDAP - ModelDuplicateException - although userStorage does not contain any users yet
Daniela.Weil at itzbund.de
Wed Oct 12 07:20:50 EDT 2016
Dear All,
I installed Keycloak 2.2.1.Final, added a new realm with an OpenLDAP federation provider with Kerberos integration.
I set the "username LDAP attribute" to the LDAP attribute (bfvNovellLogin) that contains the Kerberos username. The "UUID LDAP attribute" is set to the "uid" attribute.
Kerberos auth succeeded:
2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-3) SPNEGO Security context accepted with token: oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false, mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....
2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: WeiDayq
The LDAP object could be created:
2016-10-12 10:23:42,515 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes: {uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil at zivit.de], bfvDstnr=[1481], sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z], createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr, bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
So far there are no users in the Keycloak datastore.
On mapping the email attribute, the user "dweil" is not recognized as the user "weidayq" that was previously authenticated by Kerberos:
2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=DStNummer, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr, is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user 'weidayq' from LDAP because email 'daniela.weil at zivit.de' already exists in Keycloak. Existing user with this email is 'dweil'
at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
at org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
at org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
at org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
at org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
Why does Keycloak assume that my one and only user is two different users (with different IDs)?
Kind Regards,
Daniela Weil
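The post above configures three LDAP attributes that must each resolve to exactly one entry for a Kerberos-authenticated principal to be imported cleanly: the "username LDAP attribute" (bfvNovellLogin), the "UUID LDAP attribute" (uid) and the attribute mapped onto Keycloak's email field (mail). The script below is an added example, not Keycloak code and not from the poster; it is a pre-flight audit one can run over an LDAP export before enabling such a provider. It checks that the three configured attributes are unique across the directory, resolves a Kerberos principal to an entry the way the quoted log does (case-insensitively, since the lookup for 'WeiDayq' is reported as 'weidayq'), and runs a simplified import that refuses a second local user with an already-used email, which is the condition the quoted ModelDuplicateException reports. The entries, the realm name and the config dictionary are constructed for the example; only the first entry mirrors attributes visible in the quoted LDAPIdentityStore line.

```python
"""Pre-flight uniqueness audit for a Keycloak-style LDAP federation provider.

Added example, not Keycloak code. Models the username attribute, UUID attribute
and email-mapped attribute of an LDAP provider with Kerberos integration.
"""
from collections import defaultdict


class DuplicateEmail(Exception):
    """Import would create a second local user owning an existing email."""


# Constructed entries. The first mirrors the attributes shown in the quoted log;
# the third deliberately shares its mail with the first so the audit flags it.
LDAP_ENTRIES = [
    {"dn": "uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de",
     "uid": ["dweil"], "bfvNovellLogin": ["WeiDayq"],
     "mail": ["daniela.weil@zivit.de"], "cn": ["Daniela Weil"]},
    {"dn": "uid=jdoe,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de",
     "uid": ["jdoe"], "bfvNovellLogin": ["DoeJoxx"],
     "mail": ["john.doe@example.invalid"], "cn": ["John Doe"]},
    {"dn": "uid=dweil2,ou=extern,ou=personen,dc=bfinv,dc=de",
     "uid": ["dweil2"], "bfvNovellLogin": ["WeiDayq2"],
     "mail": ["daniela.weil@zivit.de"], "cn": ["Daniela Weil (extern)"]},
]

# Hypothetical rendering of the provider settings described in the post.
CONFIG = {
    "username_ldap_attribute": "bfvNovellLogin",
    "uuid_ldap_attribute": "uid",
    "email_ldap_attribute": "mail",
}


def get_attr(entry, name):
    """Single-valued, case-insensitive lookup (LDAP attribute names are
    case-insensitive; the quoted log prints them lowercased)."""
    for key, values in entry.items():
        if key != "dn" and key.lower() == name.lower():
            return values[0] if values else None
    return None


def audit_uniqueness(entries, config):
    """Return {attribute: {value: [dn, ...]}} for every configured attribute
    whose case-folded value occurs in more than one entry."""
    collisions = {}
    for attr_name in config.values():
        seen = defaultdict(list)
        for entry in entries:
            value = get_attr(entry, attr_name)
            if value is not None:
                seen[value.lower()].append(entry["dn"])
        dupes = {v: dns for v, dns in seen.items() if len(dns) > 1}
        if dupes:
            collisions[attr_name] = dupes
    return collisions


def resolve_principal(principal, entries, config):
    """Entries whose username attribute equals the user part of a Kerberos
    principal (user@REALM), compared case-insensitively."""
    user = principal.split("@", 1)[0].lower()
    attr_name = config["username_ldap_attribute"]
    return [e for e in entries if (get_attr(e, attr_name) or "").lower() == user]


def import_user(entry, local_users, config):
    """Simplified import: refuse if another local user already has the email."""
    username = get_attr(entry, config["username_ldap_attribute"]).lower()
    email = (get_attr(entry, config["email_ldap_attribute"]) or "").lower()
    for existing in local_users.values():
        if email and existing["email"] == email and existing["username"] != username:
            raise DuplicateEmail(f"Can't import user '{username}': email '{email}' "
                                 f"already belongs to local user '{existing['username']}'")
    local_users[username] = {"username": username, "email": email,
                             "uuid": get_attr(entry, config["uuid_ldap_attribute"]),
                             "dn": entry["dn"]}
    return local_users[username]


def run_demo():
    """Audit the directory, then import two principals that share a mail."""
    report = audit_uniqueness(LDAP_ENTRIES, CONFIG)
    local, outcomes = {}, []
    for principal in ("WeiDayq@BFINV.DE", "WeiDayq2@BFINV.DE"):  # constructed realm
        matches = resolve_principal(principal, LDAP_ENTRIES, CONFIG)
        if len(matches) != 1:
            outcomes.append((principal, f"{len(matches)} LDAP matches"))
            continue
        try:
            import_user(matches[0], local, CONFIG)
            outcomes.append((principal, "imported"))
        except DuplicateEmail as exc:
            outcomes.append((principal, str(exc)))
    return report, outcomes


if __name__ == "__main__":
    audit, results = run_demo()
    print("collisions:", audit)
    for principal, outcome in results:
        print(principal, "->", outcome)
```

Run against a real export, an empty result from audit_uniqueness is the precondition worth establishing before turning on the provider; any collision on the username or UUID attribute means a principal can resolve to more than one entry, and any collision on the mail attribute means the second import will fail exactly as the quoted exception does.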