[keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
Celso Agra
celso.agra at gmail.com
Fri Mar 10 08:40:07 EST 2017
I'm using slapd.
Here is the object classes that I'm using: top, inetOrgPerson, person,
organizationalPerson, phpgwAccount, shadowAccount
2017-03-10 7:41 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
> This looks like bad LDAP mapping for username and UUID. Which LDAP are you
> using btv?
>
> Marek
>
>
> On 09/03/17 16:03, Celso Agra wrote:
>
> Hi,
>
> I solved this error, just removing the MSAD account controls, but now I'm
> getting a new error, when I finished my registration:
> here is the log:
>
> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1)
>> UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action:
>> org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>> at org.jboss.resteasy.core.ExceptionHandler.
>> handleApplicationException(ExceptionHandler.java:76)
>> at org.jboss.resteasy.core.ExceptionHandler.handleException(
>> ExceptionHandler.java:212)
>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(
>> SynchronousDispatcher.java:168)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:411)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.
>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>> ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.
>> doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(
>> ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>> doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>> FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.
>> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.
>> java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.
>> handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.
>> SecurityContextAssociationHandler.handleRequest(
>> SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.
>> SSLInformationAssociationHandler.handleRequest(
>> SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.
>> ServletAuthenticationCallHandler.handleRequest(
>> ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.
>> ServletConfidentialityConstraintHandler.handleRequest(
>> ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.
>> CachedAuthenticatedSessionHandler.handleRequest(
>> CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.
>> handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>> tionHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.
>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>> PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.
>> handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.
>> dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$
>> 000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.
>> handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>> java:202)
>> at io.undertow.server.HttpServerExchange$1.run(
>> HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>> ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>> ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.NullPointerException
>> at org.keycloak.events.EventBuilder.user(EventBuilder.java:103)
>> at org.keycloak.services.resources.LoginActionsService.
>> initEvent(LoginActionsService.java:815)
>> at org.keycloak.services.resources.LoginActionsService.
>> access$500(LoginActionsService.java:88)
>> at org.keycloak.services.resources.LoginActionsService$
>> Checks.verifyRequiredAction(LoginActionsService.java:297)
>> at org.keycloak.services.resources.LoginActionsService.
>> processRequireAction(LoginActionsService.java:853)
>> at org.keycloak.services.resources.LoginActionsService.
>> requiredActionGET(LoginActionsService.java:846)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>> MethodInjectorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
>> ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>> ResourceMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.
>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>> ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:395)
>> ... 37 more
>
>
>
>
>
> 2017-03-09 9:47 GMT-03:00 Celso Agra <celso.agra at gmail.com>:
>
>> Got it!
>>
>> But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using the
>> "Edit Mode" as WRITABLE, but I'm not setting this attribute.
>> Here is my attributes:
>>
>>> cn
>>> MSAD account controls
>>> cpf
>>> creation date
>>> email
>>> first name
>>> last name
>>> modify date
>>> phpgwAccountStatus
>>> username
>>
>>
>> Thanks!!
>>
>> Best Regards,
>>
>> Celso Agra
>>
>> 2017-03-09 5:46 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>>
>>> Hi,
>>>
>>> The error may indicate that you configured "pwdLastSet" attribute mapper
>>> in Keycloak to write into the LDAP, but it looks that writing this
>>> attribute is unsupported. Maybe switch this mapper to read-only will help?
>>>
>>> Marek
>>>
>>>
>>> On 08/03/17 15:29, Celso Agra wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm trying to configure KC with LDAP, but some errors are occurring.
>>>> First, I configured my LDAP to write in the LDAP server, but for some
>>>> reasons I got this error when I try to register an user:
>>>>
>>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6)
>>>>
>>>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep
>>>>> tion:
>>>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>>>>>
>>>> at org.keycloak.federation.ldap.i
>>>> dm.store.ldap.LDAPOperationManager.
>>>>
>>>>> modifyAttributes(LDAPOperationManager.java:410)
>>>>>
>>>> at org.keycloak.federation.ldap.i
>>>> dm.store.ldap.LDAPOperationManager.
>>>>
>>>>> modifyAttributes(LDAPOperationManager.java:104)
>>>>>
>>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>>
>>>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>>>>>
>>>> at org.keycloak.federation.ldap.mappers.msad.
>>>>
>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>>>> MSADUserAccountControlMapper.java:235)
>>>>>
>>>> at org.keycloak.federation.ldap.mappers.msad.
>>>>
>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(
>>>>> MSADUserAccountControlMapper.java:220)
>>>>>
>>>> at org.keycloak.models.utils.User
>>>> ModelDelegate.addRequiredAction(
>>>>
>>>>> UserModelDelegate.java:112)
>>>>>
>>>> at org.keycloak.authentication.forms.RegistrationPassword.
>>>>
>>>>> success(RegistrationPassword.java:101)
>>>>>
>>>> at org.keycloak.authentication.Fo
>>>> rmAuthenticationFlow.processAction(
>>>>
>>>>> FormAuthenticationFlow.java:234)
>>>>>
>>>> at org.keycloak.authentication.DefaultAuthenticationFlow.
>>>>
>>>>> processAction(DefaultAuthenticationFlow.java:76)
>>>>>
>>>> at org.keycloak.authentication.AuthenticationProcessor.
>>>>
>>>>> authenticationAction(AuthenticationProcessor.java:759)
>>>>>
>>>> at org.keycloak.services.resource
>>>> s.LoginActionsService.processFlow(
>>>>
>>>>> LoginActionsService.java:356)
>>>>>
>>>> at org.keycloak.services.resources.LoginActionsService.
>>>>
>>>>> processRegistration(LoginActionsService.java:477)
>>>>>
>>>> at org.keycloak.services.resources.LoginActionsService.
>>>>
>>>>> processRegister(LoginActionsService.java:535)
>>>>>
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(
>>>>
>>>>> NativeMethodAccessorImpl.java:62)
>>>>>
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>>>
>>>>> DelegatingMethodAccessorImpl.java:43)
>>>>>
>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>
>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
>>>>
>>>>> MethodInjectorImpl.java:139)
>>>>>
>>>> at org.jboss.resteasy.core.Resour
>>>> ceMethodInvoker.invokeOnTarget(
>>>>
>>>>> ResourceMethodInvoker.java:295)
>>>>>
>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
>>>>
>>>>> ResourceMethodInvoker.java:249)
>>>>>
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.
>>>>
>>>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>>
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
>>>>
>>>>> ResourceLocatorInvoker.java:101)
>>>>>
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>>>
>>>>> SynchronousDispatcher.java:395)
>>>>>
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>>>>
>>>>> SynchronousDispatcher.java:202)
>>>>>
>>>> at org.jboss.resteasy.plugins.server.servlet.
>>>>
>>>>> ServletContainerDispatcher.service(ServletContainerDispatche
>>>>> r.java:221)
>>>>>
>>>> at org.jboss.resteasy.plugins.server.servlet.
>>>>
>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>
>>>> at org.jboss.resteasy.plugins.server.servlet.
>>>>
>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>
>>>> at javax.servlet.http.HttpServlet
>>>> .service(HttpServlet.java:790)
>>>>
>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(
>>>>
>>>>> ServletHandler.java:85)
>>>>>
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>>>
>>>>> doFilter(FilterHandler.java:129)
>>>>>
>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.
>>>>
>>>>> doFilter(KeycloakSessionServletFilter.java:90)
>>>>>
>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(
>>>>
>>>>> ManagedFilter.java:60)
>>>>>
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
>>>>
>>>>> doFilter(FilterHandler.java:131)
>>>>>
>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(
>>>>
>>>>> FilterHandler.java:84)
>>>>>
>>>> at io.undertow.servlet.handlers.s
>>>> ecurity.ServletSecurityRoleHandler.
>>>>
>>>>> handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>
>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.
>>>>
>>>>> handleRequest(ServletDispatchingHandler.java:36)
>>>>>
>>>> at org.wildfly.extension.undertow.security.
>>>>
>>>>> SecurityContextAssociationHandler.handleRequest(
>>>>> SecurityContextAssociationHandler.java:78)
>>>>>
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>>
>>>>> PredicateHandler.java:43)
>>>>>
>>>> at io.undertow.servlet.handlers.security.
>>>>
>>>>> SSLInformationAssociationHandler.handleRequest(
>>>>> SSLInformationAssociationHandler.java:131)
>>>>>
>>>> at io.undertow.servlet.handlers.security.
>>>>
>>>>> ServletAuthenticationCallHandler.handleRequest(
>>>>> ServletAuthenticationCallHandler.java:57)
>>>>>
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>>
>>>>> PredicateHandler.java:43)
>>>>>
>>>> at io.undertow.security.handlers.
>>>> AbstractConfidentialityHandler
>>>>
>>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>
>>>> at io.undertow.servlet.handlers.security.
>>>>
>>>>> ServletConfidentialityConstraintHandler.handleRequest(
>>>>> ServletConfidentialityConstraintHandler.java:64)
>>>>>
>>>> at io.undertow.security.handlers.
>>>> AuthenticationMechanismsHandle
>>>>
>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>
>>>> at io.undertow.servlet.handlers.security.
>>>>
>>>>> CachedAuthenticatedSessionHandler.handleRequest(
>>>>> CachedAuthenticatedSessionHandler.java:77)
>>>>>
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.
>>>>
>>>>> handleRequest(NotificationReceiverHandler.java:50)
>>>>>
>>>> at io.undertow.security.handlers.
>>>> AbstractSecurityContextAssocia
>>>>
>>>>> tionHandler.handleRequest(AbstractSecurityContextAssocia
>>>>> tionHandler.java:43)
>>>>>
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>>
>>>>> PredicateHandler.java:43)
>>>>>
>>>> at org.wildfly.extension.undertow.security.jacc.
>>>>
>>>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>>
>>>>> PredicateHandler.java:43)
>>>>>
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(
>>>>
>>>>> PredicateHandler.java:43)
>>>>>
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.
>>>>
>>>>> handleFirstRequest(ServletInitialHandler.java:284)
>>>>>
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.
>>>>
>>>>> dispatchRequest(ServletInitialHandler.java:263)
>>>>>
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$
>>>>
>>>>> 000(ServletInitialHandler.java:81)
>>>>>
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.
>>>>
>>>>> handleRequest(ServletInitialHandler.java:174)
>>>>>
>>>> at io.undertow.server.Connectors.
>>>> executeRootHandler(Connectors.
>>>>
>>>>> java:202)
>>>>>
>>>> at io.undertow.server.HttpServerExchange$1.run(
>>>>
>>>>> HttpServerExchange.java:793)
>>>>>
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(
>>>>
>>>>> ThreadPoolExecutor.java:1142)
>>>>>
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>>>
>>>>> ThreadPoolExecutor.java:617)
>>>>>
>>>> at java.lang.Thread.run(Thread.java:745)
>>>>
>>>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException:
>>>>
>>>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining
>>>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>>>>>
>>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>>>>
>>>> at com.sun.jndi.ldap.LdapCtx.proc
>>>> essReturnCode(LdapCtx.java:3082)
>>>>
>>>> at com.sun.jndi.ldap.LdapCtx.proc
>>>> essReturnCode(LdapCtx.java:2888)
>>>>
>>>> at com.sun.jndi.ldap.LdapCtx.c_mo
>>>> difyAttributes(LdapCtx.java:1475)
>>>>
>>>> at com.sun.jndi.toolkit.ctx.Compo
>>>> nentDirContext.p_modifyAttributes(
>>>>
>>>>> ComponentDirContext.java:277)
>>>>>
>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>>>
>>>>> modifyAttributes(PartialCompositeDirContext.java:192)
>>>>>
>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.
>>>>
>>>>> modifyAttributes(PartialCompositeDirContext.java:181)
>>>>>
>>>> at javax.naming.directory.InitialDirContext.modifyAttributes(
>>>>
>>>>> InitialDirContext.java:167)
>>>>>
>>>> at javax.naming.directory.InitialDirContext.modifyAttributes(
>>>>
>>>>> InitialDirContext.java:167)
>>>>>
>>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>>
>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>>>>>
>>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>>
>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>>>>>
>>>> at org.keycloak.federation.ldap.idm.store.ldap.
>>>>
>>>>> LDAPOperationManager.execute(LDAPOperationManager.java:535)
>>>>>
>>>> at org.keycloak.federation.ldap.i
>>>> dm.store.ldap.LDAPOperationManager.
>>>>
>>>>> modifyAttributes(LDAPOperationManager.java:402)
>>>>>
>>>> ... 59 more
>>>>
>>>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6)
>>>>
>>>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null,
>>>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials,
>>>>> auth_method=openid-connect, auth_type=code, redirect_uri=
>>>>> http://127.0.0.1:
>>>>> 8080/teste-portal/
>>>>>
>>>>
>>>> and then, I got this result in my ldap:
>>>>
>>>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>>>>
>>>> givenName:: IA==
>>>>
>>>> uid: 11111111111
>>>>
>>>> objectClass: top
>>>>
>>>> objectClass: inetOrgPerson
>>>>
>>>> objectClass: person
>>>>
>>>> objectClass: organizationalPerson
>>>>
>>>> objectClass: phpgwAccount
>>>>
>>>> objectClass: shadowAccount
>>>>
>>>> sn:: IA==
>>>>
>>>> cn:: IA==
>>>>
>>>> structuralObjectClass: inetOrgPerson
>>>>
>>>> entryUUID: 07f0e7caxxxxxxxxxxx
>>>>
>>>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>>>>
>>>> createTimestamp: 20170308140529Z
>>>>
>>>> entryCSN: 20170308140529.527857Z#000000#000#000000
>>>>
>>>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>>>
>>>> modifyTimestamp: 20170308140529Z
>>>>
>>>>
>>>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
>>>> givenName as 'IA=='. It looks like some problem occurs in my
>>>> configuration.
>>>>
>>>> please, need help!!
>>>>
>>>>
>>>> Best Regards,
>>>>
>>>>
>>>
>>
>>
>> --
>> ---
>> *Celso Agra*
>>
>
>
>
> --
> ---
> *Celso Agra*
>
>
>
--
---
*Celso Agra*
More information about the keycloak-user
mailing list