[keycloak-user] LDAP user federation with AD range retrieval
Sidney Beekhoven
sidney.beekhoven at info.nl
Tue Oct 9 07:30:39 EDT 2018
Hello,
We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
…
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval.
When i look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role.
For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil for more info about this.
The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so i will create a jira ticket for that.
Did anyone else maybe run into this issue, and if so had another solution for it?
Kind regards,
Sidney Beekhoven
More information about the keycloak-user
mailing list