[keycloak-user] LDAP user federation with AD range retrieval

Sidney Beekhoven - INFO sidney.beekhoven at info.nl
Tue Jun 4 11:19:31 EDT 2019


Hi Aaron,

I created ticket https://issues.jboss.org/browse/KEYCLOAK-8525 back then. That one was closed because there were some other tickets which would hopefully resolve this issue. In the meantime in version 6 some of those other tickets were solved and for us it solves the issue with AD range retrieval.

Regards,

Sidney Beekhoven


This looks to be an issue still in 5.0.0. Did you end up creating a ticket
for this? I had to do the same workaround for a similar issue I'm having
with larger groups not syncing from AD > Keycloak. Raising the MaxValRange
allowed that group to sync as well.
--
Aaron Echols

On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl>
wrote:

> Hello,
>
> We have a keycloak setup (3.4.3.Final) with active directory as a user
> federation provider. We ran into an issue with adding a certain role to
> users. We got an error message like this:
>
> Uncaught server error: org.keycloak.models.ModelException: Could not
> modify attribute for DN
> [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>  at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>  at
> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>  at
> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>  at
> org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>  at
> org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error
> code 16 - 00000057: LdapErr: DSID-0C090C03, comment:
> Error in attribute conversion operation, data 0, v1db1]; remaining name
> 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>  at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>  at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>  at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>  at
> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>  at
> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>
> After some investigation the issue is that active directory uses range
> retrieval when there are more than 1500 entries in the member (list)
> property of a group. See e.g.
> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval
> When I look at the keycloak source code it looks like keycloak does not
> handle/support the range retrieval, so an error happens when trying to add
> a user to that role.
>
> For now we work around the issue by setting the MaxValRange to a higher
> value. See
> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
> for more info about this.
>
> The real solution would probably be to add support for range retrieval in
> the keycloak ldap user federation provider, so I will create a jira ticket
> for that.
>
> Did anyone else maybe run into this issue, and if so had another solution
> for it?
>
> Kind regards,
> Sidney Beekhoven
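The range-retrieval loop the quoted message describes, as an added example that is not Keycloak's code or anything posted in this thread: it parses AD's `member;range=lo-hi` attribute names and keeps requesting `member;range=N-*` until the chunk ending in `*` arrives. The directory is a constructed in-memory stand-in (`make_fake_ad`) that serves members in MaxValRange-sized chunks the way AD does; the `search` callable and all names are assumptions for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# AD returns ranged attributes as "member;range=0-1499"; the final chunk uses "*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'attr;range=lo-hi' into (attr, lo, hi); hi is None for '*'."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def fetch_all_values(search: Callable[[str], Dict[str, List[str]]],
                     attr: str) -> List[str]:
    """Read every value of a multi-valued attribute, following range retrieval.
    search(requested_attr) performs one read of the entry and returns its
    attribute map (constructed stand-in below, not a live directory)."""
    values: List[str] = []
    requested = attr
    while True:
        entry = search(requested)
        if attr in entry:                  # not ranged: everything fit in one reply
            values.extend(entry[attr])
            return values
        ranged = next((n for n in entry if (p := parse_range_attr(n))
                       and p[0].lower() == attr.lower()), None)
        if ranged is None:                 # attribute absent, e.g. empty group
            return values
        _, _, hi = parse_range_attr(ranged)
        values.extend(entry[ranged])
        if hi is None:                     # "*" marks the last chunk
            return values
        requested = f"{attr};range={hi + 1}-*"   # ask for the next chunk


def make_fake_ad(members: List[str], max_val_range: int = 1500):
    """Constructed AD stand-in: serves the member list in MaxValRange-sized chunks."""
    def search(requested: str) -> Dict[str, List[str]]:
        parsed = parse_range_attr(requested)
        if parsed is None and len(members) <= max_val_range:
            return {"member": list(members)}   # small group: plain attribute
        lo = parsed[1] if parsed else 0
        chunk = members[lo:lo + max_val_range]
        last = lo + max_val_range >= len(members)
        key = f"member;range={lo}-{'*' if last else lo + len(chunk) - 1}"
        return {key: chunk}
    return search
```

Against a real server the `search` callable would be a base-scope read of the group DN requesting only the named attribute; `parse_range_attr` also lets a writer strip the `;range=` suffix so a membership modification targets the base `member` attribute rather than the ranged name AD handed back.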
