[keycloak-user] LDAP user federation with AD range retrieval

Aaron Echols aechols at bfcsaz.com
Thu May 23 12:53:27 EDT 2019


This looks to be an issue still in 5.0.0. Did you end up creating a ticket
for this? I had to do the same workaround for a similar issue I'm having
with larger groups not syncing from AD > Keycloak. Raising the MaxValRange
allowed that group to sync as well.
--
Aaron Echols

On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl>
wrote:

> Hello,
>
> We have a keycloak setup (3.4.3.Final) with active directory as a user
> federation provider. We ran into an issue with adding a certain role to
> users. We got an error message like this:
>
> Uncaught server error: org.keycloak.models.ModelException: Could not
> modify attribute for DN
> [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>  at
> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>  at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>  at
> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>  at
> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>  at
> org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>  at
> org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error
> code 16 - 00000057: LdapErr: DSID-0C090C03, comment:
> Error in attribute conversion operation, data 0, v1db1]; remaining name
> 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>  at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>  at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>  at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>  at
> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>  at
> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>
> After some investigation the issue is that active directory uses range
> retrieval when there are more than 1500 entries in the member (list)
> property of a group. See e.g.
> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval
> When I look at the keycloak source code it looks like keycloak does not
> handle/support the range retrieval, so an error happens when trying to add
> a user to that role.
>
> For now we work around the issue by setting the MaxValRange to a higher
> value. See
> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
> for more info about this.
>
> The real solution would probably be to add support for range retrieval in
> the keycloak ldap user federation provider, so I will create a jira ticket
> for that.
>
> Did anyone else maybe run into this issue, and if so had another solution
> for it?
>
> Kind regards,
> Sidney Beekhoven
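The range-retrieval behaviour Sidney describes, worked through as an added example (not Keycloak code and not from either poster): a constructed stand-in for an AD group entry that enforces MaxValRange, beside a client that walks the `member;range=lo-hi` chunks until the directory answers with a `-*` range. A naive lookup of the plain `member` attribute is included to show the failure mode: against a large group it sees no `member` attribute at all, only `member;range=0-1499`, which is the situation a client that does not understand the range option ends up in. Names such as `FakeADEntry` and `fetch_all_values` are invented for this illustration; the default of 1500 is the AD MaxValRange the thread mentions, and the `max_val_range` parameter mirrors the ntdsutil workaround.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches an LDAP attribute description carrying an AD range option,
# e.g. "member;range=0-1499" or the terminating "member;range=1500-*".
RANGE_RE = re.compile(
    r"^(?P<attr>[A-Za-z][\w-]*);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE
)


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (base_attr, lo, hi) for a ranged attribute name; hi is None for '*'.
    Returns None when the name carries no range option."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr").lower(), int(m.group("lo")), hi


class FakeADEntry:
    """Constructed stand-in for an AD group that enforces MaxValRange (default 1500).
    Only the 'member' attribute is modelled; this is not a real LDAP server."""

    def __init__(self, members: List[str], max_val_range: int = 1500) -> None:
        self.members = list(members)
        self.max_val_range = max_val_range

    def search(self, requested: str) -> Dict[str, List[str]]:
        """Emulate a base-scope search that asks for one attribute description."""
        parsed = parse_range_attr(requested)
        if parsed is None:
            # Plain "member": the whole list if it fits, otherwise the first chunk
            # under a ranged name (this is what surprises range-unaware clients).
            if len(self.members) <= self.max_val_range:
                return {"member": list(self.members)}
            lo = 0
        else:
            _, lo, _ = parsed
        hi = min(lo + self.max_val_range, len(self.members))
        chunk = self.members[lo:hi]
        if hi >= len(self.members):
            name = f"member;range={lo}-*"  # last chunk: server signals completion with '*'
        else:
            name = f"member;range={lo}-{hi - 1}"
        return {name: chunk}


def naive_member_lookup(entry: FakeADEntry) -> Optional[List[str]]:
    """What a client that ignores the range option sees: None for a large group."""
    return entry.search("member").get("member")


def fetch_all_values(entry: FakeADEntry, attr: str = "member",
                     max_rounds: int = 10_000) -> List[str]:
    """Drive AD range retrieval: request attr, then attr;range=N-* until a
    '*'-terminated range comes back. max_rounds bounds a misbehaving server."""
    values: List[str] = []
    requested = attr
    for _ in range(max_rounds):
        result = entry.search(requested)
        if attr in result:
            return list(result[attr])  # small attribute, never ranged
        for name, vals in result.items():
            parsed = parse_range_attr(name)
            if parsed and parsed[0] == attr.lower():
                _, _, hi = parsed
                values.extend(vals)
                if hi is None:
                    return values  # final chunk received
                requested = f"{attr};range={hi + 1}-*"
                break
        else:
            raise ValueError(f"no '{attr}' attribute in result: {list(result)}")
    raise RuntimeError("range retrieval did not terminate")


if __name__ == "__main__":
    # Constructed sample data: a group well above the 1500 default.
    big = FakeADEntry([f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3200)])
    print("naive lookup sees:", naive_member_lookup(big))          # None
    print("range-aware fetch:", len(fetch_all_values(big)), "members")  # 3200
```

Raising `max_val_range` above the group size makes `naive_member_lookup` succeed again, which is exactly why the ntdsutil workaround in the thread helps; the range-aware client is the durable fix because it returns the full list regardless of the server-side limit.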