[keycloak-user] LDAP user federation with AD range retrieval

Aaron Echols aechols at bfcsaz.com
Thu May 23 19:43:31 EDT 2019 

BTW, I have 3500 users in my group, it's still not syncing entirely. Since
I can't seem to actually figure out a way (even using kcadm.sh) to list out
the number of users in the Keycloak group, it's making it harder to see if
it another value that needs to be adjusted in Active Directory or something
on Keycloak's side. It's such a pain.
--
Aaron Echols

On Thu, May 23, 2019 at 9:53 AM Aaron Echols <aechols at bfcsaz.com> wrote:

> This looks to be an issue still in in 5.0.0. Did you end up creating
> ticket for this? I had to do the same workaround for a similar issue I'm
> having with larger groups not syncing from AD > Keycloak. Raising
> the MaxValRange allowed that group to sync as well.
> --
> Aaron Echols
>
> On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl>
> wrote:
>
>> Hello,
>>
>> We have a keycloak setup (3.4.3.Final) with active directory as a user
>> federation provider. We ran into an issue with adding a certain role to
>> users. We got an error message like this:
>>
>> Uncaught server error: org.keycloak.models.ModelException: Could not
>> modify attribute for DN
>> [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>>  at
>> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>>  at
>> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>>  at
>> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>>  at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>>  at
>> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>>  at
>> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>>  at
>> org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>>  at
>> org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
>>>> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error
>> code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment:
>> Error in attribute conversion operation, data 0, v1db1]; remaining name
>> ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>>  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>  at
>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>  at
>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>  at
>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>  at
>> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>  at
>> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>
>> After some investigation the issue is that active directory uses range
>> retrieval when there are more than 1500 entries in the member (list)
>> property of a group. See eg
>> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval
>> .
>> When i look at the keycloak source code it looks like keycloak does not
>> handle/support the range retrieval, so an error happens when trying to add
>> a user to that role.
>>
>> For now we work around the issue by setting the MaxValRange to a higher
>> value. See
>> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
>> for more info about this.
>>
>> The real solution would probably be to add support for range retrieval in
>> the keycloak ldap user federation provider, so i will create a jira ticket
>> for that.
>>
>> Did anyone else maybe run into this issue, and if so had another solution
>> for it?
>>
>> Kind regards,
>> Sidney Beekhoven
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

More information about the keycloak-user mailing list