[keycloak-user] LDAP user federation with AD range retrieval

Aaron Echols aechols at bfcsaz.com
Thu May 23 19:57:21 EDT 2019


So does anyone have any ideas on this? It shows users in the groups, but if I
check the user it doesn't show they are members...

kcadm.sh get users/uid/groups -r realm
[ ]

The WebUi shows them in this group, but none of the users show associated
with the group when I view them or use kcadm.sh to check their group
membership.

Starting to pull my hair out haha!
--
Aaron Echols

On Thu, May 23, 2019 at 4:43 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> BTW, I have 3500 users in my group, it's still not syncing entirely. Since
> I can't seem to actually figure out a way (even using kcadm.sh) to list out
> the number of users in the Keycloak group, it's making it harder to see if
> it's another value that needs to be adjusted in Active Directory or something
> on Keycloak's side. It's such a pain.
> --
> Aaron Echols
>
> On Thu, May 23, 2019 at 9:53 AM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> This looks to be an issue still in 5.0.0. Did you end up creating a
>> ticket for this? I had to do the same workaround for a similar issue I'm
>> having with larger groups not syncing from AD > Keycloak. Raising
>> the MaxValRange allowed that group to sync as well.
>> --
>> Aaron Echols
>>
>> On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl>
>> wrote:
>>
>>> Hello,
>>>
>>> We have a keycloak setup (3.4.3.Final) with active directory as a user
>>> federation provider. We ran into an issue with adding a certain role to
>>> users. We got an error message like this:
>>>
>>> Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>>>  at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>>>  at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>>>  at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>>>  at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>>>  at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>>>  at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>>>  at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>>>  at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
>>> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>>>  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>>  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>>  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>>  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>>  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>>  at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>  at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>
>>> After some investigation the issue is that active directory uses range
>>> retrieval when there are more than 1500 entries in the member (list)
>>> property of a group. See e.g.
>>> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval
>>> When I look at the keycloak source code it looks like keycloak does not
>>> handle/support the range retrieval, so an error happens when trying to add
>>> a user to that role.
>>>
>>> For now we work around the issue by setting the MaxValRange to a higher
>>> value. See
>>> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
>>> for more info about this.
>>>
>>> The real solution would probably be to add support for range retrieval
>>> in the keycloak ldap user federation provider, so I will create a jira
>>> ticket for that.
>>>
>>> Did anyone else maybe run into this issue, and if so had another
>>> solution for it?
>>>
>>> Kind regards,
>>> Sidney Beekhoven
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
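The range-retrieval behaviour Sidney describes (AD returning a large `member` attribute as `member;range=0-1499` and expecting the client to ask for the next slice) is the reason a consumer that only reads the plain `member` attribute sees an incomplete, or empty, membership list. The following is an added example, not code from the thread, from Keycloak or from Microsoft: it shows a client loop that follows the range option until the server signals the last slice with `*`, next to the truncated view a naive reader gets. `FakeAD` is a constructed stand-in for the LDAP search call, and the 1500 default for MaxValRange is the value the Microsoft article cited above documents; no live directory is contacted.

```python
"""Walk an AD multi-valued attribute delivered via range retrieval (added example)."""
import re
from typing import Dict, List, Optional, Tuple

MAX_VAL_RANGE = 1500  # AD default MaxValRange; larger groups are chunked into slices

# 'member;range=0-1499' -> attr='member', lo=0, hi=1499; hi='*' marks the final slice
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_option(attr_name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (attribute, low, high) for a ranged attribute name, or None if unranged.
    An upper bound of '*' is returned as None."""
    m = RANGE_RE.match(attr_name)
    if not m:
        return None
    hi = m.group("hi")
    return m.group("attr"), int(m.group("lo")), (None if hi == "*" else int(hi))


class FakeAD:
    """Constructed stand-in for an AD search that enforces MaxValRange on one attribute."""

    def __init__(self, groups: Dict[str, List[str]], max_val_range: int = MAX_VAL_RANGE):
        self.groups = groups
        self.max_val_range = max_val_range

    def search(self, group_dn: str, requested_attr: str) -> Dict[str, List[str]]:
        members = self.groups[group_dn]
        parsed = parse_range_option(requested_attr)
        attr, lo = (requested_attr, 0) if parsed is None else (parsed[0], parsed[1])
        if parsed is None and len(members) <= self.max_val_range:
            return {attr: list(members)}  # small group: plain attribute, no range option
        hi_excl = min(lo + self.max_val_range, len(members))
        last = "*" if hi_excl >= len(members) else str(hi_excl - 1)
        return {f"{attr};range={lo}-{last}": members[lo:hi_excl]}


def naive_value_count(ad: FakeAD, group_dn: str, attr: str = "member") -> int:
    """What a client that ignores the range option sees: only the plain attribute name."""
    return len(ad.search(group_dn, attr).get(attr, []))


def fetch_all_values(ad: FakeAD, group_dn: str, attr: str = "member") -> List[str]:
    """Collect every value of a multi-valued attribute, following range retrieval."""
    values: List[str] = []
    lo = 0
    request = attr
    while True:
        result = ad.search(group_dn, request)
        if attr in result:  # server did not chunk the reply
            values.extend(result[attr])
            return values
        ranged = [(name, parse_range_option(name), vals) for name, vals in result.items()]
        ranged = [r for r in ranged if r[1] is not None and r[1][0].lower() == attr.lower()]
        if not ranged:
            raise ValueError(f"attribute {attr!r} missing from reply for {group_dn}")
        _, (_, got_lo, got_hi), vals = ranged[0]
        if got_lo != lo:  # guard against gaps or overlaps between slices
            raise ValueError(f"server returned range starting at {got_lo}, expected {lo}")
        values.extend(vals)
        if got_hi is None:  # '*' upper bound: this was the last slice
            return values
        lo = got_hi + 1
        request = f"{attr};range={lo}-*"


# Constructed sample directory: a 3500-member group (the size mentioned in the
# thread) and a small one that fits in a single reply.
SAMPLE_DIRECTORY = FakeAD({
    "CN=big,OU=Groups,DC=example,DC=com": [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3500)],
    "CN=small,OU=Groups,DC=example,DC=com": [f"CN=u{i},OU=Users,DC=example,DC=com" for i in range(10)],
})


def demo() -> Dict[str, int]:
    """Compare the naive and range-aware member counts for the sample groups."""
    out = {}
    for dn in SAMPLE_DIRECTORY.groups:
        out[f"{dn} naive"] = naive_value_count(SAMPLE_DIRECTORY, dn)
        out[f"{dn} ranged"] = len(fetch_all_values(SAMPLE_DIRECTORY, dn))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check worth keeping from this is the comparison `demo()` makes: when the plain attribute read returns fewer values than the ranged walk, any access decision or sync built on the plain read is operating on a silently truncated group. Raising MaxValRange, as the thread does, only moves the threshold; a consumer that follows the range option is correct at any group size.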

