[keycloak-user] LDAP user federation with AD range retrieval

Aaron Echols aechols at bfcsaz.com
Fri May 24 13:52:17 EDT 2019


So I have a partial workaround, I have different OUs for my groups for IT
and for Users. I added multiple group mappers to handle the different OUs,
so I didn't suck all groups into Keycloak. The one that was pulling in the
large group wasn't working right. It would pull in the groups, but it
wouldn't populate the users correctly, while the group mapper for the IT OU
was populating correctly.

TL;DR: it seems you can't have more than one group mapper per user
federation for Active Directory.

Not sure if it's a bug or not...
--
Aaron Echols

On Thu, May 23, 2019 at 4:57 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> So does anyone have any ideas on this? It shows users in the groups, if I
> check the user it doesn't show they are members...
>
> kcadm.sh get users/uid/groups -r realm
> [ ]
>
> The WebUi shows them in this group, but none of the users show associated
> with the group when I view them or use kcadm.sh to check their group
> membership.
>
> Starting to pull my hair out haha!
> --
> Aaron Echols
>
> On Thu, May 23, 2019 at 4:43 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> BTW, I have 3500 users in my group, it's still not syncing entirely.
>> Since I can't seem to actually figure out a way (even using kcadm.sh) to
>> list out the number of users in the Keycloak group, it's making it harder
>> to see if it's another value that needs to be adjusted in Active Directory or
>> something on Keycloak's side. It's such a pain.
>> --
>> Aaron Echols
>>
>> On Thu, May 23, 2019 at 9:53 AM Aaron Echols <aechols at bfcsaz.com> wrote:
>>
>>> This looks to be an issue still in 5.0.0. Did you end up creating a
>>> ticket for this? I had to do the same workaround for a similar issue I'm
>>> having with larger groups not syncing from AD > Keycloak. Raising
>>> the MaxValRange allowed that group to sync as well.
>>> --
>>> Aaron Echols
>>>
>>> On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <
>>> sidney.beekhoven at info.nl> wrote:
>>>
>>>> Hello,
>>>>
>>>> We have a Keycloak setup (3.4.3.Final) with Active Directory as a user
>>>> federation provider. We ran into an issue with adding a certain role to
>>>> users. We got an error message like this:
>>>>
>>>> Uncaught server error: org.keycloak.models.ModelException: Could not
>>>> modify attribute for DN
>>>> [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>>>>  at
>>>> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>>>>  at
>>>> org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>>>>  at
>>>> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>>>>  at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>>>>  at
>>>> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>>>>  at
>>>> org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>>>>  at
>>>> org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>>>>  at
>>>> org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
>>>> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP:
>>>> error code 16 - 00000057: LdapErr: DSID-0C090C03,
>>>> comment: Error in attribute conversion operation, data 0, v1db1]; remaining
>>>> name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>>>>  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>>>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>>>  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>>>  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>>>  at
>>>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>>>  at
>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>>>  at
>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>>>  at
>>>> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>>  at
>>>> javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>>
>>>> After some investigation the issue is that Active Directory uses range
>>>> retrieval when there are more than 1500 entries in the member (list)
>>>> property of a group. See e.g.
>>>> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval
>>>> .
>>>> When I look at the Keycloak source code it looks like Keycloak does not
>>>> handle/support the range retrieval, so an error happens when trying to add
>>>> a user to that role.
>>>>
>>>> For now we work around the issue by setting the MaxValRange to a higher
>>>> value. See
>>>> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
>>>> for more info about this.
>>>>
>>>> The real solution would probably be to add support for range retrieval
>>>> in the Keycloak LDAP user federation provider, so I will create a Jira
>>>> ticket for that.
>>>>
>>>> Did anyone else maybe run into this issue, and if so had another
>>>> solution for it?
>>>>
>>>> Kind regards,
>>>> Sidney Beekhoven
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
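The following is an added example, not code from this thread and not Keycloak's own LDAP provider. It shows the range-retrieval walk that Sidney's message says the provider lacks: a client asks for `member`, Active Directory answers with the values under the name `member;range=0-1499` once the group exceeds the MaxValRange policy (1500 by default), and the client has to keep requesting `member;range=N-*` until the server returns a page whose name ends in `*`. A client that only reads the plain `member` key sees nothing, which is the "group shows members, users show no groups" symptom above. A live directory is replaced by a constructed in-memory stand-in (`FakeADEntry`, an assumption that imitates the documented server behaviour, with the 3500-member group and the raised MaxValRange from the thread as constructed inputs), so the script runs offline; `parse_range_option`, `walk_ranges` and `naive_member_count` are names chosen here, not Keycloak or ldap APIs.

```python
# Added example, not code from the thread or from Keycloak: how an LDAP client
# has to walk Active Directory's range retrieval for a large multi-valued
# attribute such as `member`. A live AD is replaced by a constructed in-memory
# stand-in (FakeADEntry) that imitates the documented server behaviour.
import re
from typing import Dict, List, Optional, Tuple

# AD's default LDAP policy value; raising it is the workaround used in the thread.
DEFAULT_MAX_VAL_RANGE = 1500

_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_option(attr_name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'member;range=1500-2999' into ('member', 1500, 2999).

    The high bound is None for the '*' form ('member;range=3000-*'), which is
    how AD marks the final page. Returns None for a plain attribute name.
    """
    m = _RANGE_RE.match(attr_name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


class FakeADEntry:
    """Constructed stand-in for one AD group entry (simplified server, an assumption).

    Imitates the documented behaviour: when 'member' has more values than
    MaxValRange, a request for plain 'member' comes back under the name
    'member;range=0-1499' and the plain 'member' key is absent from the result.
    """

    def __init__(self, dn: str, members: List[str], max_val_range: int = DEFAULT_MAX_VAL_RANGE):
        self.dn = dn
        self.members = list(members)
        self.max_val_range = max_val_range

    def search_attribute(self, requested: str) -> Dict[str, List[str]]:
        """Answer one attribute request; keys are the attribute names AD would return."""
        n = len(self.members)
        rng = parse_range_option(requested)
        if rng is None:
            if requested.lower() != "member":
                return {}
            if n <= self.max_val_range:
                return {"member": list(self.members)}  # small group: no range option at all
            lo, hi = 0, self.max_val_range - 1
        else:
            base, lo, hi = rng
            if base.lower() != "member":
                return {}
            # The server never returns more than MaxValRange values in one page.
            hi = lo + self.max_val_range - 1 if hi is None else min(hi, lo + self.max_val_range - 1)
        if lo >= n:
            return {f"member;range={lo}-*": []}  # nothing left: terminal empty page
        last = min(hi, n - 1)
        page = self.members[lo:last + 1]
        marker = "*" if last == n - 1 else str(last)
        return {f"member;range={lo}-{marker}": page}


def walk_ranges(entry: FakeADEntry, attr: str = "member") -> Tuple[List[str], List[str]]:
    """Collect every value of `attr`, following range pages until the '*' page.

    Returns (all_values, attribute_names_seen) so the paging can be inspected.
    """
    values: List[str] = []
    seen: List[str] = []
    requested = attr
    while True:
        result = entry.search_attribute(requested)
        if not result:
            return values, seen  # attribute absent entirely
        name, page = next(iter(result.items()))
        seen.append(name)
        values.extend(page)
        rng = parse_range_option(name)
        if rng is None or rng[2] is None:
            return values, seen  # plain attribute or '*' page: done
        _, _, hi = rng
        requested = f"{attr};range={hi + 1}-*"  # ask for the next page


def naive_member_count(entry: FakeADEntry) -> int:
    """What a client that only reads the plain 'member' key sees (the failing pattern)."""
    return len(entry.search_attribute("member").get("member", []))


if __name__ == "__main__":
    # Constructed sample: a group with 3500 members, like the one in the thread.
    dns = [f"CN=user{i:04d},OU=Users,DC=example,DC=com" for i in range(3500)]
    big = FakeADEntry("CN=Big,OU=Groups,DC=example,DC=com", dns)
    print("naive client sees", naive_member_count(big), "members")
    members, pages = walk_ranges(big)
    print("range-aware client sees", len(members), "members via", pages)
```

Run as-is, the naive read of the 3500-member group returns 0 members while the range walk returns all 3500 across three pages (`member;range=0-1499`, `member;range=1500-2999`, `member;range=3000-*`). Constructing the same entry with `max_val_range=4000` makes the naive read succeed, which is exactly what raising MaxValRange on the domain controller does for a client that never implemented the walk; the walk is the fix that does not depend on a directory-wide policy change.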