Registering user fails using LDAP Federation #30831
Comments
Changed version to 25.0.1 (quay.io/keycloak/keycloak:25.0.1), exact same issue occurs at the exact same place. Attached is the full log from startup. There are a lot of getClientById() errors - but that is a known issue and does not seem to be an issue. I then disabled the User Federation, and ran it again. This time it worked as expected (homeboymike).
Thanks for confirming this is still an issue in the latest version. We'll try to get this triaged.
@puggimer I'm trying to understand the problem and it seems it was working on 20 but not in 24. Can you please confirm how it works in 22 or 23? Can you also send the logs for the same problem but when using 20? We could try to compare both 20 and 24 and see where they are behaving differently. One thing that is weird is that the user
And this is because the
Can you please provide the value of the
I'm also wondering why you are using the
@pedroigor Sorry, took a long weekend (with the holiday Thursday in the USA). Yes, it does seem strange to me that it is attempting to remove the old user after changing the CN - my thought was it is a cleanup step in the case that the update left something behind. You are correct that it does not use the new DN and that seems odd - I am wondering if the old DN is cached and it is not recalculating it when the CN changes? I don't have the LDAP_ID of that user as it has been deleted (and recreated) many times with different usernames (but the same emails, as I only have a few accounts to play with, especially when using my CAC (i.e. X509)). As for using the CN as the UUID - it is unique so it works. However this configuration is also something I inherited, so I had not looked at changing this at all. I'll look at this, but it requires me to stand up a separate OpenLDAP server to play with. I'm working on getting the version 20 logs - however that is deployed in AWS ECS Fargate, so it is not as simple as a straight docker deployment.
I'm not able to get logs from the 20.0.4 version due to some unrelated errors (in the software that calls it).
@puggimer I can not reproduce the error. I'm using exactly the same mappers. I'm not sure what else to investigate. My best guess is that you are using the The fact you are mapping the full name as a
Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce. Please provide additional details, otherwise this issue will be automatically closed within 14 days.
Due to lack of updates in the last 14 days this issue will be automatically closed.
Before reporting an issue
Area
ldap
Describe the bug
I have a 20.0.4 version of keycloak working with Open LDAP.
Instead of upgrading, I made a new installation using 24.0.4. Everything works fine, until I turn on User Federation with Open LDAP (using the same configuration that is working in 20.0.4).
Users can register with no issue if User Federation is disabled. If User Federation is turned on, the user receives an "internal error occurred" message.
Version
24.0.4
Regression
Expected behavior
User should be able to register using LDAP federation (this is working in our 20.0.4 version).
Actual behavior
I have TRACE turned on, and see where an LDAP entry is created, but it is using the USERNAME field in the CN. It then renames the entry, changing the CN to the FullName. Then, after calling removeUserLoginFailure on the original CN (i.e. username), it tries to get the user information using the old CN - which now no longer exists. This causes an exception to be thrown:
2024-06-26 16:12:59,501 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-13) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFirstAttribute(String)" because the return value of "org.keycloak.authentication.RequiredActionContext.getUser()" is null
and the user gets a screen showing that an internal error has occurred.
The user IS added to the LDAP server however, and appears to be correct (though they still have to acknowledge the Terms and Conditions).
How to Reproduce?
Enable user federation. User requests access and is granted, and they receive an email with an accept-invite link
https://ardisdev-sso.usaftechconnect.com/invitations/accept-invite/bczjrvrjdhfotvmolmshev1qqrfsoa417uw2qb7aqvzpcngddxuz0vqs3nxy6hfv
This takes them to keycloak to register. Once they hit the Register button, they see a screen with "An internal server error has occurred"
Anything else?
Attached is the TRACE of the full registration session.
kc.log
At line 7410 the CN is changed
At line 752 there is a modify operation with the new cn, but then at line 769 there is a lookupById, which uses the OLD cn (this is for a removeUserLoginFailure).
This seems to be ok, but then at line 803 it attempts to look up the old CN again, this time failing and giving the user the error.
The ldap entry has been added and is still there however.
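To make the sequence from the TRACE concrete, here is a constructed Python simulation (added here; it is not Keycloak's or OpenLDAP's code) in which a lookup that reuses the DN cached at creation time returns nothing once the RDN has been rewritten from cn=<username> to cn=<full name>, while recomputing the DN from the user's current cn still finds the entry. The FakeDirectory class, the base DN and the sample names are assumptions.

```python
# Constructed simulation (added example, not Keycloak's or OpenLDAP's code) of the
# failure mode in this report: an entry is created with cn=<username>, the RDN is then
# rewritten to cn=<full name>, and a later lookup that reuses the DN cached at creation
# time finds nothing. All DNs, names and the FakeDirectory class are constructed.
from typing import Optional


class FakeDirectory:
    """Minimal in-memory stand-in for an LDAP subtree keyed by DN."""

    def __init__(self) -> None:
        self.entries: dict[str, dict[str, str]] = {}

    def add(self, dn: str, attrs: dict[str, str]) -> None:
        self.entries[dn] = dict(attrs)

    def modrdn(self, old_dn: str, new_rdn: str) -> str:
        """Rename an entry the way a modifyDN with deleteoldrdn=1 does; returns the new DN."""
        parent = old_dn.split(",", 1)[1]
        entry = self.entries.pop(old_dn)
        attr, value = new_rdn.split("=", 1)
        entry[attr] = value
        new_dn = f"{new_rdn},{parent}"
        self.entries[new_dn] = entry
        return new_dn

    def lookup(self, dn: str) -> Optional[dict[str, str]]:
        """Equivalent of a base-scope search on the DN: None when the entry is gone."""
        return self.entries.get(dn)


def dn_for(user: dict[str, str], rdn_attr: str, base: str) -> str:
    """Derive the DN from the user's *current* RDN attribute rather than a cached value."""
    return f"{rdn_attr}={user[rdn_attr]},{base}"


def register(base: str, username: str, full_name: str):
    """Replay the sequence from the TRACE: create, rename the RDN, then look the user up twice."""
    directory = FakeDirectory()
    user = {"cn": username, "uid": username, "mail": f"{username}@example.test"}
    cached_dn = dn_for(user, "cn", base)             # DN computed once, at creation time
    directory.add(cached_dn, user)
    user["cn"] = full_name                            # full-name mapper updates the model ...
    directory.modrdn(cached_dn, f"cn={full_name}")    # ... and the entry's RDN in LDAP
    stale = directory.lookup(cached_dn)               # old DN reused -> None (the NPE path)
    fresh = directory.lookup(dn_for(user, "cn", base))  # DN recomputed from current cn
    return stale, fresh
```

The stale path is what a caller must guard against (a null user means the DN was not recomputed), and the fresh path is the behaviour a caller gets when the DN is derived from the current RDN attribute.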