Error when writing user from Keycloak to LDAP #35002

aadamovicienc · 2024-11-15T16:07:03Z

aadamovicienc
Nov 15, 2024

Hello,

I have a Keycloak 26.0.5 server deployed that is linked to a google IdP and federated with an Active Directory environment.

If I create a user in Keycloak UI, the user gets written into LDAP.

If I login into a client using the IdP, it does not create the user in AD and fails with the following error:

KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.storage.ldap.idm.model.LDAPDn.toString()" because the return value of "org.keycloak.storage.ldap.idm.model.LDAPObject.getDn()" is null
at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.setEnabled(MSADUserAccountControlStorageMapper.java:252)
at org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator.authenticateImpl(IdpCreateUserIfUniqueAuthenticator.java:87)
at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:76)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:465)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:291)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:400)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:269)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1074)
at org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:919)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:912)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:380)
at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:951)
at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:823)
at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$firstBrokerLoginGet_4319965f5ab7d0aadd2e5b5f2cde702e4aaaf535.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1583)

This is working in my development environment with Keycloak version 25.0.6.

Can anyone help me understand why it's failing?

github-user-deepanshu · 2024-11-16T17:17:50Z

github-user-deepanshu
Nov 16, 2024

hey,
flow this steps.

Go to the Keycloak Admin Console.
Navigate to User Federation > LDAP > Mappers.
Check the mappers responsible for fetching LDAP user attributes (including DN) and ensure they are configured correctly.

0 replies

aadamovicienc · 2024-11-17T09:43:07Z

aadamovicienc
Nov 17, 2024
Author

Hello,

All the mappers are configured the same as the development environment where I don't have the issue. Most of the mappers are defaulted, it's just the MSAD and username mappers that I have changed. MSAD has checkboxes unchecked and the username mapper uses email instead of cn.

0 replies

OstenTV · 2025-02-13T15:00:45Z

OstenTV
Feb 13, 2025

Did you find a solution to this yet? I have the same problem here.
I tried to change the MSAD mapper password hint, but did not fix it.
Edit mode: WRITABLE
Username LDAP attribute: sAMAccountName
RDN LDAP attribute: CN
UUID LDAP attribute: objectGUID
User object classes: person, organizationalPerson, user
Sync Registrations: On
Mappers are stock configuration. I did try to add harcoded password attribute as sugested by the help box of Enable the LDAPv3 password modify extended operation. This did not work.

1 reply

aadamovicienc Feb 13, 2025
Author

No, didn't find a solution. I just reverted to the previous version that was working fine.

LividSquid · 2025-02-27T16:50:47Z

LividSquid
Feb 27, 2025

I believe we're running into a similar issue on 26.1.2. When we create a user in the UI, the user does get created, but we're met with an error and the user is not fully configured. We see the following in the logs:

2025-02-26 22:07:50,540 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-31) Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [<dn redacted>]
--
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:604)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:115)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:155)
at org.keycloak.storage.ldap.mappers.LDAPTransaction.commitImpl(LDAPTransaction.java:59)
at org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:46)
at org.keycloak.services.DefaultKeycloakTransactionManager.lambda$commitWithTracing$0(DefaultKeycloakTransactionManager.java:169)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:59)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:69)
at org.keycloak.services.DefaultKeycloakTransactionManager.commitWithTracing(DefaultKeycloakTransactionManager.java:168)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:146)
at org.keycloak.services.DefaultKeycloakSession.closeTransactionManager(DefaultKeycloakSession.java:396)
at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:361)
at org.keycloak.models.KeycloakBeanProducer_ProducerMethod_getKeycloakSession_XoSEUTXOsE3bpqXlGMAykCiECUM_ClientProxy.close(Unknown Source)
at org.keycloak.quarkus.runtime.transaction.TransactionalSessionHandler.close(TransactionalSessionHandler.java:60)
at org.keycloak.quarkus.runtime.integration.jaxrs.CloseSessionFilter.closeSession(CloseSessionFilter.java:67)
at org.keycloak.quarkus.runtime.integration.jaxrs.CloseSessionFilter.filter(CloseSessionFilter.java:63)
at org.jboss.resteasy.reactive.server.handlers.ResourceResponseFilterHandler.handle(ResourceResponseFilterHandler.java:25)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name '<dn redacted>'
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3333)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
at java.naming/com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1505)
at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at java.naming/javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:213)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:585)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:581)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:742)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:714)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributesNaming(LDAPOperationManager.java:581)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:602)
... 26 more

Most search results suggest that LDAP: error code 53 - 0000052D is a password-related issue, however after doing some digging and enabling trace logging, I noticed these log messages:

2025-02-26 22:07:50,509 DEBUG [org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper] (executor-thread-31) Going to propagate enabled=true for ldapUser '<dn redacted>' to MSAD
--
2025-02-26 22:07:50,509 DEBUG [org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper] (executor-thread-31) Updating userAccountControl of user '<dn redacted>' to value '0'. Realm is '<realm>'

The MSADUserAccountControlStorageMapper is trying to write a userAccountControl value of 0, which is not a valid value. I suspect this is because setEnabled has been recently modified to write to AD immediately in #34470. My suspicion is that ldapUser does not get updated with values from AD after creation. So any values are just what Keycloak knows about (no value for dn in your case and none for userAccountControl in mine). I think pulling the user from AD before trying to perform any update actions on it may do the trick to fix both of our issues.

I'm going to try to find the time to debug this, but I'm commenting here in the hopes that someone who's already familiar with the codebase and setup to test can do so as well.

Edit: I just found #29206 which refers to some consistency issues when using clustered OpenLDAP. We're using a multi-DC AD, as well, and according to Microsoft, AD-DS uses a multi-master loose consistency with convergence replication model. Now I'm wondering if, perhaps, createSubcontext should return the entire context/object, rather than just the UUID. Again, hoping someone who's actually familiar with the codebase can provide insight.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Error when writing user from Keycloak to LDAP #35002

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Error when writing user from Keycloak to LDAP #35002

Uh oh!

aadamovicienc Nov 15, 2024

Replies: 4 comments · 1 reply

Uh oh!

github-user-deepanshu Nov 16, 2024

Uh oh!

aadamovicienc Nov 17, 2024 Author

Uh oh!

OstenTV Feb 13, 2025

Uh oh!

aadamovicienc Feb 13, 2025 Author

Uh oh!

Uh oh!

LividSquid Feb 27, 2025

aadamovicienc
Nov 15, 2024

Replies: 4 comments 1 reply

github-user-deepanshu
Nov 16, 2024

aadamovicienc
Nov 17, 2024
Author

OstenTV
Feb 13, 2025

aadamovicienc Feb 13, 2025
Author

LividSquid
Feb 27, 2025