LDAP user creation reports error but user is created · Issue #29206 · keycloak/keycloak · GitHub
LDAP user creation reports error but user is created #29206
Closed
@davidfrickert

Description

Area

ldap

Describe the bug

When creating a user in a realm that is federating with an LDAP server, the UI reports an error and error logs can be seen, but the user is actually created and shows up in Keycloak search.
It is a little strange, as the UI gives the idea that the user was not created, but that is not true. If I attempt to create the user again, it fails, obviously, as the user already exists in the LDAP backend.

I believe this is caused by a clustered OpenLDAP deployment.

I suspect that the failures occur when the query hits replicas that don't yet have the newly created user. Successes should be when the creation and query both hit the same replica.

Logs:

2024-05-02 08:00:32,660 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (executor-thread-3) Could not query server using DN [uid=ldapdavid,ou=users,dc=asml,dc=com] and filter [(objectclass=*)]: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=ldapdavid,ou=users,dc=asml,dc=com'
        at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3285)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
        at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
        at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:305)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:258)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:255)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:721)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:701)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:696)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:255)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getEntryIdentifier(LDAPIdentityStore.java:611)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:104)
        at org.keycloak.storage.ldap.LDAPUtils.lambda$addUserToLDAP$1(LDAPUtils.java:115)
        at org.keycloak.storage.ldap.idm.model.LDAPObject.executeConsumerOnMandatoryAttributesComplete(LDAPObject.java:269)
        at org.keycloak.storage.ldap.idm.model.LDAPObject.executeOnMandatoryAttributesComplete(LDAPObject.java:82)
        at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:113)
        at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:320)
        at org.keycloak.storage.UserStorageManager.lambda$addUser$16(UserStorageManager.java:329)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.stream.SortedOps$RefSortingSink.end(SortedOps.java:400)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
        at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:528)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:331)
        at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:810)
        at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:162)
        at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:149)
        at org.keycloak.userprofile.DefaultUserProfile.create(DefaultUserProfile.java:96)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:146)
        at org.keycloak.services.resources.admin.UsersResource$quarkusrestinvoker$createUser_49ad02a153eab6ba1571548b97a4fecbdc7a7465.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)

2024-05-02 08:00:32,664 WARN  [org.keycloak.services.resources.admin.UsersResource] (executor-thread-3) Could not create user: org.keycloak.models.ModelException: Could not retrieve identifier for entry [uid=ldapdavid,ou=users,dc=asml,dc=com].
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getEntryIdentifier(LDAPIdentityStore.java:622)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:104)
        at org.keycloak.storage.ldap.LDAPUtils.lambda$addUserToLDAP$1(LDAPUtils.java:115)
        at org.keycloak.storage.ldap.idm.model.LDAPObject.executeConsumerOnMandatoryAttributesComplete(LDAPObject.java:269)
        at org.keycloak.storage.ldap.idm.model.LDAPObject.executeOnMandatoryAttributesComplete(LDAPObject.java:82)
        at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:113)
        at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:320)
        at org.keycloak.storage.UserStorageManager.lambda$addUser$16(UserStorageManager.java:329)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.stream.SortedOps$RefSortingSink.end(SortedOps.java:400)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
        at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
        at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:528)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
        at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:331)
        at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:810)
        at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:162)
        at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:149)
        at org.keycloak.userprofile.DefaultUserProfile.create(DefaultUserProfile.java:96)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:146)
        at org.keycloak.services.resources.admin.UsersResource$quarkusrestinvoker$createUser_49ad02a153eab6ba1571548b97a4fecbdc7a7465.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)

Version

24.0.3

Regression

  • The issue is a regression

Expected behavior

UI and logs show no errors when creating a user in a realm with LDAP federation.
User is created.

Actual behavior

UI and logs show errors when creating a user in a realm with LDAP federation.
User is created.

How to Reproduce?

Kubernetes:

Deploy Keycloak in cluster mode with the operator, with e.g. 3 instances.
Deploy OpenLDAP in cluster mode with the openldap-stack-ha chart, with e.g. 3 instances.

Create realm and federate with OpenLDAP.
Try to create some users. Some will fail, some will succeed. I suspect that the failures are when the query hits replicas that don't yet have the newly created user. Successes should be when the creation and query both hit the same replica.

Anything else?

No response
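The read-after-write race the reporter suspects, as an added simulation that is not part of the issue, of Keycloak, or of OpenLDAP. It models a set of LDAP replicas behind one load balancer with asynchronous replication, reproduces the spurious "No Such Object" (result code 32) on the identifier lookup that follows a successful add, and shows two defender-side mitigations: pinning the read-back to the replica that took the write, and a bounded retry that treats the error as transient. All names (`LaggyCluster`, `create_pinned`, `create_with_retry`), the DNs and the attribute values are constructed for the example.

```python
import random
from dataclasses import dataclass, field

# Constructed simulation, not Keycloak or OpenLDAP code. Models the race the
# issue describes: the add lands on one replica, the read-back of the entry
# identifier is routed to another replica that has not replicated yet.

LDAP_NO_SUCH_OBJECT = 32  # result code seen in the reporter's log


class NoSuchObject(Exception):
    """Stands in for javax.naming.NameNotFoundException (LDAP error code 32)."""


@dataclass
class Replica:
    name: str
    entries: dict = field(default_factory=dict)

    def add(self, dn, attrs):
        self.entries[dn] = dict(attrs)

    def search(self, dn):
        if dn not in self.entries:
            raise NoSuchObject(
                f"[LDAP: error code {LDAP_NO_SUCH_OBJECT} - No Such Object]; "
                f"remaining name '{dn}'")
        return self.entries[dn]


class LaggyCluster:
    """Replicas behind one load balancer; a write is visible only on the
    replica that took it until replicate() runs (asynchronous replication)."""

    def __init__(self, names, rng):
        self.replicas = [Replica(n) for n in names]
        self.rng = rng
        self.pending = []  # (dn, attrs) not yet copied to every replica

    def any_replica(self):
        # Each new connection may land on a different member, like a k8s Service.
        return self.rng.choice(self.replicas)

    def add(self, dn, attrs):
        target = self.any_replica()
        target.add(dn, attrs)
        self.pending.append((dn, attrs))
        return target  # the replica that currently holds the write

    def replicate(self):
        for dn, attrs in self.pending:
            for r in self.replicas:
                r.add(dn, attrs)
        self.pending.clear()


def create_naive(cluster, dn, attrs):
    """Add, then look the entry up again on whatever replica answers: the
    pattern that yields a spurious error after a successful create."""
    cluster.add(dn, attrs)
    return cluster.any_replica().search(dn)


def create_pinned(cluster, dn, attrs):
    """Mitigation A: read back on the same replica (connection) that took the write."""
    target = cluster.add(dn, attrs)
    return target.search(dn)


def create_with_retry(cluster, dn, attrs, max_attempts=3):
    """Mitigation B: treat 'No Such Object' right after a successful add as
    transient and retry a bounded number of times while replication catches up.
    Returns (entry, attempts_used)."""
    cluster.add(dn, attrs)
    for attempt in range(1, max_attempts + 1):
        try:
            return cluster.any_replica().search(dn), attempt
        except NoSuchObject:
            # Stands in for the backoff delay during which replication completes.
            cluster.replicate()
    raise NoSuchObject(f"entry {dn} not visible after {max_attempts} attempts")


def simulate(trials=50, seed=7):
    """Run each strategy `trials` times against fresh clusters; return failure counts."""
    rng = random.Random(seed)
    names = ["ldap-0", "ldap-1", "ldap-2"]
    failures = {"naive": 0, "pinned": 0, "retry": 0}
    for i in range(trials):
        dn = f"uid=user{i},ou=users,dc=example,dc=com"  # constructed DN
        attrs = {"uid": f"user{i}", "objectClass": ["inetOrgPerson"]}
        for strategy, fn in (("naive", create_naive),
                             ("pinned", create_pinned),
                             ("retry", create_with_retry)):
            try:
                fn(LaggyCluster(names, rng), dn, attrs)
            except NoSuchObject:
                failures[strategy] += 1
    return failures


if __name__ == "__main__":
    print(simulate())
```

With three replicas the naive path fails on roughly two out of three creates, matching the "some fail, some succeed" pattern in the report, while both mitigations never report an error for an entry that was in fact written. When triaging such logs, a `NameNotFoundException` that immediately follows a successful add for the same DN is the signature to look for before assuming the write itself failed.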
