Hi All,
I am now configuring Open OnDemand 3 on my servers, which run Rocky Linux 8. I am installing Keycloak 22 with JDK 17. Keycloak (KC) works fine on its own; I tested it with a local user account added through the KC GUI. However, my LDAP User Federation setting does not work at all. When I try to log in through Open OnDemand, it says no user found. I also tried to sync the LDAP users directly in KC, and that did not work either (it says 0 users synced, etc.).
Did I miss something? Is there a way I can debug it? The error message is not very helpful. Any help is appreciated!
Thanks
Feng
The KC setting is as follows (the host name, DNs and bind credential are replaced with "xx" placeholders):
“org.keycloak.storage.UserStorageProvider” : [ {
“id” : “811729e0-887e-4589-82ba-144ae72c35eb”,
“name” : “ldap”,
“providerId” : “ldap”,
“subComponents” : {
“org.keycloak.storage.ldap.mappers.LDAPStorageMapper” : [ {
“id” : “f615204e-ca17-4e04-94a3-c84ace3e626c”,
“name” : “username”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “cn” ],
“is.mandatory.in.ldap” : [ “true” ],
“read.only” : [ “true” ],
“always.read.value.from.ldap” : [ “false” ],
“user.model.attribute” : [ “username” ]
}
}, {
“id” : “8c80fdb2-bb16-43ff-91c4-c1d9e5c131bc”,
“name” : “last name”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “sn” ],
“is.mandatory.in.ldap” : [ “true” ],
“always.read.value.from.ldap” : [ “true” ],
“read.only” : [ “true” ],
“user.model.attribute” : [ “lastName” ]
}
}, {
“id” : “8c80fdb2-bb16-43ff-91c4-c1d9e5c131bc”,
“name” : “last name”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “sn” ],
“is.mandatory.in.ldap” : [ “true” ],
“always.read.value.from.ldap” : [ “true” ],
“read.only” : [ “true” ],
“user.model.attribute” : [ “lastName” ]
}
}, {
“id” : “cd971510-c509-4e91-95f6-9d1971b8ec58”,
“name” : “email”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “mail” ],
“is.mandatory.in.ldap” : [ “false” ],
“read.only” : [ “true” ],
“always.read.value.from.ldap” : [ “false” ],
“user.model.attribute” : [ “email” ]
}
}, {
“id” : “a2315378-5159-4cd8-9c60-643778cf3175”,
“name” : “creation date”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “whenCreated” ],
“is.mandatory.in.ldap” : [ “false” ],
“attribute.force.default” : [ “true” ],
“is.binary.attribute” : [ “false” ],
“read.only” : [ “true” ],
“always.read.value.from.ldap” : [ “true” ],
“user.model.attribute” : [ “createTimestamp” ]
}
}, {
“id” : “c63091eb-2313-4973-a394-0a095d402f36”,
“name” : “first name”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “givenName” ],
“is.mandatory.in.ldap” : [ “true” ],
“read.only” : [ “true” ],
“always.read.value.from.ldap” : [ “true” ],
“user.model.attribute” : [ “firstName” ]
}
}, {
“id” : “cb601f3e-8db7-4e19-95a2-c79dabf312ca”,
“name” : “modify date”,
“providerId” : “user-attribute-ldap-mapper”,
“subComponents” : { },
“config” : {
“ldap.attribute” : [ “whenChanged” ],
“attribute.force.default” : [ “true” ],
“is.mandatory.in.ldap” : [ “false” ],
“is.binary.attribute” : [ “false” ],
“always.read.value.from.ldap” : [ “true” ],
“read.only” : [ “true” ],
“user.model.attribute” : [ “modifyTimestamp” ]
}
} ]
},
“config” : {
“fullSyncPeriod” : [ “-1” ],
“pagination” : [ “false” ],
“startTls” : [ “false” ],
“usersDn” : [ “dc=xx,dc=xx,dc=xx” ],
“connectionPooling” : [ “false” ],
“cachePolicy” : [ “DEFAULT” ],
“useKerberosForPasswordAuthentication” : [ “false” ],
“importEnabled” : [ “false” ],
“enabled” : [ “true” ],
“bindDn” : [ “CN=xx” ],
“usernameLDAPAttribute” : [ “cn” ],
“bindCredential” : [ “xxx” ],
“changedSyncPeriod” : [ “-1” ],
“vendor” : [ “other” ],
“uuidLDAPAttribute” : [ “uidNumber” ],
“allowKerberosAuthentication” : [ “false” ],
“connectionUrl” : [ “ldaps://xx:636” ],
“syncRegistrations” : [ “false” ],
“authType” : [ “simple” ],
“krbPrincipalAttribute” : [ “krb5PrincipalName” ],
“searchScope” : [ “2” ],
“useTruststoreSpi” : [ “always” ],
“usePasswordModifyExtendedOp” : [ “false” ],
“trustEmail” : [ “false” ],
“userObjectClasses” : [ “inetOrgPerson, organizationalPerson” ],
“rdnLDAPAttribute” : [ “cn” ],
“editMode” : [ “READ_ONLY” ],
“validatePasswordPolicy” : [ “false” ]
}
} ],