User Federation Troubles

My environment
CentOS 8, 2 Cores, 4 GB memory, 250 HDD
Keycloak version 8.0.1
Java version 1.8.0_232

All,
This is my first time using Keycloak and everything seemed to work well. I have enabled/configured a User Federation LDAP provider with the vendor Active Directory and configured the edit mode as WRITABLE.

I have a bind DN with a domain Admin account. I was able to sync all users to Keycloak and no problems occurred.
When I create a user in the Keycloak UI and try to resync that user to MSAD, only the first name, last name, email and domain group are synced.
The password and login name are not. I did find this but wasn't sure if this would be the fix.

https://issues.redhat.com/projects/KEYCLOAK/issues/KEYCLOAK-12340?filter=allopenissues

I also noticed the Enable button when creating a user does not work. Once you navigate to a different tab and/or save the user, it disables again. I must enable it through MSAD.
Pretty much have the same problems as this.

I was thinking that I may not have configured something correctly on the Keycloak server? Or is there something I need to configure on Microsoft AD?

Any advice or direction would be appreciated
Thank you in advance

See: Keycloak, Flowable and OpenLDAP

I’m seeing the same on Keycloak 8.0.1 and Windows Server 2016 AD. Seems not to be a configuration issue, but rather a couple code issues:

  • KEYCLOAK-12340: the LDAP user password is not changed from the Keycloak Admin Console
  • KEYCLOAK-12437: AD-linked users can’t be enabled in Keycloak due to a msad-user-account-control-mapper regression

This is blocking our deployment plans for Keycloak, so we’re also waiting for that fix in 9.0.0.

Just curious (easy to overlook, but folks do it a lot with LDAP-enabled applications): is your LDAP connection secure (LDAPS)? If not, AD won't let you change your password over LDAP because it is insecure and can be sniffed, etc.

@teverson

See: Keycloak, Flowable and OpenLDAP

I have upgraded Keycloak to version 9.0.2. The user "Enable" button stays on but does not enable the user on MSAD. When creating a user on the Web UI I can no longer set the password for that user: "Error! Could not modify attribute for DN." My bind user for User Federation was granted all permissions for read and write on the Organizational Unit "Users" in AD. Users imported are good, but writing back attributes is failing. Again, the only attributes that were configured in MSAD from Keycloak are First Name, Last Name, Email, ID. Password attributes are not configured, nor is the user enabled in MSAD, even though Keycloak shows the user is enabled. Any help or suggestion would be greatly appreciated.

Ah, I now understand Windows not changing the password attribute,
but I'm confused about configuring LDAPS. I have a public and private key I used for Nginx (reverse proxy); my DC has a CA. So I tried this:
https://bl.ocks.org/magnetikonline/0ccdabfec58eb1929c997d22e7341e45, no joy.
I'm very new to certs, especially between Linux & Windows.

Any help or direction would be appreciated.
Thanks in advance.

Hi @gsmith

I had the same problem and solved it here using the Docker version of Keycloak.

Maybe this helps, at least for the LDAPS connection. I still can’t change passwords… :roll_eyes:


Hi @gsmith,

Not sure if you got this working, but on my side it was that we were using AD LDS instead of AD DS, so the proper account control mapper to use is: msad-lds-user-account-control-mapper.

Hope this helps.


Thank you,

My issue ended up being that I needed LDAPS and had to learn how to create the certs for a secure connection between Keycloak and MSAD. Microsoft limits what is writable, and the only way is using LDAPS.

This was my resolution, using LDAPS, from here.

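The post above says the fix was LDAPS between Keycloak and AD but not how the trust was set up. The script below is an added example (not code from the thread, not Keycloak's own tooling) of the Keycloak-side part of that procedure: export the domain CA certificate on the DC, import it into a Java truststore on the Keycloak host, register that truststore with Keycloak's truststore SPI, and verify the chain with openssl before touching the admin console. The host name `dc01.example.com`, the Keycloak install path `/opt/keycloak`, the truststore path and password, and the WildFly `jboss-cli` form of the truststore SPI configuration (taken from the Keycloak 9 server installation guide, standalone mode) are assumptions; adjust them to your environment. Nothing is executed unless `RUN_LDAPS_SETUP=1` is set, so the file can be sourced to use the helpers individually.

```bash
#!/usr/bin/env bash
# Added example: trusting the AD CA for an LDAPS user federation in Keycloak 9 (WildFly distribution).
# Assumed values; override via the environment.
set -euo pipefail

DC_HOST="${DC_HOST:-dc01.example.com}"          # assumed domain controller
DC_PORT="${DC_PORT:-636}"                       # LDAPS (implicit TLS)
KC_HOME="${KC_HOME:-/opt/keycloak}"             # assumed Keycloak install path
CA_DER="${CA_DER:-ad-root-ca.cer}"              # exported on the DC with: certutil -ca.cert ad-root-ca.cer
CA_PEM="${CA_PEM:-ad-root-ca.pem}"
TRUSTSTORE="${TRUSTSTORE:-${KC_HOME}/standalone/configuration/ldap-truststore.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"  # assumed; use a real secret in production

# 0 only for an LDAP connection URL that is encrypted on the wire (ldaps://).
# Plain ldap://...:389 is exactly the case where AD refuses the unicodePwd write.
ldap_url_is_secure() {
  case "$1" in
    ldaps://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Builds the Connection URL to paste into the LDAP provider in the admin console.
keycloak_ldaps_url() {
  printf 'ldaps://%s:%s' "$1" "$2"
}

# AD's certutil exports DER; keytool accepts DER or PEM, but PEM is easier to inspect.
ca_der_to_pem() {
  openssl x509 -inform der -in "$CA_DER" -out "$CA_PEM"
  openssl x509 -in "$CA_PEM" -noout -subject -issuer -enddate
}

# Create the truststore (or add to it) with the CA certificate only; no private key needed here.
import_ca_into_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias ad-root-ca \
    -file "$CA_PEM" -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
  keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Prove the DC's LDAPS certificate chains to that CA and that the name matches the host
# Keycloak will dial; "Verify return code: 0 (ok)" is what you want to see.
verify_dc_chain() {
  openssl s_client -connect "${DC_HOST}:${DC_PORT}" -CAfile "$CA_PEM" \
    -verify_hostname "$DC_HOST" </dev/null 2>/dev/null | grep 'Verify return code'
}

# Register the truststore with Keycloak's truststore SPI (server must be running for jboss-cli -c).
# Afterwards set "Use Truststore SPI" to "Always" on the LDAP provider.
configure_truststore_spi() {
  "${KC_HOME}/bin/jboss-cli.sh" -c <<EOF
/subsystem=keycloak-server/spi=truststore/:add
/subsystem=keycloak-server/spi=truststore/provider=file/:add(properties={file => "${TRUSTSTORE}", password => "${TRUSTSTORE_PASS}", hostname-verification-policy => "WILDCARD", disabled => "false"},enabled=true)
EOF
}

main() {
  local url
  url="$(keycloak_ldaps_url "$DC_HOST" "$DC_PORT")"
  ldap_url_is_secure "$url" || { echo "refusing to continue: $url is not ldaps://" >&2; return 1; }
  ca_der_to_pem
  import_ca_into_truststore
  verify_dc_chain
  configure_truststore_spi
  echo "Connection URL for the LDAP provider: $url"
}

if [ "${RUN_LDAPS_SETUP:-0}" = "1" ]; then
  main
fi
```

This answers the later question in the thread as well: enabling LDAP over SSL on the DC only makes port 636 available; Keycloak still needs the connection URL switched to `ldaps://`, and unless the DC certificate is issued by a CA already in the JVM's default truststore, the CA has to be imported and the provider told to use the truststore SPI, otherwise the bind fails with a certificate error. Keep the truststore restricted to the CA certificate; the Nginx key pair mentioned earlier in the thread is not involved on this side of the connection.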

If LDAP over SSL is already configured on the AD server, do I also need to set it up in Keycloak?

Sorry for the delay

Perhaps this post may help