Keycloak - Error during sync of users


Nicolás A.R

May 2, 2019, 9:24:09 PM
to dcm4che
Ok, continuing with the manual local installation, choosing the secured version, this new error happened:

My steps:

- I used the LDAP Configuration and Keycloak User Federation ldif file

LDAP - No entry selected - Apache Directory Studio-2019-05-02 18.jpg

- inserting all data provided into keycloak (new realm: dcm4che - client: dcm4chee-arc-ui - user federation: ldap)
- testing connection and authentication


Keycloak Admin Console-2019-05-02 (2).jpg

- save 
- synchronize all users <------------------Fails
[LDAP: error code 12 - critical control unavailable in context]; remaining name 'ou=users,dc=dcm4che,dc=org'

Keycloak Admin Console-2019-05-02.jpg

Attached the log to see what went wrong; I can provide more information if necessary, thanks.


server.log

vrinda...@j4care.com

May 3, 2019, 4:44:29 AM
to dcm4che
Please see attached screenshots and corresponding Keycloak server.log. If all steps of LDAP Configuration and Keycloak User Federation were followed exactly as mentioned, it works.
Keycloak-Ldap-UserFederation.pdf
server.log

Nicolás A.R

May 3, 2019, 4:15:54 PM
to dcm4che
Thank you for sharing your keycloak configuration screen and server log, but I think my error is related to ldap or the ldif step, because I can't see on the left-hand menu any user created with the ldif imported into ldap. Should it be there before or after the sync in keycloak? Is it a better option to add roles and users manually than with ldif? Where do I have to look to see if I made a mistake?

Keycloak Admin Console-2019-05-03 16_04_56.jpg

Keycloak Admin Console-2019-05-03 16.jpg

I appreciate your help

vrinda...@j4care.com

May 6, 2019, 4:05:49 AM
to dcm4che
You need to first import the default-users.ldif file in your LDAP. This file has the roles, users and passwords.

Once you have imported this ldif file, you proceed to do the steps as mentioned to create an LDAP user federation in Keycloak. The roles and users are only visible in Keycloak after the mentioned steps are done and Synchronize all users to Keycloak and Synchronize LDAP roles to Keycloak is triggered.

You may choose to manually add roles and users instead of importing ldif and creating LDAP user federation in Keycloak.
But the benefit of having a user federation is that your users and their passwords and roles are not lost if you choose to upgrade Keycloak, since this data is in LDAP. Whereas if you add them manually directly in Keycloak you lose the user data during Keycloak upgrades.

Nicolás A.R

May 6, 2019, 10:26:43 PM
to dcm4che
Yes, as you can see on my first screenshot, I've imported the ldif into ldap using Apache Directory Studio, showing ou=users, ou=realm-management. I tried the ldif because, as you well say, it is better to keep the data on the ldap side if it is necessary at some point to upgrade keycloak. I've double-checked the steps, but still nothing, the same error again.

my ldap.properties 
keycloak-6.0.1\standalone\configuration\keycloak\ldap.properties

keycloak-6.0.1_standalone_configuration_keycloak_ldap.properties - Notep-2019-05-06.jpg

A few steps before:
jboss (add system properties, event listener, etc)

CLI GUI-2019-05-06 22_19_17.jpg

Maybe I overlooked or am missing something, but I don't know what else to do to fix this.

Once again thanks for your time and help.

gunterze

May 7, 2019, 4:55:48 AM
to dcm4che
Guess something is wrong with your User Federation configuration. You may compare it with that from the preconfigured keycloak docker image, see screenshot.

You may also verify, if you can fetch the user information by ldapsearch, e.g.:

$ ldapsearch -xW -Dcn=admin,dc=dcm4che,dc=org -b ou=users,dc=dcm4che,dc=org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=dcm4che,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# users, dcm4che.org
dn: ou=users,dc=dcm4che,dc=org
ou: users
objectClass: organizationalUnit
objectClass: top

# user, users, dcm4che.org
dn: cn=user,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
member: uid=user,ou=users,dc=dcm4che,dc=org
cn: user
objectClass: groupOfNames

# admin, users, dcm4che.org
dn: cn=admin,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
cn: admin
objectClass: groupOfNames

# user, users, dcm4che.org
dn: uid=user,ou=users,dc=dcm4che,dc=org
uid: user
sn:: IA==
cn:: IA==
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword:: dXNlcg==

# admin, users, dcm4che.org
dn: uid=admin,ou=users,dc=dcm4che,dc=org
uid: admin
sn:: IA==
cn:: IA==
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword:: YWRtaW4=

# auditlog, users, dcm4che.org
dn: cn=auditlog,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
cn: auditlog
objectClass: groupOfNames

# ADMINISTRATOR, users, dcm4che.org
dn: cn=ADMINISTRATOR,ou=users,dc=dcm4che,dc=org
objectClass: groupOfNames
cn: ADMINISTRATOR
member: uid=admin,ou=users,dc=dcm4che,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

Screenshot_2019-05-07 Keycloak Admin Console.png

Nicolas A.R

May 7, 2019, 6:06:45 PM
to dcm4che
Hey gunterze.

I compared the User Federation Configuration of keycloak with your screenshot and it is ok. Doing the ldapsearch command gives me something different: the ADMINISTRATOR part is missing on my side. If this is relevant, how can I add it?

# extended LDIF
#
# LDAPv3
# base <ou=users,dc=dcm4che,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# users, dcm4che.org
dn: ou=users,dc=dcm4che,dc=org
ou: users
objectClass: organizationalUnit
objectClass: top

# admin, users, dcm4che.org
dn: cn=admin,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
cn: admin
objectClass: groupOfNames

# auditlog, users, dcm4che.org
dn: cn=auditlog,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
cn: auditlog
objectClass: groupOfNames

# user, users, dcm4che.org
dn: cn=user,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
member: uid=user,ou=users,dc=dcm4che,dc=org
cn: user
objectClass: groupOfNames

# admin, users, dcm4che.org
dn: uid=admin,ou=users,dc=dcm4che,dc=org
uid: admin
sn:: IA==
cn:: IA==
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword:: YWRtaW4=

# user, users, dcm4che.org
dn: uid=user,ou=users,dc=dcm4che,dc=org
uid: user
sn:: IA==
cn:: IA==
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword:: dXNlcg==

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

gunterze

May 8, 2019, 4:40:46 AM
to dcm4che
ADMINISTRATOR role is only needed if you want to protect the Wildfly Administration Console with Keycloak.

There may also be errors in the ldap-role mapper configuration of your User Federation Configuration. See attached screenshots for the mapping of Realm roles to ou=users,dc=dcm4che,dc=org and of Realm Management roles to ou=realm-management,dc=dcm4che,dc=org.

I recommend testing with the docker images for Keycloak and/or Slapd, and if that works, analyzing the differences with your native installations.

ldap-role-mapping.png
ldap-role-mapping-realm-management.png

Nicolas A.R

May 9, 2019, 6:56:19 PM
to dcm4che
Hey again, gunterze!

Today, testing and filling in the data that you provided me for mapping Realm Roles and Realm Management, hoping to fix the issue even though the installation step says it comes after the synchronize users part, unfortunately the same error kept occurring. So, in an attempt to test and analyze with docker as you recommended, I was looking at the user federation page (again), understanding what each option does and setting others to OFF, and finally I found the culprit (I don't know what to call it): it is the pagination option. Changing it to OFF allowed me to sync users successfully.

Keycloak Admin Console-2019-05-09 18_00_35.jpg

Keycloak Admin Console-2019-05-09 17_53_44.jpg

The question is: is it necessary for this option to be ON? If yes, do I have to set up pagination in ldap? Where? How? Because if I leave it ON again, the error appears again.

Oh, and thanks for clarification of ADMINISTRATOR part!!

Greetings.

gunterze

May 17, 2019, 6:37:36 AM
to dcm4che
I cannot reproduce the issue with OpenLDAP 2.4.44 included in docker image dcm4che/slapd-dcm4che. User Synchronization works with Pagination ON and OFF. 
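
An added diagnostic helper (example code, not part of this thread or of dcm4che/Keycloak) for the checks the thread walks through: it parses ldapsearch LDIF output including the base64 `::` form, lists DNs present in a reference dump but missing from another (as with the ADMINISTRATOR group above), flags userPassword values stored without a {SCHEME} hash prefix (the dumps above store them base64-encoded but unhashed), and tests a rootDSE dump for the Simple Paged Results control (OID 1.2.840.113556.1.4.319) that Keycloak sends as a critical control when Pagination is ON; LDAP result code 12 is unavailableCriticalExtension, the server's answer to a critical control it does not support. All sample dumps are constructed, and the rootDSE sample is from a hypothetical server.

```python
import base64
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # Simple Paged Results control (RFC 2696)

# Constructed, trimmed samples in the shape of the thread's ldapsearch output.
EXPECTED_LDIF = """\
dn: ou=users,dc=dcm4che,dc=org

dn: uid=user,ou=users,dc=dcm4che,dc=org
uid: user
userPassword:: dXNlcg==

dn: cn=ADMINISTRATOR,ou=users,dc=dcm4che,dc=org
member: uid=admin,ou=users,dc=dcm4che,dc=org
"""
ACTUAL_LDIF = """\
dn: ou=users,dc=dcm4che,dc=org

dn: uid=user,ou=users,dc=dcm4che,dc=org
uid: user
userPassword:: e1NTSEF9YWJj
"""
# Constructed rootDSE answer of a hypothetical server (ldapsearch -x -s base -b "" supportedControl).
ROOTDSE_LDIF = "dn:\nsupportedControl: 2.16.840.1.113730.3.4.18\nsupportedControl: 1.2.840.113556.1.4.319\n"

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a '::' separator marks a base64-encoded value."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith("#"):                  # ldapsearch comment lines
            continue
        if not line.strip():                      # blank line ends an entry
            if "dn" in current:                   # skips the trailing "search:/result:" block
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def missing_dns(reference, actual):
    """DNs present in the reference dump but absent from the dump under test."""
    return sorted(set(parse_ldif(reference)) - set(parse_ldif(actual)))

def cleartext_passwords(text):
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored unhashed."""
    return sorted(dn for dn, entry in parse_ldif(text).items()
                  if any(not v.startswith("{") for v in entry.get("userPassword", [])))

def supports_paged_results(rootdse_text):
    """True if the rootDSE advertises the control Keycloak sends when Pagination is ON."""
    return PAGED_RESULTS_OID in parse_ldif(rootdse_text).get("", {}).get("supportedControl", [])
```

If the rootDSE of a server does not list the OID, turning Pagination OFF (as done above) is the expected workaround, since the server would reject the critical control with result code 12.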

Nicolas A.R

May 20, 2019, 4:32:24 PM
to dcm...@googlegroups.com
Well, it must be my installation then. Might it be some other config (checked twice), the older version of OpenLDAP, or even Windows perhaps? I have not had the chance to compare with docker to see if there is something different without it.

As I stated in another post, my specs and files are:

Windows 7 x86
OpenLDAP 2.4.40 
Apache Directory Studio 2.0.0-M9
Dcm4chee-arc-5.16.1-mysql-secure-ui
Keycloak-6.0.1
Wildfly-16.0.0