[Keycloak v9.0.0.] Could not modify attribute for DN

Stehlin Lalaina

Feb 20, 2020, 7:53:02 AM
to keyclo...@googlegroups.com
Hello,
 
We have a User Federation connected to an MSAD (2012 R2); the LDAP provider is in Edit mode Writable, Import Users is set to ON, as is Sync Registrations. Username LDAP attribute is set to sAMAccountName. The account used to bind to MSAD has delegated access rights to create/delete user accounts. The connection is made through ldaps.
 
We are able to import all users from AD, and a user/admin can change the email, last name and first name. Unfortunately neither a user nor an admin can change the password.
 
Error message:
ERROR [org.keycloak.services] (default task-1) KC-SERVICES0065: Failed to update Password: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxx,OU=Sandbox,OU=Contracts,DC=xxx,DC=net]
 
Maybe it's related, as we cannot create a new user from Keycloak either. It looks like CN is not being sent; indeed, in the server.log we have
 
Error:
 
WARN [org.keycloak.services.resources.admin.UsersResource] (default task-34) Could not create user: org.keycloak.models.ModelException: RDN Attribute [cn] is not filled. Filled attributes: {whenChanged=[], whenCreated=[], mail=[], sAMAccountName=[u_klc], displayName=[], givenName=[ ], sn=[ ]}
 
Even though we have filled in mail and sn in the form, it still shows [] in the log.
 
Thanks for any help.
 
Regards.
LSTE

Jan Lieskovsky

Feb 20, 2020, 8:28:38 AM
to Stehlin Lalaina, keyclo...@googlegroups.com
Hello Stehlin,

On Thu, Feb 20, 2020 at 1:53 PM Stehlin Lalaina <Lalaina...@avasad.ch> wrote:
Hello,
 
We have a User Federation connected to an MSAD (2012 R2); the LDAP provider is in Edit mode Writable, Import Users is set to ON, as is Sync Registrations. Username LDAP attribute is set to sAMAccountName. The account used to bind to MSAD has delegated access rights to create/delete user accounts. The connection is made through ldaps.
 
We are able to import all users from AD, and a user/admin can change the email, last name and first name. Unfortunately neither a user nor an admin can change the password.

What is the version of Keycloak you are trying this with? There's a known issue (confirmed for versions v8.0.0, v8.0.1, and v8.0.2):

causing LDAP user password resets not to be synced back to LDAP server, even with WRITABLE mode being used. But
that one should be fixed in Keycloak v9.0.0 already AFAICT. Could you retry?
 
 
Error message:
ERROR [org.keycloak.services] (default task-1) KC-SERVICES0065: Failed to update Password: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxx,OU=Sandbox,OU=Contracts,DC=xxx,DC=net]
 
Maybe it's related, as we cannot create a new user from Keycloak either. It looks like CN is not being sent; indeed, in the server.log we have
 
Error:
 
WARN  [org.keycloak.services.resources.admin.UsersResource] (default task-34) Could not create user: org.keycloak.models.ModelException: RDN Attribute [cn] is not filled. Filled attributes: {whenChanged=[], whenCreated=[], mail=[], sAMAccountName=[u_klc], displayName=[], givenName=[ ], sn=[ ]}
 
Even though we have filled in mail and sn in the form, it still shows [] in the log.
 
Thanks for any help.
 
Regards.
LSTE

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/2314b358a4134166a5158058886482ef%40avasad.ch.


Regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team


P.S.: If you can reproduce the above with the latest Keycloak v9.0.0 too, it's probably a different issue. Please file a new JIRA in that case (describing the steps you take, any further AD server settings used, etc.).

 

Stehlin Lalaina

Feb 20, 2020, 8:36:28 AM
to Jan Lieskovsky, keyclo...@googlegroups.com
We've updated Keycloak 8.0.2 to 9.0.0 yesterday. So now we're using the latest release and still cannot change the password, nor create a new user from Keycloak.

Did I miss a step during the upgrade? I followed https://www.keycloak.org/docs/latest/upgrading/index.html#_upgrading to upgrade the server.

FYI we do have a standalone server

-----------------------------------------------------------------------------------------------
From: keyclo...@googlegroups.com [mailto:keyclo...@googlegroups.com] On behalf of Jan Lieskovsky
Sent: Thursday, 20 February 2020 14:28
To: Stehlin Lalaina
Cc: keyclo...@googlegroups.com
Subject: Re: [keycloak-user] [Keycloak v9.0.0.] Could not modify attribute for DN

Jan Lieskovsky

Feb 20, 2020, 10:41:12 AM
to Stehlin Lalaina, keyclo...@googlegroups.com
On Thu, Feb 20, 2020 at 2:36 PM Stehlin Lalaina <Lalaina...@avasad.ch> wrote:
We've updated Keycloak 8.0.2 to 9.0.0 yesterday. So now we're using the latest release and still cannot change the password, nor create a new user from Keycloak.

Ok, thanks for confirming!
 

Did I miss a step during the upgrade? I followed https://www.keycloak.org/docs/latest/upgrading/index.html#_upgrading to upgrade the server.

FYI we do have a standalone server

There shouldn't be any other step (besides the migration itself) necessary. I quickly tried the recipe for the standalone one,
for Apache DS, starting from v8.0.2, and it worked fine (it wasn't possible to reset the password in 8.0.2 originally; it was
synced back to LDAP after migrating to 9.0.0).

Is there some further "Caused by:" message in / below the:

Error message:
ERROR [org.keycloak.services] (default task-1) KC-SERVICES0065: Failed to update Password: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxx,OU=Sandbox,OU=Contracts,DC=xxx,DC=net]

exception too?

Does it print some further error message when you enable the Debug flag or Trace logging of LDAP?

Or some strange / suspicious message in the Event Viewer on the Microsoft Active Directory 2012 side, from the time an attempt
to reset the password was performed on the Keycloak side?

Stehlin Lalaina

Feb 24, 2020, 6:38:24 AM
to Jan Lieskovsky, keyclo...@googlegroups.com
Hello Jan,

In standalone.xml, I've added
<logger category="org.keycloak.federation.ldap">
<level name="DEBUG"/>
</logger>

To get more information.

And I get

ERROR [org.keycloak.services] (default task-1) KC-SERVICES0065: Failed to update Password: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxx,OU=Sandbox,OU=xxx,DC=ext,DC=xxx]

....

Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'CN=xxx,OU=Sandbox,OU=xxx,DC=ext,DC=xxx'

It seems ldaps was the issue here.

We'll address that first and see how it goes.

Thanks again for your help

Lalaina




From: Jan Lieskovsky [mailto:jlie...@redhat.com]
Sent: Thursday, 20 February 2020 16:41
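As an added example (not code from the thread or from Keycloak), here is a small Python helper that parses the two Keycloak server.log messages quoted in this thread: the AD diagnostic behind the "Could not modify attribute for DN" failure and the "RDN Attribute [cn] is not filled" message from user creation. The sample log lines are constructed, and the hint table mapping Windows error codes and AD problem names to their usual cause is my own interpretation of these well-known diagnostics, not project documentation.

```python
import re

# Windows error (hex) + AD problem name -> usual cause. The table is my own reading of these
# well-known AD diagnostics (an assumption), not Keycloak or Microsoft documentation.
HINTS = {
    ("0000001F", "WILL_NOT_PERFORM"): "AD refused the write. For unicodePwd this is the reply to a "
        "password modify sent over a connection AD does not treat as secure: confirm the federation "
        "URL is ldaps:// and that the AD certificate chain is in the Keycloak truststore.",
    ("0000052D", "CONSTRAINT_ATT_TYPE"): "New password violates the domain password policy "
        "(length, complexity, history or minimum age).",
    ("00002098", "INSUFF_ACCESS_RIGHTS"): "The bind account lacks rights on the target object; "
        "review the delegation granted on the OU.",
}
AD_DIAG = re.compile(r"error code (?P<rc>\d+) - (?P<win>[0-9A-Fa-f]{8}):")
AD_PROBLEM = re.compile(r"problem (?P<num>\d+) \((?P<name>[A-Z_]+)\)")
RDN_ERR = re.compile(r"RDN Attribute \[(?P<rdn>\w+)\] is not filled\. "
                     r"Filled attributes: \{(?P<attrs>[^}]*)\}")

def classify_ad_error(log_text):
    """Return LDAP result code, Windows error, AD problem and a hint, or None if no AD diagnostic."""
    diag, prob = AD_DIAG.search(log_text), AD_PROBLEM.search(log_text)
    if not diag or not prob:
        return None
    key = (diag.group("win").upper(), prob.group("name"))
    return {"result_code": int(diag.group("rc")), "win32_error": key[0],
            "problem": int(prob.group("num")), "problem_name": key[1],
            "hint": HINTS.get(key, "Unrecognised AD diagnostic; enable LDAP DEBUG logging in "
                                   "Keycloak and check the Directory Service event log on the DC.")}

def rdn_attribute_report(log_text):
    """From 'RDN Attribute [cn] is not filled', list which mapped attributes were sent empty."""
    m = RDN_ERR.search(log_text)
    if not m:
        return None
    filled = {}
    for item in m.group("attrs").split(", "):
        name, value = item.split("=", 1)
        filled[name] = value.strip("[]").strip()  # "[]" and "[ ]" both mean empty
    return {"rdn": m.group("rdn"),
            "rdn_mapped": m.group("rdn") in filled,  # False: no mapper supplies the RDN attribute
            "missing": sorted(k for k, v in filled.items() if not v),
            "present": {k: v for k, v in filled.items() if v}}

# Constructed sample lines modelled on the ones quoted in the thread (DN values are placeholders).
PASSWORD_LINE = ("Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
                 "0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n"
                 "]; remaining name 'CN=x,OU=Sandbox,DC=example,DC=test'")
CREATE_LINE = ("Could not create user: org.keycloak.models.ModelException: RDN Attribute [cn] is not "
               "filled. Filled attributes: {whenChanged=[], whenCreated=[], mail=[], "
               "sAMAccountName=[u_klc], displayName=[], givenName=[ ], sn=[ ]}")
```

For the thread's create-user failure the report shows that cn is not among the filled attributes at all, so no mapper is populating the RDN attribute, which is a separate problem from the LDAPS one behind the password reset.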