Details

    • Steps to Reproduce:
      • Bind a new LDAP in mode UNSYNCED
      • Get a token for this user
      • Update the profile using POST {keycloakBaseUrl}/auth/realms/{realmName}/account

      • Get the profile
        => 401 error

      Or alternatively:

      • Launch the embedded Apache DS LDAP server from the ldap example,
      • Configure LDAP federation provider:
        • Import Users: ON
        • Edit Mode: UNSYNCED
        • Vendor: Other
        • Connection URL: ldap://localhost:10389
        • Users DN: ou=People,dc=keycloak,dc=org
        • Bind DN: uid=bwilson,ou=People,dc=keycloak,dc=org
        • Bind Credential: password
        • Keep the rest of the options to their default values, click Save, followed by clicking Synchronize all users
      • Create some client to test the account REST access (curl-client was used in the following example):
        • Clients -> click Create, specify "curl-client" as Client ID, click Save
        • Set Standard Flow Enabled -> OFF, Access Type -> Confidential
        • Enable Service Accounts Enabled, keep the rest of the options at their default values, click Save
        • From the Credentials tab get the value of the Secret field, and use it as the secret of the client to obtain the access token (edit the value of the SECRET variable in the attached KEYCLOAK-12811-update-only-user-ldapid-poc.sh script to the retrieved value)
        • Run the attached KEYCLOAK-12811-update-only-user-ldapid-poc.sh script
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Update both the LDAP_ID and LDAP_ENTRY_DN attributes in one POST account request.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      When updating the account of a federated user, the call POST {keycloakBaseUrl}/auth/realms/{realmName}/account is successful, but in the background the account is deleted from the Keycloak local database and the session is no longer valid (getting 401 on further requests). The logs contain the following entry:

      13:23:49,958 WARN  [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-396) LDAP User invalid. ID doesn't match. ID from LDAP [0011j00000VaiLWAAZ], LDAP ID from local DB: [null]

      The LDAP ID is available in the local Keycloak db as an attribute though:
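      The workaround from this issue (send LDAP_ID and LDAP_ENTRY_DN in the same POST .../account body so the federated user keeps its link to the directory entry) as an added client-side helper; this is example code, not part of the issue or of the attached KEYCLOAK-12811-update-only-user-ldapid-poc.sh script. The shape of the GET .../account representation (top-level profile fields plus an "attributes" map of string lists), the sample values and the function names are assumptions.

```python
import json
import urllib.request

# Attributes the LDAP storage provider compares against the directory entry.
# The issue's workaround is to send both in the same POST .../account body;
# an update that leaves LDAP_ID empty ends in the logged
# "LDAP User invalid. ID doesn't match ... LDAP ID from local DB: [null]".
LDAP_LINK_ATTRS = ("LDAP_ID", "LDAP_ENTRY_DN")


def missing_ldap_link(body):
    """Return the LDAP link attributes that are absent or empty in an account body."""
    attrs = body.get("attributes") or {}
    return [a for a in LDAP_LINK_ATTRS if not attrs.get(a)]


def build_account_update(current, changes):
    """Merge profile changes into the representation returned by GET .../account
    (assumed shape: top-level profile fields plus an "attributes" map of string
    lists) while carrying over LDAP_ID and LDAP_ENTRY_DN, so the federated user
    is not unlinked by the update. Raises if the link attributes cannot be kept."""
    body = dict(current)
    body.update({k: v for k, v in changes.items() if k != "attributes"})
    attrs = dict(current.get("attributes") or {})
    attrs.update(changes.get("attributes") or {})
    body["attributes"] = attrs
    missing = missing_ldap_link(body)
    if missing:
        raise ValueError(f"refusing to POST account update without {missing}")
    return body


def post_account_update(base_url, realm, token, body):
    """POST the merged body to {base_url}/auth/realms/{realm}/account.
    Not called below: it needs a live Keycloak and a bearer token for the user."""
    req = urllib.request.Request(
        f"{base_url}/auth/realms/{realm}/account",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample of a GET .../account response for the imported user.
    current = {"username": "bwilson", "firstName": "Bruce", "lastName": "Wilson",
               "attributes": {"LDAP_ID": ["ldap-uuid-placeholder"],
                              "LDAP_ENTRY_DN": ["uid=bwilson,ou=People,dc=keycloak,dc=org"]}}
    print(missing_ldap_link({"firstName": "Bruce"}))  # ['LDAP_ID', 'LDAP_ENTRY_DN']
    print(json.dumps(build_account_update(current, {"lastName": "Willis"})))
```

A body built from only the changed profile fields is rejected by the helper before it is sent, which is the case the log entry above corresponds to.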

              People

              • Assignee: iankko Ján Lieskovský
              • Reporter: mathiasbu Mathias Büschi