Keycloak issue KEYCLOAK-12842

Updating federated LDAP user fails if DN contains an RDN with an = character

    Details

    • Steps to Reproduce:
      Sync a federated LDAP user that has an equals character in an RDN of the DN.
      Attempt to update the user.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Given an LDAP user with the following DN (a multi-valued RDN, cn and uid joined by +):

      cn=Some One+uid=111222,ou=users,dc=mycompany,dc=com

      When the user is synced with Keycloak, the user attribute LDAP_ENTRY_DN holds the truncated value:

      cn=Some One+uid,ou=users,dc=mycompany,dc=com

      An attempt to update the user then results in the following exception:

      13:28:19,208 WARN  [org.keycloak.services.resources.admin.UserResource] (default task-43) Could not update user!: org.keycloak.models.ModelException: Could not rename entry from DN [cn=Some One+uid,ou=users,dc=mycompany,dc=com] to new DN [cn=Some One,ou=users,dc=mycompany,dc=com]                               
              at org.keycloak.keycloak-ldap-federation@8.0.1//org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.renameEntry(LDAPOperationManager.java:234)                                   
              at org.keycloak.keycloak-ldap-federation@8.0.1//org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.checkRename(LDAPIdentityStore.java:185)                                         
              at org.keycloak.keycloak-ldap-federation@8.0.1//org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:146)                                              
              at org.keycloak.keycloak-ldap-federation@8.0.1//org.keycloak.storage.ldap.mappers.LDAPTransaction.commitImpl(LDAPTransaction.java:48)                                                      
              at org.keycloak.keycloak-server-spi@8.0.1//org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:48)                                                     
              at org.keycloak.keycloak-services@8.0.1//org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:146)                                        
              at org.keycloak.keycloak-services@8.0.1//org.keycloak.services.resources.admin.UserResource.updateUser(UserResource.java:180)                                                              

      The cause lies in the LDAPDn.fromString method: each RDN is split on every unescaped = character, so for cn=Some One+uid=111222 the split yields three parts and only the first two (cn and Some One+uid) are kept; the value 111222 is dropped.

      The issue can be corrected by passing a limit of 2 to String.split, so the regex is applied at most once per RDN and everything after the first unescaped = stays in the value. Change:

      public static LDAPDn fromString(String dnString) {
          LDAPDn dn = new LDAPDn();
          String[] rdns = dnString.split("(?<!\\\\),");
          for (String entryStr : rdns) {
              // Unbounded split: a second unescaped '=' inside the RDN value
              // produces a third array element, which is silently discarded below.
              String[] rdn = entryStr.split("(?<!\\\\)=");
              if (rdn.length > 1) {
                  dn.addLast(rdn[0].trim(), rdn[1].trim());
              }
          }
          return dn;
      }

      To:

      public static LDAPDn fromString(String dnString) {
          LDAPDn dn = new LDAPDn();
          String[] rdns = dnString.split("(?<!\\\\),");
          for (String entryStr : rdns) {
              // Apply pattern once (limit - 1). Last entry of array will contain
              // all characters beyond the first match.
              String[] rdn = entryStr.split("(?<!\\\\)=", 2);
              if (rdn.length > 1) {
                  dn.addLast(rdn[0].trim(), rdn[1].trim());
              }
          }
          return dn;
      }
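      The following is an added stand-alone Java example, not Keycloak's code: it reproduces both split behaviours on the DN from this description and adds a round-trip check (rebuild the DN from the parsed pairs and compare it to the input) that flags the truncation. The class and method names are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Keycloak's code: a minimal stand-in for LDAPDn.fromString.
public class DnSplitDemo {

    // Parses "attr=value" pairs from a DN. With limit <= 0 the split on '=' is
    // unbounded (the reported bug); with limit == 2 the regex is applied once per RDN.
    static List<String[]> parse(String dnString, int limit) {
        List<String[]> rdns = new ArrayList<>();
        for (String entryStr : dnString.split("(?<!\\\\),")) {      // split on unescaped ','
            String[] rdn = limit > 0
                    ? entryStr.split("(?<!\\\\)=", limit)            // split on unescaped '='
                    : entryStr.split("(?<!\\\\)=");
            if (rdn.length > 1) {
                rdns.add(new String[] { rdn[0].trim(), rdn[1].trim() });
            }
        }
        return rdns;
    }

    // Rebuilds the DN string from the parsed pairs.
    static String rebuild(List<String[]> rdns) {
        StringBuilder sb = new StringBuilder();
        for (String[] rdn : rdns) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(rdn[0]).append('=').append(rdn[1]);
        }
        return sb.toString();
    }

    // Defensive check: a parser that drops characters cannot reproduce its input.
    // Assumes the input has no whitespace around commas, as in the DN from the report.
    static boolean roundTrips(String dnString, int limit) {
        return rebuild(parse(dnString, limit)).equals(dnString);
    }

    public static void main(String[] args) {
        // Constructed input: the DN from the issue description.
        String dn = "cn=Some One+uid=111222,ou=users,dc=mycompany,dc=com";
        System.out.println("unbounded split: " + rebuild(parse(dn, 0))
                + "  round-trips=" + roundTrips(dn, 0));
        System.out.println("limit 2        : " + rebuild(parse(dn, 2))
                + "  round-trips=" + roundTrips(dn, 2));
    }
}
```

      With the unbounded split the rebuilt DN matches the truncated LDAP_ENTRY_DN shown above and the round-trip check fails; with limit 2 the DN is reproduced exactly.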

        Attachments

          1. docker-compose.yml (0.9 kB)
          2. user.ldif (0.3 kB)

        People

          • Assignee: iankko Ján Lieskovský
          • Reporter: timtobin52 Timothy Tobin
          • Votes: 0
          • Watchers: 2