Keycloak / KEYCLOAK-12912

javax.naming.NameAlreadyBoundException exception in LDAPIdentityStore when syncing existing groups

    Details

    • Steps to Reproduce:
      • In the SAML identity provider config, I use the 'SAML Attribute to Role' mapper to map an assertion attribute to a user role. I set up 2 similar mappers to map 2 roles.
      • In the User Federation config, I use 'role-ldap-mapper' to map the user role to LDAP groups, and sync the user's membership back to the AD.
      • Log in the first time: everything works as expected.
      • Log in a second time (and onward) with the same user and encounter the exception as described.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I have a setup to sync Identity Broker to LDAP federation:

      • In the SAML identity provider config, I use the 'SAML Attribute to Role' mapper to map an assertion attribute to a user role. I set up 2 similar mappers to map 2 roles.
      • In the User Federation config, I use 'role-ldap-mapper' to map the user role to LDAP groups, and sync the user's membership back to the AD.

      The problem I experience:

      • In the first login, the user successfully logged in through the broker IDP, and the account was created successfully in the federated LDAP with the correct memberships.
      • However, in the second login of the same user, I ran into an exception:
      2020-02-05 16:34:05,244 DEBUG [io.undertow.request.security] (default task-47) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@114f72e2 for /auth/resources/2361h/login/axi
      Caused by: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=Civil,OU=x,DC=x,DC=x]
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.addMemberToGroup(LDAPIdentityStore.java:117)
              at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:174)
              at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:264)
              at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:383)
              at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:325)
              at org.keycloak.broker.saml.mappers.AttributeToRoleMapper.updateBrokeredUser(AttributeToRoleMapper.java:147)
              at org.keycloak.services.resources.IdentityBrokerService.updateFederatedIdentity(IdentityBrokerService.java:993)
              at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:595)
              at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:485)
              ... 75 more
      Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A11D7, problem 6005 (ENTRY_EXISTS), data 0]; remaining name 'CN=Civil,OU=x,DC=x,DC=x'
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
              at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
              at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
              at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
              at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:576)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:572)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:698)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:678)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributesNaming(LDAPOperationManager.java:572)
              at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.addMemberToGroup(LDAPIdentityStore.java:113)
              ... 83 more

      The screen results in Internal Server Error.

      In this case, I think it is safe to handle the existing entries exception.

      Can you please confirm this bug? I can submit a PR if confirmed.

      Thank you for taking a look!
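As an added illustration of the handling proposed in this report (this is not Keycloak's LDAPIdentityStore code; the class and method names are assumptions), the JNDI helper below treats the "member value already present" result as success, but only after confirming the membership actually exists, so a genuine conflict is not silently hidden:

```java
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.AttributeInUseException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;

// Illustrative helper written for this report; class/method names are assumptions.
public final class IdempotentGroupMember {

    // Adds userDn to groupDn's "member" attribute. A second call for the same
    // user (the second login in the report) must not fail with a 500.
    public static void addMember(DirContext ctx, String groupDn, String userDn)
            throws NamingException {
        Attributes mods = new BasicAttributes();
        mods.put(new BasicAttribute("member", userDn));
        try {
            ctx.modifyAttributes(groupDn, DirContext.ADD_ATTRIBUTE, mods);
        } catch (NameAlreadyBoundException | AttributeInUseException e) {
            // AD reports a duplicate member as LDAP result 68 (ENTRY_EXISTS), which
            // JNDI maps to NameAlreadyBoundException; other servers use result 20
            // (attributeOrValueExists), mapped to AttributeInUseException.
            // Verify the membership really exists before treating this as success.
            if (!isMember(ctx, groupDn, userDn)) {
                throw e;
            }
        }
    }

    // Reads the group's member values and looks for userDn. The comparison is a
    // simplified case-insensitive string match, not full DN normalisation.
    public static boolean isMember(DirContext ctx, String groupDn, String userDn)
            throws NamingException {
        Attributes attrs = ctx.getAttributes(groupDn, new String[] {"member"});
        Attribute member = attrs.get("member");
        if (member == null) {
            return false;
        }
        for (int i = 0; i < member.size(); i++) {
            if (userDn.equalsIgnoreCase(String.valueOf(member.get(i)))) {
                return true;
            }
        }
        return false;
    }
}
```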

              People

              • Assignee:
                iankko Ján Lieskovský
                Reporter:
                qnn Quynh Nguyen