Keycloak / KEYCLOAK-14248

Keycloak should throw an error when attempt to register user to LDAP with empty RDN attribute (was: Unable to register a user on RH-SSO with LDAP error code 68)

    Details

    • Steps to Reproduce:

      1. start openldap:

      $ sudo docker run -p 1389:389 --name my-openldap --detach osixia/openldap:1.3.0
      

      2. start RH-SSO

      3. import the ldaprealm using the attached

      4. add a 1st user with empty first name:

      username: user1
      firstname: (empty)
      

      5. add a 2nd user with non-empty first name:

      username: user2
      firstname: user2
      
    • Workaround Description:

      workaround:

      1. stop RH-SSO

      2. identify wrong data in the USER_ATTRIBUTE table

      MariaDB [RHSSO730]> select * from USER_ATTRIBUTE;
      ERROR 2006 (HY000): MySQL server has gone away
      No connection. Trying to reconnect...
      Connection id:    8
      Current database: RHSSO730
      
      +---------------+--------------------------+--------------------------------------+--------------------------------------+
      | NAME          | VALUE                    | USER_ID                              | ID                                   |
      +---------------+--------------------------+--------------------------------------+--------------------------------------+
      | LDAP_ID       | cn=\20,dc=example,dc=org | 115073d2-d844-4054-8eaa-0f2d9925f943 | 16c1fdcf-41d5-4959-940d-e0cc77632191 |
      | LDAP_ENTRY_DN | cn=\20,dc=example,dc=org | 115073d2-d844-4054-8eaa-0f2d9925f943 | 4a6689d4-407b-43a4-a243-816f39d6ec01 |
      +---------------+--------------------------+--------------------------------------+--------------------------------------+
      2 rows in set (0.082 sec)
      

      3. remove wrong data

      MariaDB [RHSSO730]> delete from USER_ATTRIBUTE where USER_ID="115073d2-d844-4054-8eaa-0f2d9925f943";
      Query OK, 2 rows affected (0.007 sec)
      
      MariaDB [RHSSO730]> commit;
      Query OK, 0 rows affected (0.000 sec)
      

      4. identify the wrong LDAP entry

      $ ldapsearch -v -x -H ldap://localhost:1389/ -D cn=admin,dc=example,dc=org -w admin -b dc=example,dc=org dn
      ldap_initialize( ldap://localhost:1389/??base )
      filter: (objectclass=*)
      requesting: dn 
      # extended LDIF
      #
      # LDAPv3
      # base <dc=example,dc=org> with scope subtree
      # filter: (objectclass=*)
      # requesting: dn 
      #
      
      # example.org
      dn: dc=example,dc=org
      
      # admin, example.org
      dn: cn=admin,dc=example,dc=org
      
      # \20, example.org
      dn: cn=\20,dc=example,dc=org
      
      # search result
      search: 2
      result: 0 Success
      

      5. delete the entry

      $ ldapdelete -v -x -H ldap://localhost:1389/ -D cn=admin,dc=example,dc=org -w admin
      ldap_initialize( ldap://localhost:1389/??base )
      cn=\20,dc=example,dc=org
      deleting entry "cn=\20,dc=example,dc=org"
      
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Updated description

      When there is an attempt to add (or register) a new user from Keycloak and "Sync registrations" is ON for the LDAP provider, Keycloak should check that the value of the LDAP provider's RDN LDAP attribute is non-empty, and it should fail to register the user if that value is empty. In other words, it shouldn't be possible to successfully create an LDAP user with an empty RDN such as "cn= ,ou=users,dc=keycloak,dc=org".

      Old description

      Unable to register a user on RH-SSO with LDAP error code 68:

      2020-05-20 16:58:44,607 WARN  [org.keycloak.services.resources.admin.UsersResource] (default task-4) Could not create user: org.keycloak.models.ModelException: Error creating subcontext [cn=\ ,dc=example,dc=org]
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:617)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:96)
      	at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
      	at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:269)
      	at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:147)
      	at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:768)
      	at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:117)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
      	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
      	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
      	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
      	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
      	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
      	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
      	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
      	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
      	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
      	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=\ ,dc=example,dc=org'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
      	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
      	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
      	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:599)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:596)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:746)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:729)
      	at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:596)
      	... 79 more
      

        People

        • Assignee: Unassigned
        • Reporter: hisanobu.okuda (Hisanobu Okuda)
        • Votes: 0
        • Watchers: 4