Keycloak / KEYCLOAK-14998

Unable to Assign Role for LDAP Federated Users (Readonly Mode)

    Details

    • Steps to Reproduce:
      1. Set up User Federation
      2. Add Provider: select ldap
      3. Fill in the following configuration:
           Setting                    Value
           Import users               ON
           Edit Mode                  READ_ONLY
           Sync Registrations         OFF
           Vendor                     Active Directory
           Username LDAP attribute    sAMAccountName
           RDN LDAP attribute         cn
           UUID LDAP attribute        objectGUID
           User Object Classes        person, organizationalPerson, user
           Bind Type                  simple
      4. Create a client, example: contoh
      5. Create a client role, example: contoh_admin
      6. Open the Users menu and edit one of the LDAP users
      7. Go to the Role Mappings tab
      8. Select the contoh client from the Client roles dropdown
      9. Select one of the available roles
      10. Click the Add selected button
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      After upgrading Keycloak from version 10.0.2 to 11.0.0, we are unable to assign roles to LDAP users, and the following error message is shown

      Here is the configuration:

      Setting                    Value
      Import users               ON
      Edit Mode                  READ_ONLY
      Sync Registrations         OFF
      Vendor                     Active Directory
      Username LDAP attribute    sAMAccountName
      RDN LDAP attribute         cn
      UUID LDAP attribute        objectGUID
      User Object Classes        person, organizationalPerson, user
      Bind Type                  simple

      Here is the error log from the server.log file:


      // log
      2020-08-04 15:45:40,532 WARN  [org.keycloak.services.resources.admin.ClientRoleMappingsResource] (default task-2606) Not possible to write 'role mapping for role useradmin' when updating user 'iei12364': org.keycloak.storage.ReadOnlyException: Not possible to write 'role mapping for role useradmin' when updating user 'iei12364'
              at org.keycloak.models.utils.ReadOnlyUserModelDelegate.readOnlyException(ReadOnlyUserModelDelegate.java:146)
              at org.keycloak.models.utils.ReadOnlyUserModelDelegate.grantRole(ReadOnlyUserModelDelegate.java:141)
              at org.keycloak.models.utils.UserModelDelegate.grantRole(UserModelDelegate.java:179)
              at org.keycloak.models.utils.UserModelDelegate.grantRole(UserModelDelegate.java:179)
              at org.keycloak.models.utils.UserModelDelegate.grantRole(UserModelDelegate.java:179)
              at org.keycloak.models.utils.UserModelDelegate.grantRole(UserModelDelegate.java:179)
              at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:317)
              at org.keycloak.services.resources.admin.ClientRoleMappingsResource.addClientRoleMapping(ClientRoleMappingsResource.java:186)
              at sun.reflect.GeneratedMethodAccessor1026.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
              at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
              at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
              at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
              at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
              at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
              at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
              at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
              at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
              at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
              at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
              at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
              at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
              at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
              at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
              at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
              at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
              at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
              at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
              at org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
              at org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
              at org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
              at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
              at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
              at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
              at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
              at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
              at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
              at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
              at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
              at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
              at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
              at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
              at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
              at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
              at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
              at java.lang.Thread.run(Thread.java:748)
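
To find every role grant that was rejected this way (for instance when reconciling intended access after the 10.0.2 to 11.0.0 upgrade), the WARN lines can be parsed out of server.log. This is an added example, not part of the original report or of Keycloak's code; the function names are hypothetical and the sample log is constructed, with only the first entry mirroring the line quoted above.

```python
import re
from collections import defaultdict

def _warn(ts, role, user):
    """Build a WARN line in the format of the server.log excerpt above."""
    msg = (f"Not possible to write 'role mapping for role {role}' "
           f"when updating user '{user}'")
    return (f"{ts} WARN  [org.keycloak.services.resources.admin."
            f"ClientRoleMappingsResource] (default task-1) {msg}: "
            f"org.keycloak.storage.ReadOnlyException: {msg}")

# Constructed sample: the first entry mirrors the report, the rest is made up.
SAMPLE_LOG = "\n".join([
    _warn("2020-08-04 15:45:40,532", "useradmin", "iei12364"),
    "\tat org.keycloak.models.utils.ReadOnlyUserModelDelegate"
    ".readOnlyException(ReadOnlyUserModelDelegate.java:146)",
    "\tat org.keycloak.models.utils.ReadOnlyUserModelDelegate"
    ".grantRole(ReadOnlyUserModelDelegate.java:141)",
    "2020-08-04 15:46:02,101 INFO  [constructed.logger] (default task-2) unrelated",
    _warn("2020-08-04 15:47:13,008", "contoh_admin", "iei12364"),
])

EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+\[[^\]]+\].*?"
    r"Not possible to write 'role mapping for role (?P<role>[^']+)' "
    r"when updating user '(?P<user>[^']+)': org\.keycloak\.storage\.ReadOnlyException")
FRAME = re.compile(r"^\s+at (?P<method>[\w.$]+)\(")

def find_blocked_grants(log_text):
    """Return one dict per rejected role grant, with the model call that refused it."""
    events, current = [], None
    for line in log_text.splitlines():
        event, frame = EVENT.match(line), FRAME.match(line)
        if event:
            current = dict(event.groupdict(), operation=None)
            events.append(current)
        elif frame and current is not None:
            # Skip the exception-factory helper; keep the first real operation frame.
            if current["operation"] is None and not frame["method"].endswith(".readOnlyException"):
                current["operation"] = frame["method"]
        else:
            current = None  # any non-frame line ends the current stack trace
    return events

def blocked_roles_by_user(events):
    """Group rejected roles per user so the intended grants can be reviewed."""
    grouped = defaultdict(set)
    for e in events:
        grouped[e["user"]].add(e["role"])
    return {user: sorted(roles) for user, roles in grouped.items()}
```
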
      

       

       

       


              People

              • Assignee: Marek Posolda (mposolda)
              • Reporter: Ahmad Masykur (amasykur)
              • Votes: 0
              • Watchers: 3
