Loading...

Type: Bug
Resolution: Obsolete
Priority: Major
Fix Version/s: None
Affects Version/s: RH-SSO-7.4.7, RH-SSO-7.4.6
Component/s: OpenShift - xPaaS
Labels:
None

Blocked:
False
Ready:
False

Steps to Reproduce:

Hide

1) Create a user federation. Make sure to sync to see if everything is ok
2) Go to Users page and edit the last name of a user mapped from LDAP and hit Save
3) Try to modify the same field (or a different one) and hit save again. You'll see the messages I shared previously

Additional Observations:
1. This issue doesn't affect RH-SSO 7.4.0 with RHDS.
2. This issue doesn't affect RH-SSO 7.4.6+ ApacheDS -- multiple subsequent user fields change requests are processed correctly.
3. This issue affects RH-SSO 7.4.6+ with both possible variants / vendors of LDAP UFP (Active Directory, Red Hat Directory Server).
Successfully reproduced the problem with RH DS (see below(, and also Active Directory service configured on top of Windows Server 2016.
4. In RH-SSO 7.4.6+ while subsequent (2+ edits) doesn't work in the RH-SSO administrator console. It's possible (subsequently) to edit user details in the account console of the particular user.

Please see more detailed steps to reproduce below as follows:

How Reproducible:
Always

Steps To Reproduce:
1. Ensure the hostname of the Red Hat Directory Server's (RHDS) host is properly resolving (looks proper IPA
server install below assumes this):

[root@rhel7 ~]# hostname -f
rhel7.9.example.com

2. Add IP address of the RHDS host into the /etc/hosts file of the RHDS host:

[root@rhel7 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.122.14 rhel7.9.example.com

3. Install and configure the Red Hat Directory Server on that host
(used FreeIPA, version: 4.6.8 in my setup):

# yum install ipa-server bind-dyndb-ldap -y
# rpm -q ipa-server bind-dyndb-ldap
ipa-server-4.6.8-5.el7_9.5.x86_64
bind-dyndb-ldap-11.1-7.el7.x86_64
# ipa-server-install

4. Once RHDS installed, add system firewalld exceptions for the following ports:

...
Please add records in this file to your DNS system: /tmp/ipa.system.records.vTBaPz.db
=======================================================================
Setup complete

Next steps:
	 1. You must make sure these network ports are open:
		 TCP Ports:
		   * 80, 443: HTTP/HTTPS
		   * 389, 636: LDAP/LDAPS
		   * 88, 464: kerberos
		 UDP Ports:
		   * 88, 464: kerberos
		   * 123: ntp

	 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	    and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

5. Visit the:

http://rhel7.9.example.com:80/ipa/ui/

page and sign-in using's RHDS's admin user's credentials.

6. Add some new users to RHDS, which will be used for testing. On the Identity tab,
click Users tab, select Active users entry on the left sidebar. In the upper right corner
of the table, which gets displayed, click the Add button. Enter necessary user
information. See table below for an example entry:

Field Name:	Entered Value:	Comment:
User login:	jdoe
First name *:	John
Last name *:	Doe
Class:	top,person,organizationalPerson,inetOrgPerson
No private group	[]	/* Keep the default, unchecked state */
GID:	editors	/* Choose some value here, e.g. editors */
New Password	redhat
Verify Password	redhat

Upon entering the values, click either Add or Add and Add Another button.
Repeat this step as many times as needed to add more testing users.

7. (Optional) Verify via e.g the ldapsearch tool the RHDS LDAP service is accessible:

$ ldapsearch -x -b dc=9,dc=example,dc=com -H ldap://rhel7.9.example.com | head -10
# extended LDIF
#
# LDAPv3
# base <dc=9,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# users, compat, 9.example.com
dn: cn=users,cn=compat,dc=9,dc=example,dc=com

8 Start the RH-SSO server using the standalone.xml configuration file:

$ cd rh-sso-7.4/
$ ls
bin  docs  domain  JBossEULA.txt  jboss-modules.jar  LICENSE.txt  modules  standalone
themes  version.txt  welcome-content
$ cd bin/
$ ./standalone.sh

9. Configure new LDAP user federation provider in RH-SSO server. In the RH-SSO admin
console, click User Federation on the left sidebar. choose ldap, and enter values as
follows (where appropriate, adjust the hostname of the RHDS server as necessary):

Field Name:	Entered Value:	Comment
Edit Mode:	WRITABLE
Vendor:	Red Hat Directory Server
UUID LDAP attribute:	uidNumber	Change the default nsuniqueid to uidNumber
Connection URL:	ldap://rhel7.9.example.com:389	After entering the LDAP connection URL below, you might want to click the Test connection button to verify the connection works
Users DN:	cn=users,cn=accounts,dc=9,dc=example,dc=com
Bind DN:	uid=admin,cn=users,cn=compat,dc=9,dc=example,dc=com	In the Bind DN entry below, ensure to provide uid of the RHDS's user, who has the admin privilege, so you won't encounter error messages like: "Insufficient write privilege..." later, when trying to update some user's attribute.
Bind Credential:	redhatredhat	Provide RHDS admin password here. Possibly click Test Authentication button to verify the authentication succeeded.

Keep the other fields to their default values. Click the Save button.

9. Click Synchronize all users button to import users from RHDS to RH-SSO.
Confirm some users got properly imported form RHDS to RH-SSO.

10. In the left sidebar, click Users entry under the Manage tab. Click View all users
button. In the displayed table, choose some user imported form RHDS. Click Edit
button.

11. Edit some user characteristics (e.g. Email, First Name, Last Name etc.). Click
Save. Notice how the user is properly edited / changed.

12. On the same page edit some user characteristics again. Upon entering the changed
value, click the Save button again. Notice how the request to update user fails this
time with the error message like:

  Error! Could not update user! See server log for more details X

And server log contains entry like:

   ...
   11:12:41,846 WARN  [org.keycloak.userprofile.validation.StaticValidators] (default task-6)
   Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson'
   11:12:41,846 WARN  [org.keycloak.userprofile.validation.StaticValidators] (default task-6)
   Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson'
   11:12:41,846 WARN  [org.keycloak.services.resources.admin.UserResource] (default
    task-6) Failed to update attribute modifyTimestamp:
    updateReadOnlyAttributesRejectedMessage,
    updateReadOnlyAttributesRejectedMessage, 
   ...

Show

1) Create a user federation. Make sure to sync to see if everything is ok 2) Go to Users page and edit the last name of a user mapped from LDAP and hit Save 3) Try to modify the same field (or a different one) and hit save again. You'll see the messages I shared previously Additional Observations: 1. This issue doesn't affect RH-SSO 7.4.0 with RHDS . 2. This issue doesn't affect RH-SSO 7.4.6+ ApacheDS -- multiple subsequent user fields change requests are processed correctly. 3. This issue affects RH-SSO 7.4.6+ with both possible variants / vendors of LDAP UFP ( Active Directory , Red Hat Directory Server ) . Successfully reproduced the problem with RH DS (see below(, and also Active Directory service configured on top of Windows Server 2016 . 4. In RH-SSO 7.4.6+ while subsequent (2+ edits) doesn't work in the RH-SSO administrator console. It's possible (subsequently) to edit user details in the account console of the particular user. Please see more detailed steps to reproduce below as follows: How Reproducible: Always Steps To Reproduce: 1. Ensure the hostname of the Red Hat Directory Server 's (RHDS) host is properly resolving (looks proper IPA server install below assumes this): [root@rhel7 ~]# hostname -f rhel7.9.example.com 2. Add IP address of the RHDS host into the /etc/hosts file of the RHDS host: [root@rhel7 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.122.14 rhel7.9.example.com 3. Install and configure the Red Hat Directory Server on that host (used FreeIPA, version: 4.6.8 in my setup): # yum install ipa-server bind-dyndb-ldap -y # rpm -q ipa-server bind-dyndb-ldap ipa-server-4.6.8-5.el7_9.5.x86_64 bind-dyndb-ldap-11.1-7.el7.x86_64 # ipa-server-install 4. Once RHDS installed, add system firewalld exceptions for the following ports: ... Please add records in this file to your DNS system: /tmp/ipa.system.records.vTBaPz.db ======================================================================= Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password 5. Visit the: http://rhel7.9.example.com:80/ipa/ui/ page and sign-in using's RHDS's admin user's credentials. 6. Add some new users to RHDS, which will be used for testing. On the Identity tab, click Users tab, select Active users entry on the left sidebar. In the upper right corner of the table, which gets displayed, click the Add button. Enter necessary user information. See table below for an example entry: Field Name: Entered Value: Comment: User login: jdoe First name *: John Last name *: Doe Class: top,person,organizationalPerson,inetOrgPerson No private group [] /* Keep the default, unchecked state */ GID: editors /* Choose some value here, e.g. editors */ New Password redhat Verify Password redhat Upon entering the values, click either Add or Add and Add Another button. Repeat this step as many times as needed to add more testing users. 7. (Optional) Verify via e.g the ldapsearch tool the RHDS LDAP service is accessible: $ ldapsearch -x -b dc=9,dc=example,dc=com -H ldap://rhel7.9.example.com | head -10 # extended LDIF # # LDAPv3 # base <dc=9,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # users, compat, 9.example.com dn: cn=users,cn=compat,dc=9,dc=example,dc=com 8 Start the RH-SSO server using the standalone.xml configuration file: $ cd rh-sso-7.4/ $ ls bin docs domain JBossEULA.txt jboss-modules.jar LICENSE.txt modules standalone themes version.txt welcome-content $ cd bin/ $ ./standalone.sh 9. Configure new LDAP user federation provider in RH-SSO server. In the RH-SSO admin console, click User Federation on the left sidebar. choose ldap , and enter values as follows (where appropriate, adjust the hostname of the RHDS server as necessary): Field Name: Entered Value: Comment Edit Mode: WRITABLE Vendor: Red Hat Directory Server UUID LDAP attribute: uidNumber Change the default nsuniqueid to uidNumber Connection URL: ldap://rhel7.9.example.com:389 After entering the LDAP connection URL below, you might want to click the Test connection button to verify the connection works Users DN: cn=users,cn=accounts,dc=9,dc=example,dc=com Bind DN: uid=admin,cn=users,cn=compat,dc=9,dc=example,dc=com In the Bind DN entry below, ensure to provide uid of the RHDS's user, who has the admin privilege, so you won't encounter error messages like: "Insufficient write privilege..." later, when trying to update some user's attribute. Bind Credential: redhatredhat Provide RHDS admin password here. Possibly click Test Authentication button to verify the authentication succeeded. Keep the other fields to their default values. Click the Save button. 9. Click Synchronize all users button to import users from RHDS to RH-SSO. Confirm some users got properly imported form RHDS to RH-SSO. 10. In the left sidebar, click Users entry under the Manage tab. Click View all users button. In the displayed table, choose some user imported form RHDS. Click Edit button. 11. Edit some user characteristics (e.g. Email , First Name , Last Name etc.). Click Save . Notice how the user is properly edited / changed. 12. On the same page edit some user characteristics again. Upon entering the changed value, click the Save button again. Notice how the request to update user fails this time with the error message like: Error! Could not update user! See server log for more details X And server log contains entry like: ... 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.services.resources.admin.UserResource] (default task-6) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage, updateReadOnlyAttributesRejectedMessage, ...

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

In RHSSO 7.4.0 if you create an LDAP federation and then enable sync registration, when a user is created and you go to Users screen to change some attributes, it works fine.

Starting in RHSSO 7.4.5 some errors are thrown when updating an attribute (like Last name, for example). And then when it goes to 7.4.6, we're able to modify an attribute but just once, if they want to update again they need to refresh the page else RHSSO shows a warning:

~~~
15:48:01,187 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-7) Attempt to edit denied attribute 'modifyTimestamp' of user 'user2'
15:48:01,188 WARN [org.keycloak.services.resources.admin.UserResource] (default task-7) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage, updateReadOnlyAttributesRejectedMessage,
~~~

This happens using RHDS, not tested wih Active Directory.

Workaround: refreshing the page or setting Always read from LDAP to false in attributes for the modifyTimestamp field.

mentioned on

Merge request - RHSSO-2091 Operator fails to upgrade to 7.6.0 GA with the error "FAILED Update...

Merge request - Updating RPM upgrade procedure

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates