Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-1887

Attempt to edit attribute denied in RHSSO 7.4.6

    XMLWordPrintable

Details

    • Bug
    • Status: Backlog
    • Major
    • Resolution: Unresolved
    • RH-SSO-7.4.7, RH-SSO-7.4.6
    • None
    • OpenShift - xPaaS
    • None
    • Hide

      1) Create a user federation. Make sure to sync to see if everything is ok
      2) Go to Users page and edit the last name of a user mapped from LDAP and hit Save
      3) Try to modify the same field (or a different one) and hit save again. You'll see the messages I shared previously

      Additional Observations:
      1. This issue doesn't affect RH-SSO 7.4.0 with RHDS.
      2. This issue doesn't affect RH-SSO 7.4.6+ ApacheDS -- multiple subsequent user fields change requests are processed correctly.
      3. This issue affects RH-SSO 7.4.6+ with both possible variants / vendors of LDAP UFP (Active Directory, Red Hat Directory Server).
      Successfully reproduced the problem with RH DS (see below(, and also Active Directory service configured on top of Windows Server 2016.
      4. In RH-SSO 7.4.6+ while subsequent (2+ edits) doesn't work in the RH-SSO administrator console. It's possible (subsequently) to edit user details in the account console of the particular user.

      Please see more detailed steps to reproduce below as follows:

      How Reproducible:
      Always

      Steps To Reproduce:
      1. Ensure the hostname of the Red Hat Directory Server's (RHDS) host is properly resolving (looks proper IPA
      server install below assumes this):

      [root@rhel7 ~]# hostname -f
      rhel7.9.example.com
      

      2. Add IP address of the RHDS host into the /etc/hosts file of the RHDS host:

      [root@rhel7 ~]# cat /etc/hosts
      127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
      192.168.122.14 rhel7.9.example.com
      

      3. Install and configure the Red Hat Directory Server on that host
      (used FreeIPA, version: 4.6.8 in my setup):

      # yum install ipa-server bind-dyndb-ldap -y
      # rpm -q ipa-server bind-dyndb-ldap
      ipa-server-4.6.8-5.el7_9.5.x86_64
      bind-dyndb-ldap-11.1-7.el7.x86_64
      # ipa-server-install
      

      4. Once RHDS installed, add system firewalld exceptions for the following ports:

      ...
      Please add records in this file to your DNS system: /tmp/ipa.system.records.vTBaPz.db
      =======================================================================
      Setup complete
      
      Next steps:
      	 1. You must make sure these network ports are open:
      		 TCP Ports:
      		   * 80, 443: HTTP/HTTPS
      		   * 389, 636: LDAP/LDAPS
      		   * 88, 464: kerberos
      		 UDP Ports:
      		   * 88, 464: kerberos
      		   * 123: ntp
      
      	 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
      	    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
      	    and the web user interface.
      
      Be sure to back up the CA certificates stored in /root/cacert.p12
      These files are required to create replicas. The password for these
      files is the Directory Manager password
      

      5. Visit the:

      http://rhel7.9.example.com:80/ipa/ui/
      

      page and sign-in using's RHDS's admin user's credentials.

      6. Add some new users to RHDS, which will be used for testing. On the Identity tab,
      click Users tab, select Active users entry on the left sidebar. In the upper right corner
      of the table, which gets displayed, click the Add button. Enter necessary user
      information. See table below for an example entry:

      Field Name: Entered Value: Comment:
      User login: jdoe
      First name *: John
      Last name *: Doe
      Class: top,person,organizationalPerson,inetOrgPerson
      No private group [] /* Keep the default, unchecked state */
      GID: editors /* Choose some value here, e.g. editors */
      New Password redhat
      Verify Password redhat

      Upon entering the values, click either Add or Add and Add Another button.
      Repeat this step as many times as needed to add more testing users.

      7. (Optional) Verify via e.g the ldapsearch tool the RHDS LDAP service is accessible:

      $ ldapsearch -x -b dc=9,dc=example,dc=com -H ldap://rhel7.9.example.com | head -10
      # extended LDIF
      #
      # LDAPv3
      # base <dc=9,dc=example,dc=com> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
       
      # users, compat, 9.example.com
      dn: cn=users,cn=compat,dc=9,dc=example,dc=com
      

      8 Start the RH-SSO server using the standalone.xml configuration file:

      $ cd rh-sso-7.4/
      $ ls
      bin  docs  domain  JBossEULA.txt  jboss-modules.jar  LICENSE.txt  modules  standalone
      themes  version.txt  welcome-content
      $ cd bin/
      $ ./standalone.sh
      

      9. Configure new LDAP user federation provider in RH-SSO server. In the RH-SSO admin
      console, click User Federation on the left sidebar. choose ldap, and enter values as
      follows (where appropriate, adjust the hostname of the RHDS server as necessary):

      Field Name: Entered Value: Comment
      Edit Mode: WRITABLE
      Vendor: Red Hat Directory Server
      UUID LDAP attribute: uidNumber Change the default nsuniqueid to uidNumber
      Connection URL: ldap://rhel7.9.example.com:389 After entering the LDAP connection URL below, you might
      want to click the Test connection button to verify the connection works
      Users DN: cn=users,cn=accounts,dc=9,dc=example,dc=com
      Bind DN: uid=admin,cn=users,cn=compat,dc=9,dc=example,dc=com In the Bind DN entry below, ensure to provide uid of the RHDS's user, who has the admin privilege, so you won't encounter error messages like: "Insufficient write privilege..." later, when trying to update some user's attribute.
      Bind Credential: redhatredhat Provide RHDS admin password here. Possibly click Test Authentication button to verify the authentication succeeded.

      Keep the other fields to their default values. Click the Save button.

      9. Click Synchronize all users button to import users from RHDS to RH-SSO.
      Confirm some users got properly imported form RHDS to RH-SSO.

      10. In the left sidebar, click Users entry under the Manage tab. Click View all users
      button. In the displayed table, choose some user imported form RHDS. Click Edit
      button.

      11. Edit some user characteristics (e.g. Email, First Name, Last Name etc.). Click
      Save. Notice how the user is properly edited / changed.

      12. On the same page edit some user characteristics again. Upon entering the changed
      value, click the Save button again. Notice how the request to update user fails this
      time with the error message like:

        Error! Could not update user! See server log for more details X
      

      And server log contains entry like:

         ...
         11:12:41,846 WARN  [org.keycloak.userprofile.validation.StaticValidators] (default task-6)
         Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson'
         11:12:41,846 WARN  [org.keycloak.userprofile.validation.StaticValidators] (default task-6)
         Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson'
         11:12:41,846 WARN  [org.keycloak.services.resources.admin.UserResource] (default
          task-6) Failed to update attribute modifyTimestamp:
          updateReadOnlyAttributesRejectedMessage,
          updateReadOnlyAttributesRejectedMessage, 
         ...
      
      Show
      1) Create a user federation. Make sure to sync to see if everything is ok 2) Go to Users page and edit the last name of a user mapped from LDAP and hit Save 3) Try to modify the same field (or a different one) and hit save again. You'll see the messages I shared previously Additional Observations: 1. This issue doesn't affect RH-SSO 7.4.0 with RHDS . 2. This issue doesn't affect RH-SSO 7.4.6+ ApacheDS -- multiple subsequent user fields change requests are processed correctly. 3. This issue affects RH-SSO 7.4.6+ with both possible variants / vendors of LDAP UFP ( Active Directory , Red Hat Directory Server ) . Successfully reproduced the problem with RH DS (see below(, and also Active Directory service configured on top of Windows Server 2016 . 4. In RH-SSO 7.4.6+ while subsequent (2+ edits) doesn't work in the RH-SSO administrator console. It's possible (subsequently) to edit user details in the account console of the particular user. Please see more detailed steps to reproduce below as follows: How Reproducible: Always Steps To Reproduce: 1. Ensure the hostname of the Red Hat Directory Server 's (RHDS) host is properly resolving (looks proper IPA server install below assumes this): [root@rhel7 ~]# hostname -f rhel7.9.example.com 2. Add IP address of the RHDS host into the /etc/hosts file of the RHDS host: [root@rhel7 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.122.14 rhel7.9.example.com 3. Install and configure the Red Hat Directory Server on that host (used FreeIPA, version: 4.6.8 in my setup): # yum install ipa-server bind-dyndb-ldap -y # rpm -q ipa-server bind-dyndb-ldap ipa-server-4.6.8-5.el7_9.5.x86_64 bind-dyndb-ldap-11.1-7.el7.x86_64 # ipa-server-install 4. Once RHDS installed, add system firewalld exceptions for the following ports: ... Please add records in this file to your DNS system: /tmp/ipa.system.records.vTBaPz.db ======================================================================= Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password 5. Visit the: http://rhel7.9.example.com:80/ipa/ui/ page and sign-in using's RHDS's admin user's credentials. 6. Add some new users to RHDS, which will be used for testing. On the Identity tab, click Users tab, select Active users entry on the left sidebar. In the upper right corner of the table, which gets displayed, click the Add button. Enter necessary user information. See table below for an example entry: Field Name: Entered Value: Comment: User login: jdoe First name *: John Last name *: Doe Class: top,person,organizationalPerson,inetOrgPerson No private group [] /* Keep the default, unchecked state */ GID: editors /* Choose some value here, e.g. editors */ New Password redhat Verify Password redhat Upon entering the values, click either Add or Add and Add Another button. Repeat this step as many times as needed to add more testing users. 7. (Optional) Verify via e.g the ldapsearch tool the RHDS LDAP service is accessible: $ ldapsearch -x -b dc=9,dc=example,dc=com -H ldap://rhel7.9.example.com | head -10 # extended LDIF # # LDAPv3 # base <dc=9,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # users, compat, 9.example.com dn: cn=users,cn=compat,dc=9,dc=example,dc=com 8 Start the RH-SSO server using the standalone.xml configuration file: $ cd rh-sso-7.4/ $ ls bin docs domain JBossEULA.txt jboss-modules.jar LICENSE.txt modules standalone themes version.txt welcome-content $ cd bin/ $ ./standalone.sh 9. Configure new LDAP user federation provider in RH-SSO server. In the RH-SSO admin console, click User Federation on the left sidebar. choose ldap , and enter values as follows (where appropriate, adjust the hostname of the RHDS server as necessary): Field Name: Entered Value: Comment Edit Mode: WRITABLE Vendor: Red Hat Directory Server UUID LDAP attribute: uidNumber Change the default nsuniqueid to uidNumber Connection URL: ldap://rhel7.9.example.com:389 After entering the LDAP connection URL below, you might want to click the Test connection button to verify the connection works Users DN: cn=users,cn=accounts,dc=9,dc=example,dc=com Bind DN: uid=admin,cn=users,cn=compat,dc=9,dc=example,dc=com In the Bind DN entry below, ensure to provide uid of the RHDS's user, who has the admin privilege, so you won't encounter error messages like: "Insufficient write privilege..." later, when trying to update some user's attribute. Bind Credential: redhatredhat Provide RHDS admin password here. Possibly click Test Authentication button to verify the authentication succeeded. Keep the other fields to their default values. Click the Save button. 9. Click Synchronize all users button to import users from RHDS to RH-SSO. Confirm some users got properly imported form RHDS to RH-SSO. 10. In the left sidebar, click Users entry under the Manage tab. Click View all users button. In the displayed table, choose some user imported form RHDS. Click Edit button. 11. Edit some user characteristics (e.g. Email , First Name , Last Name etc.). Click Save . Notice how the user is properly edited / changed. 12. On the same page edit some user characteristics again. Upon entering the changed value, click the Save button again. Notice how the request to update user fails this time with the error message like: Error! Could not update user! See server log for more details X And server log contains entry like: ... 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.services.resources.admin.UserResource] (default task-6) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage, updateReadOnlyAttributesRejectedMessage, ...

    Description

      In RHSSO 7.4.0 if you create an LDAP federation and then enable sync registration, when a user is created and you go to Users screen to change some attributes, it works fine. 
       
      Starting in RHSSO 7.4.5 some errors are thrown when updating an attribute (like Last name, for example). And then when it goes to 7.4.6, we're able to modify an attribute but just once, if they want to update again they need to refresh the page else RHSSO shows a warning:
       
       
      ~~~
      15:48:01,187 WARN  [org.keycloak.userprofile.validation.StaticValidators] (default task-7) Attempt to edit denied attribute 'modifyTimestamp' of user 'user2'
      15:48:01,188 WARN  [org.keycloak.services.resources.admin.UserResource] (default task-7) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage, updateReadOnlyAttributesRejectedMessage,
      ~~~
       
      This happens using RHDS, not tested wih Active Directory.
       
      Workaround: refreshing the page or setting Always read from LDAP to false in attributes for the modifyTimestamp field.

      Attachments

        Activity

          People

            rhn-jlieskov Ján Lieskovský
            rhn-support-pdelbell Patrick Del Bello
            Votes:
            5 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated: