Attempt to edit attribute denied in RHSSO 7.4.6

1) Create a user federation. Make sure to sync to see if everything is ok 2) Go to Users page and edit the last name of a user mapped from LDAP and hit Save 3) Try to modify the same field (or a different one) and hit save again. You'll see the messages I shared previously Additional Observations: 1. This issue doesn't affect RH-SSO 7.4.0 with RHDS . 2. This issue doesn't affect RH-SSO 7.4.6+ ApacheDS -- multiple subsequent user fields change requests are processed correctly. 3. This issue affects RH-SSO 7.4.6+ with both possible variants / vendors of LDAP UFP ( Active Directory , Red Hat Directory Server ) . Successfully reproduced the problem with RH DS (see below(, and also Active Directory service configured on top of Windows Server 2016 . 4. In RH-SSO 7.4.6+ while subsequent (2+ edits) doesn't work in the RH-SSO administrator console. It's possible (subsequently) to edit user details in the account console of the particular user. Please see more detailed steps to reproduce below as follows: How Reproducible: Always Steps To Reproduce: 1. Ensure the hostname of the Red Hat Directory Server 's (RHDS) host is properly resolving (looks proper IPA server install below assumes this): [root@rhel7 ~]# hostname -f rhel7.9.example.com 2. Add IP address of the RHDS host into the /etc/hosts file of the RHDS host: [root@rhel7 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.122.14 rhel7.9.example.com 3. Install and configure the Red Hat Directory Server on that host (used FreeIPA, version: 4.6.8 in my setup): # yum install ipa-server bind-dyndb-ldap -y # rpm -q ipa-server bind-dyndb-ldap ipa-server-4.6.8-5.el7_9.5.x86_64 bind-dyndb-ldap-11.1-7.el7.x86_64 # ipa-server-install 4. Once RHDS installed, add system firewalld exceptions for the following ports: ... Please add records in this file to your DNS system: /tmp/ipa.system.records.vTBaPz.db ======================================================================= Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password 5. Visit the: http://rhel7.9.example.com:80/ipa/ui/ page and sign-in using's RHDS's admin user's credentials. 6. Add some new users to RHDS, which will be used for testing. On the Identity tab, click Users tab, select Active users entry on the left sidebar. In the upper right corner of the table, which gets displayed, click the Add button. Enter necessary user information. See table below for an example entry: Field Name: Entered Value: Comment: User login: jdoe First name *: John Last name *: Doe Class: top,person,organizationalPerson,inetOrgPerson No private group [] /* Keep the default, unchecked state */ GID: editors /* Choose some value here, e.g. editors */ New Password redhat Verify Password redhat Upon entering the values, click either Add or Add and Add Another button. Repeat this step as many times as needed to add more testing users. 7. (Optional) Verify via e.g the ldapsearch tool the RHDS LDAP service is accessible: $ ldapsearch -x -b dc=9,dc=example,dc=com -H ldap://rhel7.9.example.com | head -10 # extended LDIF # # LDAPv3 # base <dc=9,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # users, compat, 9.example.com dn: cn=users,cn=compat,dc=9,dc=example,dc=com 8 Start the RH-SSO server using the standalone.xml configuration file: $ cd rh-sso-7.4/ $ ls bin docs domain JBossEULA.txt jboss-modules.jar LICENSE.txt modules standalone themes version.txt welcome-content $ cd bin/ $ ./standalone.sh 9. Configure new LDAP user federation provider in RH-SSO server. In the RH-SSO admin console, click User Federation on the left sidebar. choose ldap , and enter values as follows (where appropriate, adjust the hostname of the RHDS server as necessary): Field Name: Entered Value: Comment Edit Mode: WRITABLE Vendor: Red Hat Directory Server UUID LDAP attribute: uidNumber Change the default nsuniqueid to uidNumber Connection URL: ldap://rhel7.9.example.com:389 After entering the LDAP connection URL below, you might want to click the Test connection button to verify the connection works Users DN: cn=users,cn=accounts,dc=9,dc=example,dc=com Bind DN: uid=admin,cn=users,cn=compat,dc=9,dc=example,dc=com In the Bind DN entry below, ensure to provide uid of the RHDS's user, who has the admin privilege, so you won't encounter error messages like: "Insufficient write privilege..." later, when trying to update some user's attribute. Bind Credential: redhatredhat Provide RHDS admin password here. Possibly click Test Authentication button to verify the authentication succeeded. Keep the other fields to their default values. Click the Save button. 9. Click Synchronize all users button to import users from RHDS to RH-SSO. Confirm some users got properly imported form RHDS to RH-SSO. 10. In the left sidebar, click Users entry under the Manage tab. Click View all users button. In the displayed table, choose some user imported form RHDS. Click Edit button. 11. Edit some user characteristics (e.g. Email , First Name , Last Name etc.). Click Save . Notice how the user is properly edited / changed. 12. On the same page edit some user characteristics again. Upon entering the changed value, click the Save button again. Notice how the request to update user fails this time with the error message like: Error! Could not update user! See server log for more details X And server log contains entry like: ... 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-6) Attempt to edit denied attribute 'modifyTimestamp' of user 'bwilson' 11:12:41,846 WARN [org.keycloak.services.resources.admin.UserResource] (default task-6) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage, updateReadOnlyAttributesRejectedMessage, ...