Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1523

[GHI#29206] LDAP user creation reports error but user is created

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      ldap

      Describe the bug

      When creating a user in a realm that is federating with an LDAP server, the UI reports an error and error logs can be seen, but the user is actually created and shows up keycloak search.
      It is a little strange as the UI gives an idea that the user was not created but that is not true. If I attempt to create the user again, it fails obviously as the user already exists in the LDAP backend.

      I believe this is caused due to a clustered OpenLDAP deployment.

      I suspect that the failures occur when the query hits replicas that don't yet have the newly created user. Successes should be when the creation and query both hit the same replica.

      Logs:

      ```
      2024-05-02 08:00:32,660 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (executor-thread-3) Could not query server using DN [uid=ldapdavid,ou=users,dc=asml,dc=com] and filter [(objectclass=*)]: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=ldapdavid,ou=users,dc=asml,dc=com'

          at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3285)
          at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
          at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2997)
          at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
          at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
          at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
          at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
          at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:305)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:258)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:255)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:721)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:701)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:696)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:255)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getEntryIdentifier(LDAPIdentityStore.java:611)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:104)
          at org.keycloak.storage.ldap.LDAPUtils.lambda$addUserToLDAP$1(LDAPUtils.java:115)
          at org.keycloak.storage.ldap.idm.model.LDAPObject.executeConsumerOnMandatoryAttributesComplete(LDAPObject.java:269)
          at org.keycloak.storage.ldap.idm.model.LDAPObject.executeOnMandatoryAttributesComplete(LDAPObject.java:82)
          at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:113)
          at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:320)
          at org.keycloak.storage.UserStorageManager.lambda$addUser$16(UserStorageManager.java:329)
          at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
          at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
          at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
          at java.base/java.util.stream.SortedOps$RefSortingSink.end(SortedOps.java:400)
          at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
          at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
          at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:528)
          at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
          at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
          at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
          at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
          at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
          at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:331)
          at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:810)
          at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:162)
          at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:149)
          at org.keycloak.userprofile.DefaultUserProfile.create(DefaultUserProfile.java:96)
          at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:146)
          at org.keycloak.services.resources.admin.UsersResource$quarkusrestinvoker$createUser_49ad02a153eab6ba1571548b97a4fecbdc7a7465.invoke(Unknown Source)
          at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
          at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
          at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
          at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
          at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
          at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
          at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
          at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
          at java.base/java.lang.Thread.run(Thread.java:840)
      

      2024-05-02 08:00:32,664 WARN [org.keycloak.services.resources.admin.UsersResource] (executor-thread-3) Could not create user: org.keycloak.models.ModelException: Could not retrieve identifier for entry [uid=ldapdavid,ou=users,dc=asml,dc=com].

          at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.getEntryIdentifier(LDAPIdentityStore.java:622)
          at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:104)
          at org.keycloak.storage.ldap.LDAPUtils.lambda$addUserToLDAP$1(LDAPUtils.java:115)
          at org.keycloak.storage.ldap.idm.model.LDAPObject.executeConsumerOnMandatoryAttributesComplete(LDAPObject.java:269)
          at org.keycloak.storage.ldap.idm.model.LDAPObject.executeOnMandatoryAttributesComplete(LDAPObject.java:82)
          at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:113)
          at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:320)
          at org.keycloak.storage.UserStorageManager.lambda$addUser$16(UserStorageManager.java:329)
          at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
          at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
          at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
          at java.base/java.util.stream.SortedOps$RefSortingSink.end(SortedOps.java:400)
          at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
          at java.base/java.util.stream.Sink$ChainedReference.end(Sink.java:258)
          at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:528)
          at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
          at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
          at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
          at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
          at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
          at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:331)
          at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:810)
          at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:162)
          at org.keycloak.userprofile.DeclarativeUserProfileProvider$1.apply(DeclarativeUserProfileProvider.java:149)
          at org.keycloak.userprofile.DefaultUserProfile.create(DefaultUserProfile.java:96)
          at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:146)
          at org.keycloak.services.resources.admin.UsersResource$quarkusrestinvoker$createUser_49ad02a153eab6ba1571548b97a4fecbdc7a7465.invoke(Unknown Source)
          at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
          at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
          at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
          at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
          at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
          at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
          at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
          at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
          at java.base/java.lang.Thread.run(Thread.java:840)
      

      ```

      Version

      24.0.3

      Regression

      [ ] The issue is a regression

      Expected behavior

      UI and logs show no errors when creating a user in a realm with LDAP federation.
      User is created.

      Actual behavior

      UI and logs show errors when creating a user in a realm with LDAP federation.
      User is created.

      How to Reproduce?

      Kubernetes:

      Deploy keycloak in cluster mode with operator. Set 3 instances e.g.
      Deploy OpenLDAP in cluster mode with openldap-stack-ha chart. Set 3 instances e.g.

      Create realm and federate with OpenLDAP.
      Try to create some users. Some will fail, some will succeed. I suspect that the failures are when the query hits replicas that don't yet have the newly created user. Successes should be when the creation and query both hit the same replica.

      Anything else?

      No response

            Unassigned Unassigned
            pvlha Pavel Vlha
            Keycloak Core IAM
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: