Keycloak - Issues syncing users with LDAP - ldap

I installed Openldap in server and after that added the user into the ldap,below screen show show the added user through Apache Active Directory
Now in keycloak i added user federation as a openLdap and its connecting to ldap without any issue,but when i am trying to sync the user i am getting message
Success! Sync of users finished successfully. 0 imported users, 0
updated users
So no user import from ldap to keycloak ,below is the related ldap connection information in keycloak .

Thanks to #EricLavault and one of company colleague at last Keycloak able to import the user successfully. Below changes i have done to fix the issue.
Change the User Object Classes=*
Created a new entry ou=People then created user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this its start throwing below exception
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null
username! Check configuration of your LDAP mappings. Mapped username
LDAP attribute: uid, user DN:
cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP:
{sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z],
modifyTimestamp=[20191118180647Z]}
Which is fixed by using Username LDAP attribute = cn as ldap username Attribute description in openldap case bydefault cn

User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container as it's supposed to represent the directory manager and should be used for binding and other operations but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS) that is ou=people,dc=suredev20, ie. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloack you need to set users dn accordingly : ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving subodh entry but not recommended).

Related

When do the groups associated with an LDAP user get updated in Artifactory?

RE: https://jfrog.com/knowledge-base/when-do-the-groups-associated-with-an-ldap-user-get-updated-in-artifactory/
The Knowledge Base article above says:
"LDAP user authentication requests using Encrypted password or plain text password will update the LDAP group association changes from the LDAP server."
We've added a user to a group, but that user still can't see the artifacts governed by that group even after he has logged in. How can we cause Artifactory to update its group membership cache?
Please ask the user to logout and log back in after being added to the groups. Artifactory will try to reach to the LDAP server for validating the creds and then get the groups associated with the user which is returned from the LDAP server.
There is a chance that LDAP cache as mentioned in here https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache might take effect the groups to be associated if the user session is not hitting the LDAP server.

Why realm is required for some users in beeline connection,even its ensured with ldap authentciation.?

Problem: Why realm is required for some users in beeline connection,even its ensured with ldap authentciation.?
While connecting with beeline,with configured ldap authentication some users connected with without realm and some users connect with realm authentication.This is because of while creating users in active directory ,display name differ with logon name.
During authentication,it can only validate by logon name only,but some users validate also by display name.Actually its only validate by on logon name but here it seems validate by display name.
Please refer the attached images and provide the ideas if you overcome this.
Thanks,
Mathes

wso2 appm issue with ldap authentication when login on store or publisher

I'm trying to use wso2 APPM (vers 1.10.0) with an external ldap as authentication without real success.
I'll try to be as factual as possible to let it be testable:
I've unzip the wso2appm zip file under linux
I've setup the java_home var
I've start the wso2server.sh ==> no problem displayed in the log, at this step I must precise I'm using the default database of wso2.
Then logging to carbon gui, and adding a new userstore management setting up to a read-only external ldap.
after few seconds, the ldap users appears in the user list.
then selecting me in the list and adding the internal/store role.
opening the store url, and trying to login with the login / password of my user
Then having a message to inform me that the user has not the store profile.
If I log into carbon with my ldap user, it's working.
The same use case with the API looks fine to log into the store.
Any fix or ideas are welcome.
BR,
jfv
By the looks of it I suspect your issue is, the privileges are not set correctly for your ldap user store roles. Please make sure that you have assigned the internal/subscriber role to the relevant user in your permission tree. You can find more details about this at JIRA ticket [1]
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu
Hi and thank your for your answer,
first: I've checked this morning the solution you've proposed, and there is no change.
In a second time, I've tryied to add all privileges without more success
but if I create a new user manually, this one can login.
The following error in the log are shown when I try to login with an ldap user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
the login is "jaav7491"
Thank you for your ideas,
BR,
jfv

Bind settings for LDAP authentication for moodle

I am now trying to configure for the LDAP authentication in /admin/auth_config.php?auth=ldap.
I would like to know what the Bind settings does? Is it necessary to fill in the DN and Password under Bind settings for LDAP to work?
And I have encountered an error code auth_ldap_noconnect when trying to sync the users through LDAP from the cron script. What could be the causes for this error?
The Bind settings are necessary - without them Moodle can't connect to your LDAP server. They determine how Moodle will access the LDAP server.
CN = your Common Name
OU = your Organizational Unit
DC = your Domain Component
Those are all part of the LDAP data Interchange Format (LDIF) and they determine how the LDAP tree is filtered. See http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format.
So in Moodle you probably need a Distinguished name like:
cn=YourServiceAccountName,ou=YourSchool,ou=Service Accounts,DC=yourdc,DC=co,DC=uk
And you'll probably also have to list the Contexts where your students are found:
ou=yourschool,DC=yourdc,DC=co,DC=uk;
User attribute might = samaccountname (for MS Active Directory)

Liferay and user password during the export into OpenLDAP

I have a question about Liferay.
I have configuate my system with Liferay + Jasig CAS Authentication and OpenLDAP.
I can authenticate my user correctly and I can import user account from LDAP (Ldap import).
I have also configurate the user export to OpenLDAP..so, now I can export an account when this will be create.
Infact I can see this new account in my OpenLDAP server.
When Liferay create a new account it generate a random password for this new account (for example 4hdsdsh) and the user receive an e-mail after the registration.
The problem is: I my OpenLDAP server this password does not seem to be equal to the one just generated by Liferay..
So, the new user will never be able to authenticate into my Liferay (because I use CAS + LDAP).
I also found a funny/strange thing: If I modify this new password in Liferay (using an administrator account) I see this password correctly into my OpenLDAP server and so, the user can finally log into my Liferay..
I am not sure but it seems while user registration it is just exporting the fields entered by user in registration screen and since the password is auto generated after registration, it is not exported to LDAP and might be blank till User has not updated his password by Logging in.
You can debug this class PortalLDAPExporterImpl.Java and also watch user detail in LDAP via jxplorer whats the password & user status as well. If password is blank you could extend class and your logic to pass auto generated or default password for first time case.
This is a bug of Liferay:
See following issue: https://issues.liferay.com/browse/LPS-43045