I'm evaluating keycloak for identity management using an existing (open)ldap server.
I've managed to get the telephoneNumber ldap attribute into keycloak.
The problem occurs if I try to remove a telephone number via keycloak: keycloak tries to set the ldap attribute to an empty string, which is not allowed. Is there a way to configure the user-attribute-ldap-mapper to delete the attribute if its empty?
Best wishes
Daniel
[edit] I've opend a bug report at keyloak for this issue
Related
I developed a service provider interface (SPI) for User Federation in keycloak.
When I try to login with an existing case sensitive user, keycloak converts it to lower case, so at the end, the sent username was not found in my user API.
I am using keycloak 20.0.1 version and it is deploying in a docker container.
I found this post in stackoverflow that share an anwerd relatated for this, buth I do not get solution. I replaced conf/cache-ispn.xml as it metion, buth when keycloak starts it gets the error Cache 'users' has been requested, but no matching cache configuration exists.
I realy apreciate if some one knows if there is an alternative.
Regardles.
I tried to get original input username with case sensitive in keycloak login.
I have added the Quarkus quarkus-elytron-security-ldap dependency to my project to enable basic auth on my REST services. I have configured it in my properties file as below. I know that it is connecting successfully to the LDAP repository, but it never finds the UID when doing a search:
quarkus.security.ldap.dir-context.principal=uid=serviceLdapAccount,ou=Systems,ou=Users,DC=COMPANY
quarkus.security.ldap.dir-context.url=ldap://some.server.com
quarkus.security.ldap.dir-context.password=*****
quarkus.security.ldap.identity-mapping.rdn-identifier=uid
quarkus.security.ldap.identity-mapping.search-base-dn=DC=COMPANY
I have confirmed that the user definitely exists in the repository and is included in the search base. But I always get this response:
[io.qua.ver.htt.run.sec.BasicAuthenticationMechanism] Found basic auth header requestAccountName:***** (decoded using charset UTF-8)
[org.wil.security] Obtaining lock for identity [requestAccountName]...
[org.wil.security] Obtained lock for identity [requestAccountName].
[org.wil.security] Trying to create identity for principal [requestAccountName].
[org.wil.security] Executing search [(uid={0})] in context [DC=COMPANY] with arguments [requestAccountName]. Returning attributes are []. Binary attributes are [].
[org.wil.security] Identity for principal [requestAccountName] not found.
Why can't it find the identity?
The seach-base-dn needed to be more specific:
quarkus.security.ldap.identity-mapping.search-base-dn=ou=Systems,ou=Users,DC=COMPANY
What I had before should work though, imo.
I am working om using Auth0 has authentication for services. I have the following problem. I have created a user but when I try to make a request with that user I get the following error.
Authorization server not configured with default connection
I have researched this and found I need to Configure the tenant
The Resource Owner Password Flow relies on a connection that is capable of authenticating users by username and password, so you must set the default connection for the tenant.
Go to Auth0 Dashboard > Tenant Settings, and scroll down to locate the Default Directory setting.
Enter the name of the connection you would like to use. Make sure it is capable of authenticating users by username and password.
But I have on idea what they mean by Default Directory. Is that the name of the Auth0 application I generated, since that is the service, that is supposed to authenticate users by username and password.
I have generated a SpringBoot app from the auth0 console. is that what they mean by connection.
Follow these steps.
Navigate to your dashboard - manage.auth0.com/dashboard
On the left menu, click on Setting
Scroll down to "API Authorization Settings"
Enter Username-Password-Authentication in the "Default Directory" input
Hit save - It typically takes about 30secs for changes to take effect
In Default Directory put Username-Password-Authentication
My auth0 was configured with a custom database, and when I was trying to get tokens using the Resource Owner Password API, I had the same issue Authorization server not configured with default connection .
The solution to this issue was:
Set the grant_type to http://auth0.com/oauth/grant-type/password-realm
Set the realm to the name of the custom database
For anyone else stumbling upon this question, you can also use the Realm property to define a specific Database connection instead of setting up a default one.
I installed Openldap in server and after that added the user into the ldap,below screen show show the added user through Apache Active Directory
Now in keycloak i added user federation as a openLdap and its connecting to ldap without any issue,but when i am trying to sync the user i am getting message
Success! Sync of users finished successfully. 0 imported users, 0
updated users
So no user import from ldap to keycloak ,below is the related ldap connection information in keycloak .
Thanks to #EricLavault and one of company colleague at last Keycloak able to import the user successfully. Below changes i have done to fix the issue.
Change the User Object Classes=*
Created a new entry ou=People then created user under it
In Keycloak used Users DN = ou=user,ou=people,dc=suredev20
After this its start throwing below exception
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null
username! Check configuration of your LDAP mappings. Mapped username
LDAP attribute: uid, user DN:
cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP:
{sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z],
modifyTimestamp=[20191118180647Z]}
Which is fixed by using Username LDAP attribute = cn as ldap username Attribute description in openldap case bydefault cn
User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container as it's supposed to represent the directory manager and should be used for binding and other operations but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS) that is ou=people,dc=suredev20, ie. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloack you need to set users dn accordingly : ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving subodh entry but not recommended).
I have set the proper LDAP configuration in Sonar 5.6.6 LTS (ldap plugin v2.2.0.608) and I see in logs that the connection is established.
When I first try to login with my LDAP-login, I am able to do so, but my user has of course no permissions - that is okay.
The problem occurs, when I want to first add my user and give him i.e. sonar-administrators group. When it is set and I try to login, Sonar authenticates me not against the external system (LDAP) but uses his own data base.
I am sure it worked with Sonar 4.5 but now I cannot configure it properly.
The problem was that creation of new users adds them by default to the local database of SonarQube. To change this default behavior I found out that the REST API endpoint to create users contains the flag 'local' which defines whether the user should be considered as a local user added to the local database or he should be added as an external user authenticated again an external system like LDAP.
So final answer is to use the following REST API endpoint:
private final String CREATE_USER_API = "/api/users/create?login={login}&name={name}&local=false"
Please note the following property: local=false at the end of the string.