freeipa / ipa-tuura

GNU General Public License v3.0

keycloak errors on first get for ldap user #122

Open spoore1 opened 1 month ago

spoore1 commented 1 month ago

In one test environment, if I create a user in LDAP and then try to get it in Keycloak, I see a failure the first time I run the get:

  Command:
    /opt/keycloak/bin/kcadm.sh get users -q username=domainuser181536@ldap.test
  CWD:
  Env:
  Output:
  Error output:
    HTTP error - 500 Internal Server Error

When I run a follow-up get call, it works and returns the user:

[ {
  "id" : "80026f36-377b-42d3-8e49-78f218afd0e6",
  "createdTimestamp" : 1721335207332,
  "username" : "domainuser181536@ldap.test",
  "enabled" : false,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]

These are the parameters from the SCIMv2 storage plugin:

[ {
  "id" : "20bbf6d7-d323-4497-afc1-b7f0c2202aa2",
  "name" : "scim",
  "providerId" : "scim",
  "providerType" : "org.keycloak.storage.UserStorageProvider",
  "parentId" : "0569a5b3-8c85-441c-9a81-85001d4c40c0",
  "config" : {
    "domainclientid" : [ "cn=Directory Manager" ],
    "loginpassword" : [ "Password" ],
    "domainname" : [ "ldap.test" ],
    "users_dn" : [ "ou=users,dc=ldap,dc=test" ],
    "scimurl" : [ "bridge.ipa.test:443" ],
    "domainurl" : [ "ldap://rhds.ldap.test" ],
    "enabled" : [ "True" ],
    "idprovider" : [ "ldap" ],
    "keycloak_hostname" : [ "keycloak.ipa.test" ],
    "domaindesc" : [ "Bridge_to_ldap" ],
    "cacert" : [ "/etc/openldap/certs/cacert.pem" ],
    "addintgdomain" : [ "True" ],
    "domainclientsecret" : [ "Password" ],
    "extraattrs" : [ "mail:mail, sn:sn, givenname:givenname" ],
    "loginusername" : [ "scim" ]
  }
} ]

In IPA-Tuura, I see this:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 50,
  "startIndex": 1,
  "Resources": [
    {
      "id": "100009",
      "externalId": null,
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "domainuser181536@ldap.test",
      "name": {
        "givenName": null,
        "familyName": null,
        "formatted": "domainuser181536@ldap.test"
      },
      "displayName": "domainuser181536@ldap.test",
      "emails": [],
      "active": true,
      "groups": [],
      "meta": {
        "resourceType": "User",
        "location": "https://localhost/scim/v2/Users/100009"
      }
    }
  ]
}

And this is from the keycloak journal:

Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,331 DEBUG [org.apache.http.wire] (executor-thread-0) http-outgoing-2 << "{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 1, "itemsPerPage": 50, "startIndex": 1, "Resources": 

[
  {
    "id": "100009",
    "externalId": null,
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "domainuser181536@ldap.test",
    "name": {
      "givenName": null,
      "familyName": null,
      "formatted": "domainuser181536@ldap.test"
    },
    "displayName": "domainuser181536@ldap.test",
    "emails": [],
    "active": true,
    "groups": [],
    "meta": {
      "resourceType": "User",
      "location": "https://localhost/scim/v2/Users/100009"
    }
  }
]

Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-0) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Index 0 out of bounds for length 0
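
As an added illustration (not code from ipa-tuura or the Keycloak SCIM storage plugin), here is a small Python consumer of the ListResponse above that treats an empty "emails" or "groups" list and null name parts as valid data rather than something to index into; the sample body is constructed from the response shown in this issue.

```python
import json

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: the ListResponse ipa-tuura returned for the new LDAP
# user, with empty "emails"/"groups" lists and null givenName/familyName.
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1, "itemsPerPage": 50, "startIndex": 1,
    "Resources": [{
        "id": "100009", "externalId": None,
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "domainuser181536@ldap.test",
        "name": {"givenName": None, "familyName": None,
                 "formatted": "domainuser181536@ldap.test"},
        "displayName": "domainuser181536@ldap.test",
        "emails": [], "active": True, "groups": [],
        "meta": {"resourceType": "User",
                 "location": "https://localhost/scim/v2/Users/100009"},
    }],
})


def primary_email(emails):
    """Return the primary (else first) email value, or None when the list is
    empty.  An empty multi-valued attribute is legal SCIM, so a consumer must
    not assume emails[0] exists."""
    if not emails:
        return None
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value")


def parse_list_response(body):
    """Normalise a SCIM ListResponse into plain dicts, tolerating absent or
    empty optional fields.  Raises ValueError if the schema is wrong."""
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in (doc.get("schemas") or []):
        raise ValueError("not a SCIM ListResponse")
    users = []
    for res in doc.get("Resources") or []:
        name = res.get("name") or {}
        users.append({
            "id": res["id"],
            "userName": res["userName"],
            "givenName": name.get("givenName"),
            "familyName": name.get("familyName"),
            "email": primary_email(res.get("emails") or []),
            "groups": [g.get("value") for g in (res.get("groups") or [])],
            "active": bool(res.get("active", True)),
        })
    return users
```
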

spoore1 commented 1 month ago

And here are the journal entries during the failed lookup:

keycloak_user_add.log

spoore1 commented 1 month ago

FYI, I've been able to reproduce this now with a manual user add on an RHDS system with this LDIF:

dn: ou=users,dc=ldap,dc=test
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=rhdsuser1,ou=users,dc=ldap,dc=test
uid: rhdsuser1
cn: rhdsuser1
objectClass: top
objectClass: posixAccount
homeDirectory: /home/rhdsuser1
userPassword:: ...
gidNumber: 150006
uidNumber: 150006