KEYCLOAK-8525

No support for AD range retrieval in LDAP user federation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Deferred
    • Affects Version/s: 3.4.3.Final
    • Fix Version/s: None
    • Component/s: User Federation - LDAP
    • Labels:
    • Environment:

      Linux (Ubuntu 16.04)
      Active directory 2008 and 2012R2

    • Steps to Reproduce:
      • Have an Active Directory with a group which contains at least MaxValRange members. MaxValRange was 1500 in our case.
      • Configure a Keycloak LDAP user federation provider to connect to the AD server, and configure a role-ldap-mapper (see also screenshot).
      • Try to add the role which has more users than the MaxValRange limit to a user.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Active Directory uses something called range retrieval for attributes when the number of values in an attribute exceeds a certain limit (around 1500 most of the time). This is e.g. happening for the member attribute of a group.
      When you configure an LDAP user federation to use Active Directory, and you configure a role-ldap-mapper for that user federation to retrieve which roles users have, adding a role to a user where the role already has more members than the limit will fail with an error message:

      Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
       at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
       at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
       at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
       at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
       at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
       at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
       at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
       at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
      …
      Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
       at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
       at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
       at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
      

      Some more information about range retrieval:
      https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval

      A temporary workaround is to increase the range retrieval limit (MaxValRange), although there are some hard limits there. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil on how to change that limit.

      The following old post also has a good explanation and shows the difference between paging and range retrieval: https://community.oracle.com/thread/1157644.
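      The following is an added illustration of the range retrieval behaviour described above; it is not Keycloak's code and uses a constructed stand-in for the AD group entry rather than a real LDAP connection. Once a group has more members than MaxValRange, AD answers a request for `member` with a `member;range=0-1499` attribute and no plain `member` key at all, so a client that only reads `member` sees an empty list, while a client that follows the range tags until the `*`-terminated chunk recovers the full membership.

```python
import re
from typing import Dict, List

class FakeAdGroup:
    """Constructed stand-in that answers like AD does for a large 'member' attribute."""
    def __init__(self, members: List[str], max_val_range: int = 1500):
        self.members = members
        self.max_val_range = max_val_range

    def search(self, requested_attr: str) -> Dict[str, List[str]]:
        m = re.fullmatch(r"member(?:;range=(\d+)-(\d+|\*))?", requested_attr)
        if not m:
            return {}
        if m.group(1) is None and len(self.members) <= self.max_val_range:
            return {"member": list(self.members)}      # small group: plain attribute
        lo = int(m.group(1) or 0)
        chunk = self.members[lo:lo + self.max_val_range]
        last = lo + len(chunk) - 1
        # The final chunk is tagged with '*' as upper bound; the plain 'member'
        # key is absent from every ranged response.
        hi = "*" if last >= len(self.members) - 1 else str(last)
        return {f"member;range={lo}-{hi}": chunk}

RANGE_KEY = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def naive_members(group: FakeAdGroup) -> List[str]:
    """What a client that only looks at the plain 'member' key gets back."""
    return group.search("member").get("member", [])

def fetch_all_members(group: FakeAdGroup) -> List[str]:
    """Follow AD range retrieval until the server returns the '*' terminated chunk."""
    members: List[str] = []
    requested = "member"
    while True:
        result = group.search(requested)
        if "member" in result:                  # no ranging in effect
            return result["member"]
        ranged = [(k, v) for k, v in result.items() if RANGE_KEY.match(k)]
        if not ranged:
            return members
        key, values = ranged[0]
        members.extend(values)
        hi = RANGE_KEY.match(key).group("hi")
        if hi == "*":
            return members
        requested = f"member;range={int(hi) + 1}-*"
```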

    People

    • Assignee: Unassigned
    • Reporter: Sidney Beekhoven (sidneybeekhoven)
    • Votes: 1
    • Watchers: 6
