Unable to create LDAP entries with the objectClass "posixAccount"


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Deferred
    • Affects Version/s: 4.6.0.Final
    • Fix Version/s: None
    • Component/s: User Federation - LDAP
    • Labels:
    • Environment:

      Host OS: unRaid
      LDAP system: openLDAP Docker container.

    • Steps to Reproduce:
      1. Install openLDAP.
      2. Configure memberOf to set up basic groups.
      3. Create a user that has the following objectClasses:
         • objectClass: top
         • objectClass: posixAccount
         • objectClass: shadowAccount
         • objectClass: inetOrgPerson
         • objectClass: organizationalPerson
         • objectClass: person
      4. Connect Keycloak to the LDAP server. uidNumber is the UUID LDAP attribute. (I also use uid over cn, but that shouldn't matter.)
      5. Test the connection, and that the user you made syncs.
      6. Try to create a new user via Keycloak's web admin console. This should fail here.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      After connecting to an openLDAP instance, Keycloak can read synced users into itself, but is unable to create users in the LDAP federation. This seems to be because Keycloak isn't feeding an auto-incrementing number to create a unique id.
      gidNumber will probably have the same issue.

      posixAccount is needed as far as I know to have groups.

      Error returns as:

      Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'posixAccount' requires attribute 'uidNumber']; remaining name 'uid=test,ou=people,dc=xxxxxx,dc=xxx'
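As an added example (not code from the Keycloak project or from this report), the following Python checks a candidate entry against the MUST attributes of the six object classes listed above and allocates the next uidNumber from existing entries, the auto-incrementing value the report says is missing. The MUST attribute sets are taken from RFC 2307 and RFC 4519; the directory contents, the floor of 10000 and the default gidNumber are constructed assumptions.

```python
# Added example, not Keycloak's code. MUST attributes come from RFC 2307
# (posixAccount, shadowAccount) and RFC 4519 (person); the other classes in
# the report define no MUST attributes of their own.
MUST_ATTRS = {
    "top": set(),
    "person": {"sn", "cn"},
    "organizationalPerson": set(),
    "inetOrgPerson": set(),
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
}

def missing_attributes(entry):
    """Return one '<class> requires <attr>' line per unmet MUST attribute,
    i.e. what the server rejects with LDAP error code 65 (objectClassViolation)."""
    problems = []
    for oc in entry.get("objectClass", []):
        for attr in MUST_ATTRS.get(oc, set()):
            if not entry.get(attr):
                problems.append(f"object class '{oc}' requires attribute '{attr}'")
    return sorted(problems)

def next_uid_number(existing_entries, floor=10000):
    """Next uidNumber above the highest one in use, never below `floor` (constructed policy)."""
    used = {int(e["uidNumber"]) for e in existing_entries if "uidNumber" in e}
    return max(used | {floor - 1}) + 1

def complete_posix_entry(entry, existing_entries, default_gid=100):
    """Add the posixAccount attributes the report says Keycloak leaves out."""
    fixed = dict(entry)
    fixed.setdefault("uidNumber", str(next_uid_number(existing_entries)))
    fixed.setdefault("gidNumber", str(default_gid))
    fixed.setdefault("homeDirectory", f"/home/{entry['uid']}")
    return fixed

# Constructed sample directory state and a candidate entry shaped like the
# one in the report (uid=test, the six object classes, no uidNumber).
EXISTING = [{"uid": "alice", "uidNumber": "10001"},
            {"uid": "bob", "uidNumber": "10002"}]
CANDIDATE = {
    "objectClass": ["top", "posixAccount", "shadowAccount", "inetOrgPerson",
                    "organizationalPerson", "person"],
    "uid": "test", "cn": "test", "sn": "test",
}

if __name__ == "__main__":
    for problem in missing_attributes(CANDIDATE):
        print("server would reject:", problem)
    print("after completion:", missing_attributes(complete_posix_entry(CANDIDATE, EXISTING)))
```

Running the check before the add call reproduces the reported 'posixAccount requires attribute uidNumber' condition locally, and shows that gidNumber and homeDirectory would be rejected next.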
      

              People

              • Assignee: Unassigned
              • Reporter: ryonez Ryonez Coruscare