I've setup keycloak to import users from an openldap server. As a test run, I went with the default h2 to see if I could get it running. It connects and authenticates correctly. Once I hit synchronize all users, it reports back Success x imported users, 0 changed users. After going into Manage=>Users and clicking on View all Users, it only shows a generic Username user with the email user#user.com.
The only information I get from server.log is the warning message below.
I'm not sure what direction to look for how to fix this. Is there some sort of other place I should look for an error message or some other thing I should try?
2018-12-19 15:56:31,209 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-7) Not present cache item for key LoginFailureKey [ realmId=namis. userId=14ed02d1-3ac3-4911-a377-80863f2bde70 ]
Update:
I checked the user_entity table after import and the users are there. Once I go to Manage Users, the users from the realm disappear from the database.
I turned on trace level logging and found the error message
[org.keycloak.storage.UserStorageManager] (default task-1) Removed invalid user 'John Doe'
I searched through the source code and found the function,importValidation, that calls the function which removes the user. This seems to happen when a storage provider is null or validate is called on a user and realm and it returns a null UserModel.
I also had this issue today and it's possible to just remove the username mapper altogether, as the username attribute is already mapped from Username LDAP attribute in User Federation settings.
It turns out I had one of the mappers incorrect. The username mapper was not mapped to the correct ldap attribute.
Related
I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.
When using Keycloak as an Identity Broker there seems to be an issue with some usernames. Default behavior of Keycloak is that when some info (username/email/firstname/lastname) is missing the "Update Account Information" is displayed.
So far so good. The issue though is that you can actually save an invalid username that way, e.g. (asd/fölkj - notice the slash). Now I basically created a broken user that can no longer be modified, not even using the Admin-UI:
[
You can't save it like that because the username is invalid, but you can't change the username since it is read-only.
This seems to be a bug. The bigger issue for me though is that the IDP we are connecting to does not return the email-claim (otherwise I could use that as username too). It only returns a "sub" and since sadly this DOES contain slashes the account is broken if the user does not pick another username. I took a look at the "UsernameTemplateMapper", but they seem a bit limited. Is there any way to just remove all slashes from the "sub"-claim and STILL use it as default username?
I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since
Internal Server Error
is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a Postgresql DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggest are active. But then, of course, the database won't like that, with above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.
I have created dashboard and shared it to other computer which is demo user with the role-> kibana_dashboard_only_user.
now when i open shared with demo user login credentials it shows error like
Internal Server Error
Error: Internal Server Error
SearchError#http://10.42.35.14:5601/bundles/commons.bundle.js:3:298201
_callee2$/<.searching</<#http://10.42.35.14:5601/bundles/commons.bundle.js:4:324908
processQueue#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:199687
scheduleProcessQueue/<#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:200650
$digest#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:210412
$apply#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:213219
done#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:132717
completeRequest#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:136329
requestLoaded#http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:135225
Does the user have read permissions on the index? Just dashboard permissions alone are not enough; this is unfortunately not super obvious.
The user (or role) needs to have at least the read permission on the desired index in addition to the dashboard-only role.
Check the documentation here:
https://www.elastic.co/guide/en/kibana/current/xpack-dashboard-only-mode.html#grant-read-access-to-indices
BTW the feature has generally been reworked and is deprecated in the old form
I have configured request tracker4 to be an interdepartmental helpdesk solution. The current setup is that users will login to RT using LDAP. Once logged in there account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select then put in the users DN name and clicking add I then have to check the box "Let this user be granted rights (Privileged)" I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when new user logs in they are indeed created in the database. But with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)