
User lookup fails in keycloak due to null familyName and null givenName #56

Closed
justin-stephenson opened this issue Jul 11, 2023 · 3 comments

Comments

@justin-stephenson
Collaborator

[root@client ~]# ipa user-show testuser1 --all --raw
  dn: uid=testuser1,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testuser1
  givenname: test
  sn: user
  cn: testuser1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user
  loginshell: /bin/sh
  krbcanonicalname: testuser1@IPA.TEST
  krbprincipalname: testuser1@IPA.TEST
  mail: testuser1@ipa.test
  uidnumber: 1319600004
  gidnumber: 1319600004
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test user
  ipaNTSecurityIdentifier: S-1-5-21-3608036487-284666822-748930798-1004
  ipaUniqueID: 2c791fd0-1ff1-11ee-abe2-fa163e14acb1
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testuser1,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
[root@client ~]# curl -b cookies.txt -X POST -d @filter_testuser1.json "http://127.0.0.1:8000/scim/v2/Users/.search" |json_pp 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   665  100   551  100   114  22569   4669 --:--:-- --:--:-- --:--:-- 30227
{
   "Resources" : [
      {
         "active" : true,
         "displayName" : "testuser1",
         "emails" : [
            {
               "primary" : true,
               "value" : "testuser1@ipa.test"
            }
         ],
         "externalId" : null,
         "groups" : [],
         "id" : "1319600004",
         "meta" : {
            "location" : "https://localhost/scim/v2/Users/1319600004",
            "resourceType" : "User"
         },
         "name" : {
            "familyName" : null,
            "formatted" : "testuser1",
            "givenName" : null
         },
         "schemas" : [
            "urn:ietf:params:scim:schemas:core:2.0:User"
         ],
         "userName" : "testuser1"
      }
   ],
   "itemsPerPage" : 50,
   "schemas" : [
      "urn:ietf:params:scim:api:messages:2.0:ListResponse"
   ],
   "startIndex" : 1,
   "totalResults" : 1
}
2023-07-11 10:15:12,242 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-31) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Cannot invoke "String.equals(Object)" because the return value of "org.keycloak.models.UserModel.getFirstName()" is null
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._wrapAsIOE(DefaultSerializerProvider.java:509)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:482)
        at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:400)
        at com.fasterxml.jackson.databind.ObjectWriter$Prefetch.serialize(ObjectWriter.java:1514)
        at com.fasterxml.jackson.databind.ObjectWriter.writeValue(ObjectWriter.java:1007)

@justin-stephenson
Collaborator Author

Hi @f-trivino, I looked into this more; it appears the ldap_user_extra_attrs line is not being added to sssd.conf during the intg domain add operation (adding it manually fixes the issue), even though the ipa-client-install on the bridge is successful and the plugin is added successfully.

ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname

I am testing using ipa-tuura master. On the keycloak system I use the following commands to add the plugin and then test a user lookup. scimurl is replaced with the system IP address I am deploying with IDM-CI.

./kcadm.sh config credentials \
	--server http://localhost:8080 \
	--realm master --user admin --password redhat

./kcadm.sh create components \
	-r master \
	-s name=scimipa \
	-s providerId=scim \
	-s providerType=org.keycloak.storage.UserStorageProvider \
	-s 'config.scimurl=["10.0.198.183:8000"]' \
	-s 'config.loginusername=["djangoadmin"]' \
	-s 'config.loginpassword=["redhat"]' \
	-s 'config.domain=["http://server.ipa.test"]' \
	-s 'config.domainname=["ipa.test"]' \
	-s 'config.domaindesc=["Bridge_to_ipa"]' \
	-s 'config.domainurl=["https://server.ipa.test"]' \
	-s 'config.domainclientid=["admin"]' \
	-s 'config.domainclientsecret=["Secret123"]' \
	-s 'config.idprovider=["ipa"]' \
	-s 'config.cacert=["/etc/ipa/ca.crt"]' \
	-s 'config.extraattrs=["mail:mail, sn:sn, givenname:givenname"]' \
	-s 'config.users_dn=["ou=people,dc=ipa,dc=test"]' \
	-s 'config.addintgdomain=["True"]' \
	-s 'config.delintgdomain=["True"]'

The plugin sends the outgoing POST to the domains endpoint:

2023-07-24 12:14:56,968 DEBUG [org.apache.http.wire] (executor-thread-3) http-outgoing-1 >> "{"integration_domain_url":"https://server.ipa.test","name":"ipa.test","description":"Bridge_to_ipa","client_id":"admin","client_secret":"Secret123","id_provider":"ipa","user_extra_attrs":"mail:mail, sn:sn, givenname:givenname","ldap_tls_cacert":"/etc/ipa/ca.crt","users_dn":"ou=people,dc=ipa,dc=test"}"

Successful response from ipa-tuura:

2023-07-24 12:15:14,261 INFO  [keycloak.scim_user_spi.Scim] (executor-thread-3) Result is {"id":2,"name":"ipa.test","description":"Bridge_to_ipa","integration_domain_url":"https://server.ipa.test","client_id":"admin","client_secret":"Secret123","id_provider":"ipa","user_extra_attrs":"mail:mail, sn:sn, givenname:givenname","user_object_classes":"","users_dn":"ou=people,dc=ipa,dc=test","ldap_tls_cacert":"/etc/ipa/ca.crt"}
2023-07-24 12:15:14,262 INFO  [keycloak.scim_user_spi.SCIMUserStorageProviderFactory] (executor-thread-3) Add intgDomains Result is true
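
A quick check for both halves of this report, written as an added example (not ipa-tuura or Keycloak code): flag SCIM users whose givenName/familyName came back null, the shape that makes Keycloak's UserModel.getFirstName() return null and fail in String.equals, and verify that the bridge's sssd.conf domain section carries the ldap_user_extra_attrs line the intg domain add operation should have written. The sssd.conf fragments, the SCIM sample and the attribute-to-field mapping are constructed assumptions.

```python
import configparser
import json

# Constructed sample with the same shape as the .search response quoted above.
SCIM_RESPONSE = json.loads('''{"Resources":[{"userName":"testuser1",
 "name":{"familyName":null,"formatted":"testuser1","givenName":null}}]}''')

# The extra-attrs mapping from the plugin config (ldap attr -> sssd attr name).
REQUIRED_EXTRA_ATTRS = {"mail": "mail", "sn": "sn", "givenname": "givenname"}


def missing_name_fields(scim_response):
    """Return {userName: [null name fields]} for users whose name.givenName
    or name.familyName is null in a SCIM ListResponse."""
    problems = {}
    for user in scim_response.get("Resources", []):
        name = user.get("name") or {}
        nulls = [f for f in ("givenName", "familyName") if name.get(f) is None]
        if nulls:
            problems[user.get("userName")] = nulls
    return problems


def parse_extra_attrs(value):
    """Parse 'mail:mail, sn:sn, givenname:givenname' into {'mail': 'mail', ...}."""
    pairs = (p.strip() for p in value.split(",") if ":" in p)
    return dict(p.split(":", 1) for p in pairs)


def check_sssd_domain(conf_text, domain):
    """Return the required extra attrs missing from [domain/<domain>]
    in the given sssd.conf text (all of them if the section is absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return set(REQUIRED_EXTRA_ATTRS)
    present = parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs", fallback=""))
    return {k for k, v in REQUIRED_EXTRA_ATTRS.items() if present.get(k) != v}


# Constructed sssd.conf fragments: the domain section exists but the extra-attrs
# line was never written (broken), and the same file with the line added (fixed).
SSSD_CONF_BROKEN = "[sssd]\ndomains = ipa.test\n\n[domain/ipa.test]\nid_provider = ipa\n"
SSSD_CONF_FIXED = SSSD_CONF_BROKEN + "ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname\n"

if __name__ == "__main__":
    print(missing_name_fields(SCIM_RESPONSE))               # {'testuser1': ['givenName', 'familyName']}
    print(check_sssd_domain(SSSD_CONF_BROKEN, "ipa.test"))  # {'mail', 'sn', 'givenname'}
    print(check_sssd_domain(SSSD_CONF_FIXED, "ipa.test"))   # set()
```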

@spoore1
Collaborator

spoore1 commented Oct 5, 2023

@justin-stephenson Is this one fixed by #61 ?

@justin-stephenson
Collaborator Author

@spoore1 Yes that should fix this.
