KEYCLOAK-1562 better error reporting when missing UUID on ldap user r…

…ecord
keycloak · Aug 4, 2015 · 7474a31 · 7474a31
1 parent a0197bc
commit 7474a31
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 7 deletions.
diff --git a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java
@@ -147,11 +147,12 @@ public UserModel register(RealmModel realm, UserModel user) {
         if (editMode == EditMode.READ_ONLY || editMode == EditMode.UNSYNCED) throw new IllegalStateException("Registration is not supported by this ldap server");
         if (!synchronizeRegistrations()) throw new IllegalStateException("Registration is not supported by this ldap server");
 
-        LDAPObject ldapObject = LDAPUtils.addUserToLDAP(this, realm, user);
-        user.setSingleAttribute(LDAPConstants.LDAP_ID, ldapObject.getUuid());
-        user.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapObject.getDn().toString());
+        LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realm, user);
+        LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
+        user.setSingleAttribute(LDAPConstants.LDAP_ID, ldapUser.getUuid());
+        user.setSingleAttribute(LDAPConstants.LDAP_ENTRY_DN, ldapUser.getDn().toString());
 
-        return proxy(realm, user, ldapObject);
+        return proxy(realm, user, ldapUser);
     }
 
     @Override
@@ -232,6 +233,8 @@ protected LDAPObject loadAndValidateUser(RealmModel realm, UserModel local) {
         if (ldapUser == null) {
             return null;
         }
+        LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
+
         if (ldapUser.getUuid().equals(local.getFirstAttribute(LDAPConstants.LDAP_ID))) {
             return ldapUser;
         } else {
@@ -257,6 +260,7 @@ public UserModel getUserByUsername(RealmModel realm, String username) {
 
     protected UserModel importUserFromLDAP(KeycloakSession session, RealmModel realm, LDAPObject ldapUser) {
         String ldapUsername = LDAPUtils.getUsername(ldapUser, ldapIdentityStore.getConfig());
+        LDAPUtils.checkUuid(ldapUser, ldapIdentityStore.getConfig());
 
         UserModel imported = session.userStorage().addUser(realm, ldapUsername);
         imported.setEnabled(true);

diff --git a/...ration/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java b/...ration/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java
@@ -291,6 +291,8 @@ public void run(KeycloakSession session) {
                         RealmModel currentRealm = session.realms().getRealm(realmId);
 
                         String username = LDAPUtils.getUsername(ldapUser, ldapFedProvider.getLdapIdentityStore().getConfig());
+                        exists.value = true;
+                        LDAPUtils.checkUuid(ldapUser, ldapFedProvider.getLdapIdentityStore().getConfig());
                         UserModel currentUser = session.userStorage().getUserByUsername(username, currentRealm);
 
                         if (currentUser == null) {

diff --git a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java
@@ -81,4 +81,12 @@ public static String getUsername(LDAPObject ldapUser, LDAPConfig config) {
 
         return ldapUsername;
     }
+
+    public static void checkUuid(LDAPObject ldapUser, LDAPConfig config) {
+        if (ldapUser.getUuid() == null) {
+            throw new ModelException("User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. " +
+                    "If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . " +
+                    "Mapped UUID LDAP attribute: " + config.getUuidLDAPAttributeName() + ", user DN: " + ldapUser.getDn());
+        }
+    }
 }
diff --git a/.../common-themes/src/main/resources/theme/base/admin/resources/partials/federated-ldap.html b/.../common-themes/src/main/resources/theme/base/admin/resources/partials/federated-ldap.html
@@ -70,21 +70,27 @@
                 <div class="col-md-6">
                     <input class="form-control" id="usernameLDAPAttribute" type="text" ng-model="instance.config.usernameLDAPAttribute" placeholder="LDAP attribute name for username" required>
                 </div>
-                <kc-tooltip>Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it's 'uid'. For Active directory it's usually 'sAMAccountName' or 'cn'</kc-tooltip>
+                <kc-tooltip>Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn' .
+                    The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
+                </kc-tooltip>
             </div>
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="rdnLDAPAttribute"><span class="required">*</span> RDN LDAP attribute</label>
                 <div class="col-md-6">
                     <input class="form-control" id="rdnLDAPAttribute" type="text" ng-model="instance.config.rdnLDAPAttribute" placeholder="LDAP attribute name for user RDN" required>
                 </div>
-                <kc-tooltip>Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute, however for Active directory it could be 'cn' when username attribute might be 'sAMAccountName' </kc-tooltip>
+                <kc-tooltip>Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute, however it's not required.
+                    For example for Active directory it's common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName' .
+                </kc-tooltip>
             </div>
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="uuidLDAPAttribute"><span class="required">*</span> UUID LDAP attribute</label>
                 <div class="col-md-6">
                     <input class="form-control" id="uuidLDAPAttribute" type="text" ng-model="instance.config.uuidLDAPAttribute" placeholder="LDAP attribute name for UUID" required>
                 </div>
-                <kc-tooltip>Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors it's 'entryUUID' however some are different. For example for Active directory it should be 'objectGUID' </kc-tooltip>
+                <kc-tooltip>Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors it's 'entryUUID' however some are different. For example for Active directory it should be 'objectGUID' .
+                    If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' .
+                </kc-tooltip>
             </div>
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="userObjectClasses"><span class="required">*</span> User Object Classes</label>