local user login not possible after LDAP connection problem #29147

Closed
2 tasks done
go-ma123 opened this issue Apr 29, 2024 · 7 comments

Labels
area/ldap kind/bug Categorizes a PR related to a bug kind/regression priority/blocker Highest Priority. Has a deadline and it blocks other tasks release/24.0.4 release/25.0.0 team/core-iam
Comments

@go-ma123

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

Hi team,

We have configured Keycloak version 24.0.3 with an LDAP user federation. In addition, we have a local user with admin rights for the realm as a fallback. When there are problems with the LDAP connection, e.g., the LDAP binding credentials change on the LDAP side, it is not possible to log in to the realm, even with the local admin user.

Version

24.0.3

Regression

  • The issue is a regression

Expected behavior

Administrator account stored in the local Keycloak user database can be used in case of problems connecting to your LDAP.

Actual behavior

An administrator account stored in the local Keycloak user database cannot log in when there are problems connecting to your LDAP.

How to Reproduce?

  1. Set up a realm
  2. Create an admin account in the local Keycloak database
  3. Configure a valid LDAP connection
  4. Interrupt the LDAP connection (e.g. by changing the binding credentials or the LDAP URL)
  5. Log in with the local admin account -> login error

Anything else?

(attached screenshot: keycloak-admin-login-ldap-broken)
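
The following is an added example, not part of go-ma123's report or of the Keycloak project: a POSIX shell script that performs steps 2 and 5 of the reproduction with kcadm.sh and curl, so the local fallback admin is created before LDAP federation is enabled and its login can be re-checked after steps 3 and 4 are done in the admin console. The server URL, realm, user names and credentials are assumed placeholders taken from environment variables.

```shell
#!/bin/sh
# Added example (not from the issue or the Keycloak project).
# Assumed placeholders: server URL, realm, fallback user and the master
# admin credentials that kcadm.sh logs in with; override via environment.
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
REALM="${REALM:-myrealm}"
FALLBACK_USER="${FALLBACK_USER:-fallback-admin}"
FALLBACK_PASS="${FALLBACK_PASS:-change-me}"
KC_ADMIN_USER="${KC_ADMIN_USER:-admin}"
KC_ADMIN_PASS="${KC_ADMIN_PASS:-admin}"

token_url() {   # $1 = base URL, $2 = realm
  printf '%s/realms/%s/protocol/openid-connect/token\n' "$1" "$2"
}

# Succeeds when a token endpoint response body carries an access_token.
has_access_token() {
  printf '%s' "$1" | grep -q '"access_token"'
}

# Succeeds when a UserRepresentation has no federationLink, i.e. the user
# lives only in the local Keycloak database and is not tied to LDAP.
is_local_user() {
  ! printf '%s' "$1" | grep -q '"federationLink"'
}

# Step 2: create the fallback admin BEFORE configuring LDAP federation and
# grant it the realm-admin role of the realm-management client.
provision_fallback_admin() {
  kcadm.sh config credentials --server "$KEYCLOAK_URL" --realm master \
    --user "$KC_ADMIN_USER" --password "$KC_ADMIN_PASS"
  kcadm.sh create users -r "$REALM" -s username="$FALLBACK_USER" -s enabled=true
  kcadm.sh set-password -r "$REALM" --username "$FALLBACK_USER" --new-password "$FALLBACK_PASS"
  kcadm.sh add-roles -r "$REALM" --uusername "$FALLBACK_USER" \
    --cclientid realm-management --rolename realm-admin
}

# Step 5 as a repeatable check: confirm the account is still local, then try
# a password grant through the built-in admin-cli client.
check_fallback_login() {
  user_json=$(kcadm.sh get users -r "$REALM" -q username="$FALLBACK_USER")
  is_local_user "$user_json" || { echo "user is LDAP-linked, not a local fallback"; return 1; }
  body=$(curl -sS -d grant_type=password -d client_id=admin-cli \
    -d username="$FALLBACK_USER" -d password="$FALLBACK_PASS" \
    "$(token_url "$KEYCLOAK_URL" "$REALM")")
  has_access_token "$body" && echo "fallback login OK" && return 0
  echo "fallback login FAILED: $body"; return 1
}

case "${1:-}" in
  provision) provision_fallback_admin ;;
  check) check_fallback_login ;;
esac
```

Run `provision` once before adding the LDAP provider, then `check` after step 3 and again after step 4; a failure at the second check is the behaviour the report describes.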

@go-ma123 go-ma123 added kind/bug Categorizes a PR related to a bug status/triage labels Apr 29, 2024
@martin-kanis martin-kanis self-assigned this Apr 30, 2024
@martin-kanis
Contributor

@go-ma123 Thanks for reporting the issue. This is similar to issues #23913 and #25129, which we decided to close. I agree that the use case you describe makes sense to fix, and a local Keycloak admin should be allowed to log into the admin console in order to fix the connection to the LDAP server.
Nevertheless, this issue is not a regression and was present in older Keycloak releases.

@go-ma123
Author

@martin-kanis: thank you for the response. I don't think it is similar to the mentioned issues. The Keycloak documentation says that we should create a local account to react to LDAP connection issues: https://www.keycloak.org/docs/latest/server_admin/index.html#dealing-with-provider-failures.
But we can't log in with this local account.

@martin-kanis
Contributor

@go-ma123 I see. Did you create the local user after you configured the LDAP? Because based on the LDAP settings, the local user could be synchronized with the LDAP. And then when you are trying to authenticate, it is also trying to check the user in the LDAP.

@go-ma123
Author

@martin-kanis: we created the user before we configured LDAP. Logging in with a local account when LDAP had connection issues worked fine with 23.0.7 and earlier. That's why it is a regression in my opinion.

@martin-kanis
Contributor

Hmm OK, then it indeed seems to be a little bit different and worse issue. Thanks for the additional info.

@keycloak-github-bot keycloak-github-bot bot added kind/regression priority/blocker Highest Priority. Has a deadline and it blocks other tasks and removed status/triage action/priority-regression labels Apr 30, 2024
@keycloak-github-bot keycloak-github-bot bot added this to the 25.0.0 milestone Apr 30, 2024
@martin-kanis martin-kanis removed their assignment Apr 30, 2024
@sguilhen sguilhen self-assigned this Apr 30, 2024
@sguilhen
Contributor

This was fixed by #29134, which was merged yesterday. The fix will be backported to the Keycloak 24 branch.

@sguilhen
Contributor

sguilhen commented May 3, 2024

Backport PR that also fixes this issue: #29219
