Modify error 'Could not modify attribute for DN' in Keycloak/RHBK
Environment
- Red Hat build of Keycloak (RHBK)
- 24.x
- 22.x
Issue
- When a user tries to reset a password that doesn't meet the user policy, they get the error 'Could not modify attribute for DN'.
- We would like to give users a generic message when the password change fails.
- The error would be better if it were more generic to the user, saying something along the lines of 'Unable to update password, talk with your administrator'. Is it possible to modify it?
- Looking for a generic message to users when the password change fails, or to have Keycloak support the password policy applied to the user.
Resolution
- In server.log, the text that follows the error "Could not modify attribute for DN" is clearer, for example error=password_rejected, type=UPDATE_PASSWORD_ERROR during the password reset:
DEBUG [org.hibernate.internal.util.EntityPrinter] (executor-thread-1) org.keycloak.events.jpa.EventEntity{clientId=xi, realmId=customer, ipAddress=0.0.0.0, detailsJsonLongValue={"reason":"Could not modify attribute for DN [uid=keycloak,ou=users,dc=test,dc=cloud,dc=com,dc=au]","auth_method":"saml","custom_required_action":"UPDATE_PASSWORD","response_type":"code","redirect_uri":"https://test.keycloak.com.ou/callback?client_name=SAML2Client","remember_me":"false","code_id":"123567-f70d-7654-aa67-367890","response_mode":"query","username":"keycloak"}, id=ee8ecd8f-5647-4bda-8b74-73736tef, sessionId=null, time=73737373737, error=password_rejected, type=UPDATE_PASSWORD_ERROR, userId=f50bba51-8383-0303-i3wi-2929298, detailsJson=null}
07:34:05,453 TRACE [org.hibernate.event.internal.AbstractFlushingEventListener] (executor-thread-1) Executing flush
To show a more generic message, use a custom theme. Red Hat build of Keycloak provides theme support for web pages and emails. This allows customizing the look and feel of end-user facing pages so they can be integrated with applications.
A theme can provide one or more types to customize different aspects of Red Hat build of Keycloak.
Diagnostic Steps
- Enable 'trace' level logging on org.keycloak and check the logs.
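One way to pull these events out of server.log once logging is enabled, as an added example that is not part of the original solution. It assumes the EntityPrinter line format shown in the Resolution; the function names are hypothetical and the sample input is constructed from that log line with ids shortened.

```python
import json
import re

# Constructed sample: the server.log lines from this article, with ids shortened.
SAMPLE_LOG = (
    'DEBUG [org.hibernate.internal.util.EntityPrinter] (executor-thread-1) '
    'org.keycloak.events.jpa.EventEntity{clientId=xi, realmId=customer, '
    'ipAddress=0.0.0.0, detailsJsonLongValue={"reason":"Could not modify attribute '
    'for DN [uid=keycloak,ou=users,dc=test,dc=cloud,dc=com,dc=au]",'
    '"custom_required_action":"UPDATE_PASSWORD","username":"keycloak"}, '
    'id=ee8ecd8f, sessionId=null, error=password_rejected, '
    'type=UPDATE_PASSWORD_ERROR, detailsJson=null}\n'
    '07:34:05,453 TRACE [org.hibernate.event.internal.AbstractFlushingEventListener] '
    '(executor-thread-1) Executing flush'
)
EVENT_MARK = "org.keycloak.events.jpa.EventEntity{"
DETAILS_KEY = "detailsJsonLongValue="
FIELD_RE = re.compile(r"(\w+)=([^,{}]*)")   # plain key=value pairs
DN_RE = re.compile(r"\[([^\]]+)\]")         # DN inside the reason text

def parse_event(line):
    """Return the event fields of one EntityPrinter line, or None."""
    start = line.find(EVENT_MARK)
    if start < 0:
        return None
    body, details = line[start + len(EVENT_MARK):], {}
    pos = body.find(DETAILS_KEY)
    if pos >= 0:
        try:  # the details value is embedded JSON; decode it in place
            details, end = json.JSONDecoder().raw_decode(body, pos + len(DETAILS_KEY))
            body = body[:pos] + body[end:]  # drop it so commas inside don't split fields
        except ValueError:
            pass  # value was not JSON; keep details empty
    fields = dict(FIELD_RE.findall(body))
    fields["details"] = details if isinstance(details, dict) else {}
    return fields

def password_rejections(log_text):
    """List UPDATE_PASSWORD_ERROR / password_rejected events with the DN."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or (ev.get("type"), ev.get("error")) != ("UPDATE_PASSWORD_ERROR", "password_rejected"):
            continue
        reason = ev["details"].get("reason", "")
        dn = DN_RE.search(reason)
        hits.append({"realm": ev.get("realmId"), "user": ev["details"].get("username"),
                     "dn": dn.group(1) if dn else None, "reason": reason})
    return hits
```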
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.