Membership LDAP Attribute is not honored when creating and syncing group in RH-SSO
Issue
Getting the below ERROR message in RH-SSO server logs:
2019-07-09 08:43:28,380 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-8) Uncaught server error: org.keycloak.models.ModelException: Error creating subcontext [cn=blabla_bla1,ou=groups,dc=myorg,dc=example,dc=com]
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:617)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:96)
at org.keycloak.storage.ldap.LDAPUtils.createLDAPGroup(LDAPUtils.java:146)
at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.createLDAPGroup(GroupLDAPStorageMapper.java:124)
at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.processKeycloakGroupSyncToLDAP(GroupLDAPStorageMapper.java:436)
at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncDataFromKeycloakToFederationProvider(GroupLDAPStorageMapper.java:394)
at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:236)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "member" not allowed
]; remaining name 'cn=blabla_bla1,ou=groups,dc=myorg,dc=example,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3185)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:599)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:596)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:746)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:729)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:596)
... 69 more
Environment
- Red Hat Single Sign-On (RH-SSO) 7.2
- Configure a Keycloak group mapper with uniqueMember for Membership LDAP Attribute
- Sync Keycloak Groups To LDAP
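Added example, not part of this article or of the RH-SSO code base: a small Python pre-flight check that parses the LDAP error code 65 message from the log above, compares the attribute RH-SSO actually sent with the attribute configured on the group mapper, and verifies that the configured attribute is one the group object class permits. It assumes the RFC 4519 membership attributes for groupOfNames (member) and groupOfUniqueNames (uniqueMember), and the sample run assumes the LDAP groups use groupOfUniqueNames, which the article does not state.

```python
import re

# Per RFC 4519, the membership attribute each standard group object class
# requires. An entry of one class rejects the other's attribute with LDAP
# error code 65 (objectClassViolation), surfaced by JNDI as
# SchemaViolationException, exactly as in the log excerpt above.
GROUP_CLASS_MEMBER_ATTR = {
    "groupOfNames": "member",
    "groupOfUniqueNames": "uniqueMember",
}

# Matches the JNDI message shape from the RH-SSO log; the message may wrap
# onto a second line before "]; remaining name", hence re.S.
SCHEMA_ERR = re.compile(
    r'LDAP: error code 65 - attribute "(?P<attr>[^"]+)" not allowed'
    r".*?remaining name '(?P<dn>[^']+)'", re.S)

def parse_schema_violation(log_text):
    """Return (rejected_attribute, dn) from a code-65 log excerpt, or None."""
    m = SCHEMA_ERR.search(log_text)
    return (m.group("attr"), m.group("dn")) if m else None

def check_group_mapper(membership_attr, group_object_classes):
    """Compare the mapper's 'Membership LDAP Attribute' with what the given
    group object classes allow. Empty list means schema-consistent."""
    allowed = {GROUP_CLASS_MEMBER_ATTR[c] for c in group_object_classes
               if c in GROUP_CLASS_MEMBER_ATTR}
    if not allowed:
        return ["no known group object class in %r" % (group_object_classes,)]
    if membership_attr not in allowed:
        return ['membership attribute "%s" is not allowed by %s; expected one of %s'
                % (membership_attr, group_object_classes, sorted(allowed))]
    return []

def explain_log_error(log_text, membership_attr, group_object_classes):
    """Tie the logged error back to the mapper config: which attribute RH-SSO
    sent, which one was configured, and whether the sent one fits the schema."""
    parsed = parse_schema_violation(log_text)
    if parsed is None:
        return None
    sent_attr, dn = parsed
    return {"dn": dn, "sent": sent_attr, "configured": membership_attr,
            "config_honored": sent_attr == membership_attr,
            "schema_findings": check_group_mapper(sent_attr, group_object_classes)}

# Constructed sample, copied in shape from the error shown in this article.
SAMPLE_LOG = ('Caused by: javax.naming.directory.SchemaViolationException: '
              '[LDAP: error code 65 - attribute "member" not allowed\n'
              "]; remaining name 'cn=blabla_bla1,ou=groups,dc=myorg,dc=example,dc=com'")

if __name__ == "__main__":
    # Assumed object class: groupOfUniqueNames (not stated in the article).
    print(explain_log_error(SAMPLE_LOG, "uniqueMember", ["groupOfUniqueNames"]))
```

For the sample above the result reports config_honored False (the log shows "member" was sent although "uniqueMember" was configured) together with one schema finding explaining why the directory rejected the entry.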