Membership LDAP Attribute is not honored when creating and syncing group in RH-SSO

Solution Verified - Updated -

Issue

The following ERROR appears in the RH-SSO server log when running "Sync Keycloak Groups To LDAP" on the user federation provider: the group entry is created with a `member` attribute even though the mapper is configured to use `uniqueMember`, and the LDAP server rejects the ADD with result code 65 (objectClassViolation):

2019-07-09 08:43:28,380 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-8) Uncaught server error: org.keycloak.models.ModelException: Error creating subcontext [cn=blabla_bla1,ou=groups,dc=myorg,dc=example,dc=com]
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:617)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:96)
    at org.keycloak.storage.ldap.LDAPUtils.createLDAPGroup(LDAPUtils.java:146)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.createLDAPGroup(GroupLDAPStorageMapper.java:124)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.processKeycloakGroupSyncToLDAP(GroupLDAPStorageMapper.java:436)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.syncDataFromKeycloakToFederationProvider(GroupLDAPStorageMapper.java:394)
    at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:236)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "member" not allowed
]; remaining name 'cn=blabla_bla1,ou=groups,dc=myorg,dc=example,dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3185)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:599)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:596)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:746)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:729)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:596)
    ... 69 more

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7.2
  • A group LDAP mapper configured with uniqueMember as the Membership LDAP Attribute
  • Running Sync Keycloak Groups To LDAP from the user federation provider
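The check below is an added example, not code from the Red Hat article or from RH-SSO/Keycloak itself. It validates a group LDAP mapper's "Group Object Classes" and "Membership LDAP Attribute" settings against the standard LDAP group schema (groupOfNames permits `member`, groupOfUniqueNames permits `uniqueMember`, posixGroup permits `memberUid`) before a sync is attempted, and it compares the attribute a JNDI SchemaViolationException reports as rejected with the attribute that was configured, which is how the mismatch in the log above becomes visible. The dictionary key names (`groupObjectClasses`, `membershipLdapAttribute`) are assumptions that mirror the admin-console field labels; the config and log line in `__main__` are constructed to resemble the Environment and Issue sections.

```python
# Added example (not from the Red Hat article and not RH-SSO code): sanity-check
# a group LDAP mapper configuration against the standard LDAP group object
# classes, and read back which attribute an LDAP error-65 response rejected.
# Attribute/objectClass pairings follow the core schema (RFC 4519; posixGroup
# from RFC 2307). Keys of the config dict are assumed names, not Keycloak's.

import re

# Membership attribute permitted by each standard group objectClass.
# Class and attribute names are compared case-insensitively, as LDAP does.
MEMBERSHIP_ATTRS = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
    "posixgroup": "memberuid",
}


def allowed_membership_attrs(object_classes):
    """Return the set of membership attributes the listed classes permit."""
    allowed = set()
    for oc in object_classes:
        attr = MEMBERSHIP_ATTRS.get(oc.strip().lower())
        if attr:
            allowed.add(attr)
    return allowed


def check_group_mapper(mapper_config):
    """Validate 'Group Object Classes' against 'Membership LDAP Attribute'.

    Returns (ok, message). A False result means the LDAP server will reject
    the ADD of a new group entry with result code 65 (objectClassViolation).
    """
    classes = [c.strip() for c in mapper_config["groupObjectClasses"].split(",")
               if c.strip()]
    attr = mapper_config["membershipLdapAttribute"].strip().lower()
    allowed = allowed_membership_attrs(classes)
    if attr in allowed:
        return True, f"'{attr}' is permitted by objectClass(es) {classes}"
    return False, (f"'{attr}' is not permitted by {classes}; the server will "
                   f"answer error 65. Allowed here: {sorted(allowed) or 'none'}")


# Matches the JNDI rendering of an objectClassViolation as seen in the log.
SCHEMA_VIOLATION_RE = re.compile(
    r'error code 65 - attribute "(?P<attr>[^"]+)" not allowed')


def attribute_rejected(log_line):
    """Return the attribute named in a code-65 SchemaViolationException line,
    or None if the line is not such an error."""
    m = SCHEMA_VIOLATION_RE.search(log_line)
    return m.group("attr") if m else None


def diagnose(mapper_config, log_line):
    """Compare the attribute the mapper was told to use with the one the
    LDAP server actually rejected in the ADD request."""
    rejected = attribute_rejected(log_line)
    configured = mapper_config["membershipLdapAttribute"]
    if rejected is None:
        return "no schema violation in log line"
    if rejected.lower() != configured.strip().lower():
        return (f"mapper configured with '{configured}' but the ADD request "
                f"carried '{rejected}': the Membership LDAP Attribute setting "
                f"was not applied to the new group entry")
    return f"'{rejected}' rejected: the objectClass list does not permit it"


if __name__ == "__main__":
    # Constructed config resembling the Environment section of the article.
    cfg = {"groupObjectClasses": "groupOfUniqueNames",
           "membershipLdapAttribute": "uniqueMember"}
    # Constructed log line modelled on the "Caused by" line in the Issue section.
    line = ('Caused by: javax.naming.directory.SchemaViolationException: '
            '[LDAP: error code 65 - attribute "member" not allowed')
    print(check_group_mapper(cfg))
    print(diagnose(cfg, line))
```

If `check_group_mapper` returns True but the sync still fails with error 65 on an attribute other than the configured one, the problem is not the mapper's schema settings but the attribute the server-side code put into the ADD request, which is the situation the log above shows.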
