Open
Description
In one test environment, if I create a user in LDAP and then try to get it in Keycloak, I see a failure the first time I run the get:
Command:
/opt/keycloak/bin/kcadm.sh get users -q username=domainuser181536@ldap.test
CWD:
Env:
Output:
Error output:
HTTP error - 500 Internal Server Error
When I run a follow-up get call, it works and returns the user:
[ {
"id" : "80026f36-377b-42d3-8e49-78f218afd0e6",
"createdTimestamp" : 1721335207332,
"username" : "domainuser181536@ldap.test",
"enabled" : false,
"totp" : false,
"emailVerified" : false,
"disableableCredentialTypes" : [ ],
"requiredActions" : [ ],
"notBefore" : 0,
"access" : {
"manageGroupMembership" : true,
"view" : true,
"mapRoles" : true,
"impersonate" : true,
"manage" : true
}
} ]
These are the parameters from the SCIMv2 storage plugin:
[ {
"id" : "20bbf6d7-d323-4497-afc1-b7f0c2202aa2",
"name" : "scim",
"providerId" : "scim",
"providerType" : "org.keycloak.storage.UserStorageProvider",
"parentId" : "0569a5b3-8c85-441c-9a81-85001d4c40c0",
"config" : {
"domainclientid" : [ "cn=Directory Manager" ],
"loginpassword" : [ "Password" ],
"domainname" : [ "ldap.test" ],
"users_dn" : [ "ou=users,dc=ldap,dc=test" ],
"scimurl" : [ "bridge.ipa.test:443" ],
"domainurl" : [ "ldap://rhds.ldap.test" ],
"enabled" : [ "True" ],
"idprovider" : [ "ldap" ],
"keycloak_hostname" : [ "keycloak.ipa.test" ],
"domaindesc" : [ "Bridge_to_ldap" ],
"cacert" : [ "/etc/openldap/certs/cacert.pem" ],
"addintgdomain" : [ "True" ],
"domainclientsecret" : [ "Password" ],
"extraattrs" : [ "mail:mail, sn:sn, givenname:givenname" ],
"loginusername" : [ "scim" ]
}
} ]
In IPA-Tuura, I see this:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 50,
"startIndex": 1,
"Resources": [
{
"id": "100009",
"externalId": null,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "domainuser181536@ldap.test",
"name": {
"givenName": null,
"familyName": null,
"formatted": "domainuser181536@ldap.test"
},
"displayName": "domainuser181536@ldap.test",
"emails": [],
"active": true,
"groups": [],
"meta": {
"resourceType": "User",
"location": "https://localhost/scim/v2/Users/100009"
}
}
]
}
And this is from the Keycloak journal:
Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,331 DEBUG [org.apache.http.wire] (executor-thread-0) http-outgoing-2 << "{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 1, "itemsPerPage": 50, "startIndex": 1, "Resources":
[
{
"id": "100009",
"externalId": null,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "domainuser181536@ldap.test",
"name": {
"givenName": null,
"familyName": null,
"formatted": "domainuser181536@ldap.test"
},
"displayName": "domainuser181536@ldap.test",
"emails": [],
"active": true,
"groups": [],
"meta": {
"resourceType": "User",
"location": "https://localhost/scim/v2/Users/100009"
}
}
]
Jul 18 20:40:07 keycloak.ipa.test kc.sh[619506]: 2024-07-18 20:40:07,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-0) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Index 0 out of bounds for length 0
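The SCIM response in this report carries empty `emails` and `groups` arrays and null `givenName`/`familyName` values; the page does not establish which of these the mapper reads when it fails. As an added example (not the plugin's code; the function names and the flat record shape are hypothetical), this lists every null or empty-array path in that user resource and maps it without reading element 0 of an empty list:

```python
import json

# The user resource from the IPA-Tuura response quoted in the report above.
RESOURCE = json.loads("""
{"id": "100009", "externalId": null,
 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
 "userName": "domainuser181536@ldap.test",
 "name": {"givenName": null, "familyName": null,
          "formatted": "domainuser181536@ldap.test"},
 "displayName": "domainuser181536@ldap.test",
 "emails": [], "active": true, "groups": [],
 "meta": {"resourceType": "User",
          "location": "https://localhost/scim/v2/Users/100009"}}
""")

def null_or_empty_paths(node, prefix=""):
    """Return the path of every null value and every empty array under node."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += null_or_empty_paths(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        if not node:
            found.append(prefix)
        for i, value in enumerate(node):
            found += null_or_empty_paths(value, f"{prefix}[{i}]")
    elif node is None:
        found.append(prefix)
    return found

def first_value(resource, attr):
    """'value' of the first entry of a multi-valued attribute, or None if absent/empty."""
    entries = resource.get(attr) or []
    if entries and isinstance(entries[0], dict):
        return entries[0].get("value")
    return None

def to_local_user(resource):
    """Map a SCIM user to a flat record (hypothetical shape) without indexing blindly."""
    name = resource.get("name") or {}
    return {
        "username": resource["userName"],
        "email": first_value(resource, "emails"),
        "firstName": name.get("givenName"),
        "lastName": name.get("familyName"),
        "enabled": bool(resource.get("active", False)),
    }

if __name__ == "__main__":
    print(null_or_empty_paths(RESOURCE))
    print(to_local_user(RESOURCE))
```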