Error -- failed to map user (keycloak, dex with ldap, google id)

Dear all,

I installed OnDemand on Rocky with a valid domain name and certificate; however, none of the OpenID services can log in to OnDemand. All give the same error after a successful login at the OpenID provider: it cannot redirect to the Open OnDemand session, "Error -- failed to map user ...".

I tried Keycloak, Dex with LDAP and Google ID; all give the same error.

ondemand version: 3.0
user_map_match: '.*'

Example logs from Google (the same for Keycloak or Dex with LDAP):
[lua:debug] [pid 33201:tid 139804968724224] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(21): [client 41.109.65.93:4623] Mapped 'nassim09@gmail.com' => '' [4.635 ms], referer: https://accounts.google.dz/
[Mon Apr 10 21:54:50.067008 2023] [lua:debug] [pid 33201:tid 139804968724224] lua_request.c(1868): [client 41.109.65.93:4623] AH01488: request_rec->dispatching user -> string, referer: https://accounts.google.dz/
[Mon Apr 10 21:54:50.067023 2023] [lua:debug] [pid 33201:tid 139804968724224] lua_request.c(1860): [client 41.109.65.93:4623] AH01487: request_rec->dispatching write -> lua_CFunction, referer: https://accounts.google.dz/
[Mon Apr 10 21:54:50.067942 2023] [lua:debug] [pid 33201:tid 139804968724224] lua_request.c(1850): [client 41.109.65.93:4623] AH01486: request_rec->dispatching subpr

As long as you have ondemand-dex installed it’ll use some defaults. If you’re trying to use google directly (which is fine), then you have to remove that package first.

Once you remove that package, I’m sure keycloak or google directly would work.

Thank you for the response. Yes, I have removed ondemand-dex, and sometimes I create new machines without installing it at all. However, even when I can authenticate with Keycloak and the others, when it redirects to OnDemand the error shows up: "Error -- failed to map user ...".

Maybe there is a problem in the Rocky VM, permissions; really, I don't understand.

My setup:
vm_1: Rocky 8.7 with a domain name and SSL (I have tested the same on Ubuntu as well)
vm_2: Keycloak with a domain name, for example
install OnDemand 3.0 as in the instructions
create the client "ondemand", and create some users in Keycloak
user_map_match: '.*'

When I go to OnDemand, it redirects me to Keycloak; I log in successfully, but then the error comes.

Thank you in advance for all your help.

With this config, you should be able to map any user. In fact you should be getting a different error about not being able to find the nassim09@gmail.com user.

The only thing I can think of is you’re using user_map_cmd and that’s overriding user_map_match.

If you search the conf file for MATCH, what does this return? What’s being used in the apache config?

[root@3384d5b1413f ~]# grep MATCH /etc/httpd/conf.d/ood-portal.conf
  SetEnv OOD_USER_MAP_MATCH "^([^@]+)@.*$"

I have generated another VM and installed OnDemand from scratch, without Dex, configured it with OpenID and tested it with Keycloak and Google, and the same error appears!

I have this output (SELinux disabled):

[rocky@ondemand ~]$ sudo grep MATCH /etc/httpd/conf.d/ood-portal.conf
SetEnv OOD_USER_MAP_MATCH ".*"

Sometimes, when I play with user_map_match or user_map_cmd using a simple mapping script, I get these errors:
Error -- can't find user for nassim09
Run 'nginx_stage --help' to see a full list of available command line options.
LOGS:
@/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(21): Mapped 'nassim09@gmail.com' => 'nassim09' [13.879 ms]

AH01487: request_rec->dispatching info -> lua_CFunction
[Wed Apr 12 08:56:45.887083 2023] [lua:info] [pid 98960:tid 140395515041536] [client 41.110.187.86:50709] req_handler="" req_protocol="HTTP/1.1" req_origin="" res_content_length="116" res_content_language="" res_content_disp="" req_filename="/var/www/html/pun" req_accept_encoding="gzip, deflate, br" req_accept_language="fr" req_accept="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7" req_method="GET" allowed_hosts="plateforms" res_content_location="" req_hostname="plateforms" req_is_https="true" res_location="" log_id="ZDZyRtDoEpM08@EME0-jBgAAAIQ" req_cache_control="max-age=0" req_content_type="" req_server_name="plateforms" local_user="nassim09" res_content_encoding="" req_is_websocket="false" req_user_ip= " req_uri="/pun/sys/dashboard" time_user_map="13.879" time_proxy="0" log_time="2023-04-12T08:56:45.886174.0Z" res_content_type="" req_referer="" req_port="443" remote_user="nassim09@gmail.com" req_status="404" req_accept_charset="" log_hook="ood" req_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62"

Here is the ood-portal config in Apache:

OIDCProviderMetadataURL https://keycloak/auth/realms/ondemand/.well-known/openid-configuration
OIDCClientID ondemand
OIDCClientSecret …
OIDCRedirectURI https://plateforms/oidc
OIDCRemoteUserClaim preferred_username
OIDCScope "openid profile"
OIDCCryptoPassphrase …
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCStateMaxNumberOfCookies 10 true
OIDCCookieSameSite Off
OIDCPassClaimsAs environment
OIDCPassIDTokenAs serialized
OIDCPassRefreshToken On
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

LuaRoot "/opt/ood/mod_ood_proxy/lib"
LogLevel lua_module:debug

LuaHookLog logger.lua logger

SetEnv OOD_USER_MAP_MATCH "*."

SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

SetEnv OOD_ALLOWED_HOSTS "plateforms"

The weird thing: even with basic auth, I can log in, but I get the same error!

auth:

  • 'AuthType Basic'
  • 'AuthName "private"'
  • 'RequestHeader unset Authorization'
  • 'AuthUserFile /etc/httpd/.htpasswd'
  • 'Require valid-user'

The configuration that got you here is good. This is what you'd want to see. Of course you need to actually have the Linux local user nassim09. That's what this error is referring to: we're able to map you correctly to a user, only that user doesn't exist on the system. Without tying into an LDAP you'd have to create these users manually.
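As an added illustration (my example, not code from the thread or from Open OnDemand itself) of the two failure modes discussed above: the reply about user_map_cmd overriding user_map_match, and this last reply about the mapped account having to exist locally. The script below is a user_map_cmd-style mapper: OnDemand runs the configured command with the authenticated identity as its single argument and reads the local account name from stdout. Printing nothing is what surfaces as "failed to map user", and printing a name with no local account is what surfaces as "can't find user for <name>". Assumptions of mine: the local name is the part of the identity before "@" (what the default OOD_USER_MAP_MATCH "^([^@]+)@.*$" shown earlier captures; a match of ".*" would pass "nassim09@gmail.com" through unchanged), the allowlist of characters, and the blocked account names.

```shell
#!/bin/sh
# Added example, not part of Open OnDemand: a user_map_cmd-style mapper.
# Usage: user_map.sh "<REMOTE_USER>"  -> prints the local account name, or
# exits non-zero with nothing on stdout when the identity must not be mapped.

# Map an external identity to a candidate local name. Assumption (mine): the
# account name is everything before the first '@', lowercased.
map_user() {
    remote=$1
    # ${remote%%@*} drops the first '@' and everything after it (whole string if no '@').
    candidate=$(printf '%s' "${remote%%@*}" | tr 'A-Z' 'a-z')
    # Allowlist: POSIX-portable names only, starting with a letter, at most 32 chars.
    # Spaces, quotes, ';' or '/' in a name must never reach nginx_stage or a shell.
    case $candidate in
        ''|*[!a-z0-9._-]*|[!a-z]*) return 1 ;;
    esac
    [ ${#candidate} -le 32 ] || return 1
    # Never map an external identity onto privileged or service accounts (my list).
    case $candidate in
        root|nobody|apache|ood) return 1 ;;
    esac
    printf '%s\n' "$candidate"
}

# The existence check that "can't find user for <name>" refers to: NSS
# (/etc/passwd, sssd, LDAP, ...) must know the account.
local_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

main() {
    name=$(map_user "$1") || { echo "refusing to map '$1'" >&2; exit 1; }
    local_user_exists "$name" || { echo "no local account for '$name'" >&2; exit 1; }
    printf '%s\n' "$name"
}

# Only run when given an argument, so the functions can also be sourced and tested.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Wired in through the user_map_cmd setting the earlier reply mentions (the install path is an assumption), this gives a log line like the one in the thread, Mapped 'nassim09@gmail.com' => 'nassim09', and then either a dashboard or the "can't find user" error, so the two errors can be told apart: the first is a mapping problem, the second is a missing local account.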
