Keycloak on ondemand having issue

One question:

to set up OOD + Keycloak, do I also need to set up CILogon too?

With OnDemand if you login to Keycloak with username “foo” that username must exist on the Linux host running OnDemand. If you connected Keycloak to LDAP then the host running OnDemand must also be aware of the LDAP user using something like SSSD. You should be able to run getent passwd foo on the OnDemand host and lookup the foo user.

The error from nginx_stage about not finding testkeycloak means that if you did getent passwd testkeycloak on the OnDemand host, that should return a user.

Keycloak does not need to run as root. It can run as an unprivileged user. The OnDemand stack will execute a specific command using sudo to become the user who logs into OnDemand. OnDemand itself runs as whomever is logged into OnDemand, so if I, tdockendorf, logged into OSC OnDemand, the processes on the OnDemand host for my session would be running as tdockendorf. That is what nginx_stage handles among other things.
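A pre-flight check that does what the reply above describes, added here as an example (it is not part of OnDemand and not tdockendorf's code): confirm that the username Keycloak asserts to OnDemand resolves through NSS on the OnDemand host, and that it is a real login account rather than a system one, since nginx_stage will sudo to exactly that name. The MIN_UID threshold of 1000 is an assumption; adjust it to your distribution's first regular UID.

```shell
#!/usr/bin/env bash
# Added example, not OnDemand project code. Checks that the username an IdP
# (Keycloak) will assert resolves on this host the way nginx_stage needs it to.
# MIN_UID is an assumption: 1000 is the first regular user on most distros.

MIN_UID="${MIN_UID:-1000}"

# ood_user_ok USERNAME
# Returns 0 if USERNAME resolves via NSS (local files, SSSD, nslcd, ...) and
# has a uid >= MIN_UID; returns 1 otherwise and prints the reason to stderr.
# This is the same lookup "getent passwd foo" does by hand.
ood_user_ok() {
    local user="$1" entry uid
    # Reject names that would not survive the sudo/nginx_stage path anyway:
    # empty, containing whitespace, or starting with '-' (looks like an option).
    case "$user" in
        ''|*[[:space:]]*|-*)
            echo "refusing suspicious username: '$user'" >&2
            return 1 ;;
    esac
    if ! entry="$(getent passwd "$user")"; then
        echo "no passwd entry for '$user' on this host (check SSSD/nslcd)" >&2
        return 1
    fi
    uid="$(printf '%s\n' "$entry" | cut -d: -f3)"
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "'$user' is a system account (uid $uid < $MIN_UID); refusing" >&2
        return 1
    fi
    return 0
}

# Usage: ood_user_ok testkeycloak && echo "ok: OnDemand can become this user"
```

Run it on the OnDemand host, not on the Keycloak host, because what matters is the NSS configuration of the machine that will execute the per-user PUN. A user_not_found in Keycloak's own log (as in the post below) is a different failure: that one is Keycloak failing to find the account in LDAP, before OnDemand is ever involved.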

Thanks, @tdockendorf for your patient explanation! I am now understanding it more.

I have now added local user on the server, and from the OOD webportal I can login to OOD using this testkeycloak account.

Now the only issue is that I cannot log in using my LDAP account. On this server, I can getent passwd myusername; we use nslcd to connect the server to an external LDAP server.

I may have missed something in the “User Federation” LDAP setting. Is there any way I can test on the Keycloak?

The system log about the login event is:

Oct 27 22:16:26 xxx kc.sh[3838433]: 2023-10-27 22:16:26,578 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-9) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {fullSyncPeriod=[-1], pagination=[false], startTls=[false], connectionPooling=[false], usersDn=[xxx], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], changedSyncPeriod=[-1], usernameLDAPAttribute=[cn], bindDn=[xxx], vendor=[other], uuidLDAPAttribute=[uidNumber], allowKerberosAuthentication=[false], connectionUrl=[ldaps://xxx:636], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], customUserSearchFilter=[xxx], useTruststoreSpi=[always], usePasswordModifyExtendedOp=[false], trustEmail=[false], userObjectClasses=[inetOrgPerson, organizationalPerson, xxx], rdnLDAPAttribute=[cn], editMode=[READ_ONLY], validatePasswordPolicy=[false]}, binaryAttributes:
Oct 27 22:16:26 xxn kc.sh[3838433]: 2023-10-27 22:16:26,602 INFO [org.keycloak.truststore.SSLSocketFactory] (executor-thread-9) No truststore provider found - using default SSLSocketFactory
Oct 27 22:16:26 xxx kc.sh[3838433]: 2023-10-27 22:16:26,717 WARN [org.keycloak.events] (executor-thread-9) type=LOGIN_ERROR, realmId=fff93fdc-e378-4dae-ab3f-fbc985020056, clientId=ondemand, userId=null, ipAddress=xxx, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://xxx/oidc, code_id=be92f815-af73-4866-86ea-1f7b73c55fb9, username=xxx

Hi @tdockendorf,

Here is the setting of the LDAP on Keycloak for our server, looks different from yours, maybe because we are using Keycloak 22?

"org.keycloak.storage.UserStorageProvider" : [ {
  "id" : "811729e0-887e-4589-82ba-144ae72c35eb",
  "name" : "ldap",
  "providerId" : "ldap",
  "subComponents" : {
    "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" : [ {
      "id" : "f615204e-ca17-4e04-94a3-c84ace3e626c",
      "name" : "username",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "cn" ],
        "is.mandatory.in.ldap" : [ "true" ],
        "read.only" : [ "true" ],
        "always.read.value.from.ldap" : [ "false" ],
        "user.model.attribute" : [ "username" ]
      }
    }, {
      "id" : "8c80fdb2-bb16-43ff-91c4-c1d9e5c131bc",
      "name" : "last name",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "sn" ],
        "is.mandatory.in.ldap" : [ "true" ],
        "always.read.value.from.ldap" : [ "true" ],
        "read.only" : [ "true" ],
        "user.model.attribute" : [ "lastName" ]
      }
    }, {
      "id" : "cd971510-c509-4e91-95f6-9d1971b8ec58",
      "name" : "email",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "mail" ],
        "is.mandatory.in.ldap" : [ "false" ],
        "read.only" : [ "true" ],
        "always.read.value.from.ldap" : [ "false" ],
        "user.model.attribute" : [ "email" ]
      }
    }, {
      "id" : "a2315378-5159-4cd8-9c60-643778cf3175",
      "name" : "creation date",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "whenCreated" ],
        "is.mandatory.in.ldap" : [ "false" ],
        "attribute.force.default" : [ "true" ],
        "is.binary.attribute" : [ "false" ],
        "read.only" : [ "true" ],
        "always.read.value.from.ldap" : [ "true" ],
        "user.model.attribute" : [ "createTimestamp" ]
      }
    }, {
      "id" : "c63091eb-2313-4973-a394-0a095d402f36",
      "name" : "first name",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "givenName" ],
        "is.mandatory.in.ldap" : [ "true" ],
        "read.only" : [ "true" ],
        "always.read.value.from.ldap" : [ "true" ],
        "user.model.attribute" : [ "firstName" ]
      }
    }, {
      "id" : "cb601f3e-8db7-4e19-95a2-c79dabf312ca",
      "name" : "modify date",
      "providerId" : "user-attribute-ldap-mapper",
      "subComponents" : { },
      "config" : {
        "ldap.attribute" : [ "whenChanged" ],
        "attribute.force.default" : [ "true" ],
        "is.mandatory.in.ldap" : [ "false" ],
        "is.binary.attribute" : [ "false" ],
        "always.read.value.from.ldap" : [ "true" ],
        "read.only" : [ "true" ],
        "user.model.attribute" : [ "modifyTimestamp" ]
      }
    } ]
  },

and

  "config" : {
    "fullSyncPeriod" : [ "-1" ],
    "pagination" : [ "false" ],
    "startTls" : [ "false" ],
    "usersDn" : [ "dc=xx,dc=xx,dc=xx" ],
    "connectionPooling" : [ "false" ],
    "cachePolicy" : [ "DEFAULT" ],
    "useKerberosForPasswordAuthentication" : [ "false" ],
    "importEnabled" : [ "false" ],
    "enabled" : [ "true" ],
    "bindDn" : [ "CN=xx" ],
    "usernameLDAPAttribute" : [ "cn" ],
    "bindCredential" : [ "xxx" ],
    "changedSyncPeriod" : [ "-1" ],
    "vendor" : [ "other" ],
    "uuidLDAPAttribute" : [ "uidNumber" ],
    "allowKerberosAuthentication" : [ "false" ],
    "connectionUrl" : [ "ldaps://xx:636" ],
    "syncRegistrations" : [ "false" ],
    "authType" : [ "simple" ],
    "krbPrincipalAttribute" : [ "krb5PrincipalName" ],
    "searchScope" : [ "2" ],
    "useTruststoreSpi" : [ "always" ],
    "usePasswordModifyExtendedOp" : [ "false" ],
    "trustEmail" : [ "false" ],
    "userObjectClasses" : [ "inetOrgPerson, organizationalPerson, stonybrookEduPerson" ],
    "rdnLDAPAttribute" : [ "cn" ],
    "editMode" : [ "READ_ONLY" ],
    "validatePasswordPolicy" : [ "false" ]
  }
} ],

One thing I am thinking:

Since we are running Keycloak on the same host as OOD, and we are using the SSL key for both the OOD virtual host on port 443 and KC on port 8443. The SSL key was obtained using the FQDN of the server; could this be caused by a mismatch of the SSL key when KC:8443 tries to contact the LDAP server?

Thanks!
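A way to test the User Federation settings outside Keycloak, added here as an example (not Keycloak's or OnDemand's code): rebuild the search Keycloak's LDAP provider performs at login from the fields in the exported config above (usernameLDAPAttribute, userObjectClasses, customUserSearchFilter, usersDn, searchScope) and run it with ldapsearch. If ldapsearch cannot connect, the problem is TLS or the bind; if it connects but returns no entry, the filter is what is wrong, which is what user_not_found means. The host, bind DN and users DN are taken as the redacted placeholders from the config; the `$USER` in the usage comment is an assumption.

```shell
#!/usr/bin/env sh
# Added example; not Keycloak's or OnDemand's own code. Reconstructs, outside
# Keycloak, the LDAP search its User Federation provider runs when a user logs
# in, from the same fields shown in the exported config: usernameLDAPAttribute,
# userObjectClasses, customUserSearchFilter, usersDn and searchScope.

# Escape a value for use inside an LDAP filter (RFC 4515, section 3).
# Keycloak escapes the typed username before searching; without this, a login
# name such as "*" or "x)(cn=admin" would change the meaning of the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# kc_user_filter USERNAME_ATTR USERNAME "CLASS1, CLASS2, ..." [CUSTOM_FILTER]
# Emits the filter Keycloak effectively uses: the username match ANDed with one
# objectClass term per configured class, plus the custom filter if one is set.
# Any configured class the directory entry does not carry makes the AND match
# nothing, which Keycloak reports as user_not_found.
kc_user_filter() {
    local attr="$1" user="$2" classes="$3" custom="${4:-}" f oc old_ifs
    f="(&($attr=$(ldap_filter_escape "$user"))"
    # userObjectClasses is a comma-separated list in the Keycloak config.
    old_ifs="$IFS"; IFS=','
    set -- $classes
    IFS="$old_ifs"
    for oc in "$@"; do
        oc=$(printf '%s' "$oc" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$oc" ] && f="$f(objectClass=$oc)"
    done
    [ -n "$custom" ] && f="$f$custom"
    printf '%s\n' "$f)"
}

# kc_ldapsearch LDAP_URL BIND_DN USERS_DN SEARCH_SCOPE FILTER
# Runs the search with the OpenLDAP client, binding as the same service account
# Keycloak uses (-W prompts for bindCredential). SEARCH_SCOPE is Keycloak's
# searchScope value: 1 = one level, 2 = subtree. For ldaps:// the server
# certificate is checked against TLS_CACERT in the client's ldap.conf; the
# certificate Keycloak itself serves on :8443 plays no part in this connection.
kc_ldapsearch() {
    local scope=base
    case "$4" in 1) scope=one ;; 2) scope=sub ;; esac
    ldapsearch -LLL -H "$1" -x -D "$2" -W -b "$3" -s "$scope" "$5" dn
}

# Usage with the values from the config above (xx placeholders as posted;
# $USER assumed to be the account that fails to log in):
#   f=$(kc_user_filter cn "$USER" 'inetOrgPerson, organizationalPerson, stonybrookEduPerson')
#   kc_ldapsearch ldaps://xx:636 'CN=xx' 'dc=xx,dc=xx,dc=xx' 2 "$f"
```

If the search returns the user's dn, compare that entry's objectClass values against userObjectClasses one by one; dropping a class from the filter until the entry appears identifies the wrong one. Note also that uuidLDAPAttribute is set to uidNumber in this config: Keycloak expects that attribute to be unique per entry, so it must never be reused between accounts.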

OK I found the issue I had. It is the user object class which was set wrong. Now I can login using LDAP user account.

When I tried to compile the keycloak-duo-spi, it looks like there is a big issue:

To install maven, it will install java-jdk-1.8, while I already have java 17, which is needed by Keycloak 22. I forced the install of maven and then removed java 1.8. Using java 17 to compile the keycloak-duo-spi, it then failed as:

Can anyone help?

Thanks!

[INFO] Error stacktraces are turned on.
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< com.duosecurity:DuoWeb >-----------------------
[INFO] Building DuoWeb 1.3
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] maven-clean-plugin:2.5:clean (default-clean) @ DuoWeb
[INFO] Deleting xxx/keycloak-duo-spi/build/duo_java/DuoWeb/target
[INFO]
[INFO] maven-resources-plugin:2.6:resources (default-resources) @ DuoWeb
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory xxx/keycloak-duo-spi/build/duo_java/DuoWeb/src/main/resources
[INFO]
[INFO] maven-compiler-plugin:3.1:compile (default-compile) @ DuoWeb
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 4 source files to /xxx/keycloak-duo-spi/build/duo_java/DuoWeb/target/classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] Source option 5 is no longer supported. Use 7 or later.
[ERROR] Target option 5 is no longer supported. Use 7 or later.
[INFO] 2 errors
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.698 s
[INFO] Finished at: 2023-10-28T20:49:00-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project DuoWeb: Compilation failure: Compilation failure:
[ERROR] Source option 5 is no longer supported. Use 7 or later.
[ERROR] Target option 5 is no longer supported. Use 7 or later.
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project DuoWeb: Compilation failure
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: org.apache.maven.plugin.compiler.CompilationFailureException: Compilation failure
    at org.apache.maven.plugin.compiler.AbstractCompilerMojo.execute (AbstractCompilerMojo.java:858)
    at org.apache.maven.plugin.compiler.CompilerMojo.execute (CompilerMojo.java:129)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] MojoFailureException - Apache Maven - Apache Software Foundation

Using the docker method to compile the keycloak-duo-spi, on a CentOS 7 computer, also failed:

[INFO]
[INFO] --- maven-clean-plugin:2.4.1:clean (default-clean) @ keycloak-duo-spi ---
[INFO]
[INFO] --- maven-resources-plugin:2.5:resources (default-resources) @ keycloak-duo-spi ---
[debug] execute contextualize
[WARNING] Using platform encoding (ANSI_X3.4-1968 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] Copying 2 resources
[INFO]
[INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ keycloak-duo-spi ---
[WARNING] File encoding has not been set, using platform encoding ANSI_X3.4-1968, i.e. build is platform dependent!
[INFO] Compiling 2 source files to /keycloak-duo-spi/target/classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /keycloak-duo-spi/src/main/java/com/mulesoft/keycloak/auth/spi/duo/DuoMfaAuthenticator.java:[25,26] error: cannot access AuthenticatorConfigModel
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.902s
[INFO] Finished at: Sun Oct 29 01:14:51 UTC 2023
[INFO] Final Memory: 38M/323M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project keycloak-duo-spi: Compilation failure
[ERROR] /keycloak-duo-spi/src/main/java/com/mulesoft/keycloak/auth/spi/duo/DuoMfaAuthenticator.java:[25,26] error: cannot access AuthenticatorConfigModel
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] MojoFailureException - Apache Maven - Apache Software Foundation

Any help? Thanks!

Here is the error message I got when compiling:

<testcase classname="com.duosecurity.duoweb.DuoTest" name="testVerifyResponse_whenExpiredResponseAndTimeSetViaParameters" time="0"/>
  <testcase classname="com.duosecurity.duoweb.DuoTest" name="testVerifyResponse_whenValid" time="0.003">
    <failure type="java.lang.AssertionError">java.lang.AssertionError
        at org.junit.Assert.fail(Assert.java:86)
        at org.junit.Assert.fail(Assert.java:95)
        at com.duosecurity.duoweb.DuoTest.testVerifyResponse_whenValid(DuoTest.java:179)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
        at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
        at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
        at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
        at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
        at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
        at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
        at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
</failure>
  </testcase>
  <testcase classname="com.duosecurity.duoweb.DuoTest" name="testVerifyResponse_whenInvalidUsername" time="0"/>

That Duo plugin I don’t think works with modern Keycloak. We have switched to this one: GitHub - instipod/DuoUniversalKeycloakAuthenticator: Keycloak Authenticator for Duo's new Universal Prompt.
