Multiple ldap-connections no longer supported in v21

I installed keycloak v21.0.1.
More than one ldaps connection is not supported anymore.
Is this a bug or is it policy?


I don’t know if it’s associated with Keycloak 21 or Java 17 but I upgraded both this morning (from Keycloak 20 and Java 11) and found that my LDAP configuration using space-separated URLs stopped working. Logs show:

java.lang.IllegalArgumentException: URI 'ldaps://foo:636 ldaps://bar:636 ldaps://baz:636' is not valid.

The only relevant reference I can find is here, talking about stricter parsing of URL strings, but setting -Dcom.sun.jndi.ldapURLParsing="legacy" didn’t seem to help.

For now I’m running through a load-balancer, but if anyone has any feedback on how to support redundant LDAP servers natively it would be appreciated.

Thanks.

Hi Craig,

I faced the same issue and created a ticket, but it was removed, as there is already a ticket for this issue:

https://github.com/keycloak/keycloak/issues/17359

I’m also facing another bug:

LDAP Groups can not be edited
https://github.com/keycloak/keycloak/issues/17464

If I face issues, I suppose many more bugs will be experienced by others. So I don’t understand why this very buggy version has already been released.

It looks like the users are being used as a free test team :frowning:.

It is really a problem, because we have to upgrade Keycloak due to a vulnerability, but because of these bugs it cannot be done.

Yes, that’s usually not a good strategy and I also don’t like it, but also remember that you don’t pay for using Keycloak! There are always two sides to the sword.

I solved this. The causes of the problem were:

  1. Some users in the concerned groups had identical email addresses. This problem is tackled by:
     Realm-settings/login/Allow Duplicate emails and Disable Login with email
  2. Change an attribute in the LDAP settings:
     Change user-federation/ldap/RDN LDAP attribute to “cn”

I often start a discussion when I read the “it is free” argument. When you do something for free, you are not cleared of any obligations or of a professional attitude.

When your kid receives candy for free, you also require it to be clean and not from the floor. When your kid is taken across the road by a traffic volunteer, do you want this volunteer to have the attitude “I do it for free, so it does not matter if the kids get run over by cars”?

Instead of using ldaps://
use comma-separated values like:

ldap://your1.ldap.com, ldap://your2.ldap.com
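As an added example (not from the original thread and not Keycloak’s own code), the following Python helper checks a Connection URL value the way the posts above describe it: a single space-separated string is reported as one invalid entry, which is what the “URI ... is not valid” exception in the thread amounts to, while a comma-separated list is split into separate servers. It also flags plain ldap:// entries, since the last reply switches from ldaps:// to ldap:// and a practitioner would want to notice that the connection is no longer TLS-protected. The function names, the default-port table and the sample values are assumptions made for this example.

```python
"""Validate a multi-server LDAP "Connection URL" value.

Added example, not part of the thread and not Keycloak code. It assumes only
what the posts show: Keycloak 21 treats a space-separated string as one
invalid URI and accepts a comma-separated list. Names below are made up.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed default ports for the two LDAP URL schemes (standard values).
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def split_connection_urls(value: str) -> list[str]:
    """Split the setting on commas; whitespace around each entry is tolerated."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def validate_ldap_url(url: str) -> dict:
    """Describe one server entry: parsed parts, hard errors and security warnings."""
    errors: list[str] = []
    warnings: list[str] = []

    # A space inside an entry means the list was joined with spaces, not commas;
    # the whole string would be handed to the URI parser as a single URI.
    if re.search(r"\s", url):
        errors.append("whitespace inside URL (separate servers with commas)")
        return {"url": url, "scheme": None, "host": None, "port": None,
                "tls": False, "errors": errors, "warnings": warnings}

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_DEFAULT_PORTS:
        errors.append(f"unsupported scheme '{parts.scheme}'")

    host = parts.hostname
    if not host:
        errors.append("missing host")

    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        port = None
        errors.append("port is not a number")
    if port is None and scheme in LDAP_DEFAULT_PORTS:
        port = LDAP_DEFAULT_PORTS[scheme]

    tls = scheme == "ldaps"
    if scheme == "ldap":
        warnings.append("cleartext ldap:// (bind credentials and directory data "
                        "travel unencrypted unless StartTLS is enabled)")

    return {"url": url, "scheme": scheme, "host": host, "port": port,
            "tls": tls, "errors": errors, "warnings": warnings}


def check_connection_setting(value: str) -> tuple[bool, list[dict]]:
    """Return (accepted, records). accepted is False if any entry has a hard error."""
    records = [validate_ldap_url(u) for u in split_connection_urls(value)]
    accepted = all(not r["errors"] for r in records)
    return accepted, records


if __name__ == "__main__":
    # Constructed sample values mirroring the thread.
    for sample in ("ldaps://foo:636 ldaps://bar:636 ldaps://baz:636",
                   "ldaps://foo:636, ldaps://bar:636",
                   "ldap://your1.ldap.com, ldap://your2.ldap.com"):
        accepted, records = check_connection_setting(sample)
        print(f"{sample!r}: accepted={accepted}")
        for r in records:
            print("   ", r["url"], "->", r["host"], r["port"],
                  "tls" if r["tls"] else "no-tls", r["errors"], r["warnings"])
```

The split-on-comma step is the fix the last reply recommends; the TLS warning is the part that reply leaves out, so the check reports both separately and only rejects the value on hard errors.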