IAM LDAP Authentication fails with error: Null keys are not supported

Article ID: 134302

Products

CA Application Test

Issue/Introduction

Logging in with a userid defined in LDAP fails and shows the following error in the server.log from IAM: 

2019-06-04 16:05:51,467 ERROR [org.keycloak.events.EventBuilder] (default task-30) Failed to save event: java.lang.NullPointerException: Null keys are not supported!

2019-06-04 16:05:51,467 WARN [org.keycloak.events] (default task-30) type=LOGIN_ERROR, realmId=service_virtualization, clientId=virtual-service-catalog, userId=null, ipAddress=a.b.c.d, error=invalid_user_credentials, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=abc

The instructions from the documentation were followed:

https://docops.ca.com/devtest-solutions/10-5/en/administering/security/identity-and-access-manager/configure-user-federation-ldap

An existing working LDAP configuration (authentication-providers.xml) was imported into IAM.

The 'Test connection' and 'Test authentication' worked without error.

Environment

Release : 10.x

Component : CA Application Test

Resolution

1) In IAM the User Federation settings were changed.

The ou in the Users DN was changed from:

ou=XYZ Accounts,DC=au,DC=example,DC=com

to:

ou=ABC Accounts,DC=au,DC=example,DC=com

Note: AD Explorer can be used to identify the group or ou that should be used for the Users DN.

2) In IAM the User Federation group settings were changed:

LDAP Groups DN from:

OU=groups,DC=au,DC=example,DC=com

to:

DC=au,DC=example,DC=com

Note: An LDAP filter can be used to limit the number of groups that need to be synced, or a specific LDAP group can be specified to sync.

If LDAP is only used for authentication and not to assign Roles to LDAP groups, then there is no need to sync groups.
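Both changes above come down to whether an entry sits under the configured base DN. The following is an added example, not part of the original article or the product: it checks that for the article's old and new DN values, assuming a subtree search scope and case-insensitive DN matching. The user and group entries and all function names are constructed for illustration.

```python
# Added example: is a directory entry inside the subtree of a configured base DN?
# Simplified RFC 4514 handling: backslash-escaped commas are honoured;
# hex-pair escapes and multi-valued RDNs (+) are compared as written.

def normalize_rdn(rdn):
    """Trim and lower-case 'type = value' so 'OU=Foo' equals 'ou=foo'."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + " ".join(value.split()).lower()

def split_rdns(dn):
    """Split a DN into normalized RDNs on unescaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns if r.strip()]

def is_under_base(entry_dn, base_dn):
    """True when base_dn is a suffix of entry_dn (assumes subtree scope)."""
    entry, base = split_rdns(entry_dn), split_rdns(base_dn)
    return bool(base) and len(entry) >= len(base) and entry[-len(base):] == base

# Base DNs taken from the article (before and after the change).
OLD_USERS_DN = "ou=XYZ Accounts,DC=au,DC=example,DC=com"
NEW_USERS_DN = "ou=ABC Accounts,DC=au,DC=example,DC=com"
OLD_GROUPS_DN = "OU=groups,DC=au,DC=example,DC=com"
NEW_GROUPS_DN = "DC=au,DC=example,DC=com"

# Constructed sample entries, as they might be copied from AD Explorer.
USER_DN = "CN=abc,OU=ABC Accounts,DC=au,DC=example,DC=com"
GROUP_DN = "CN=DevTest\\, Admins,OU=Security,DC=au,DC=example,DC=com"

if __name__ == "__main__":
    for label, entry, base in [("Users DN (old)", USER_DN, OLD_USERS_DN),
                               ("Users DN (new)", USER_DN, NEW_USERS_DN),
                               ("Groups DN (old)", GROUP_DN, OLD_GROUPS_DN),
                               ("Groups DN (new)", GROUP_DN, NEW_GROUPS_DN)]:
        print(f"{label}: entry in scope = {is_under_base(entry, base)}")
```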

Additional Information

When setting up an additional User Federation for a different group of users, ensure that these users have at least one default role.