[keycloak-dev] Suggestion and fix for e-Directory federation provider
Marek Posolda
mposolda at redhat.com
Fri Dec 2 04:04:42 EST 2016
That's the question... Actually we rejected KEYCLOAK-3099, but it's
possible that the problem described below by Tomas is a little bit different
than the issue in the ticket. AFAIK the ticket was specific just to the
combination of e-directory LDAP with an MSSQL database.
IMO it's always good to support more different LDAP servers. But the
problem is that:
- Supported vendors should be likely tested, but we don't have capacity
to test and maintain all the LDAP (and DB) vendors in the world
- There is a chance that community PR for supporting new LDAP vendor
breaks other vendors etc. There is just always some additional
complexity with each server supported.
- We don't have the possibility to re-test the PR ourselves, because the
LDAP server is not available to us.
We try to focus especially on the most important servers, so if there
is enough demand from the community and customers for some LDAP vendor,
we will add it. But it seems that ATM you're the only one with the
demand for netIQ e-directory.
So if there is a possibility to work around it and have the netIQ e-directory
working by setting up our existing LDAP StorageProvider configuration
options and mappers (which AFAIK there is), then that is the preferred way
instead of the PR for adding support for it OOTB.
My 2 cents :)
Marek
On 02/12/16 09:24, Sebastien Blanc wrote:
> Hi !
>
> Sure, that would be awesome if you can create a pull request and attach it
> to the ticket!
>
> Sebi
>
>
>
> On Thu, Nov 24, 2016 at 1:38 PM, Tomas Tikovsky <tikovsky.tomas at gmail.com>
> wrote:
>
>> Hello everyone,
>>
>> I'm using the e-directory federation LDAP provider and came to this bug
>> KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099> as I was
>> experiencing the same problem.
>> e-Directory sends the guid attribute as byte[] so it needs to be declared as
>> binary the same way as it's done for activeDirectory.
>> Sending a simple diff to fix this issue if you consider this helpful.
>>
>> Novell was acquired by Micro Focus and their product has been renamed to
>> netIQ eDirectory, so I incorporated that change as well.
>>
>> Another thing I noted was 2 incorrect attribute mappings in the administration
>> console.
>>
>> "username" -> "uid"
>> correct as long as users are enabled for Linux (not the default), otherwise cn.
>> So cn should work for more cases than uid.
>>
>> "firstname" -> "cn"
>> wrong, should be "givenname"
>>
>> Cheers
>>
>> Tom
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
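Tom's point above is that eDirectory returns the `guid` attribute as raw octets, so it must be declared binary (as Keycloak already does for Active Directory's objectGUID) rather than read back as a string. The following is an added illustration, not Keycloak's code or Tom's diff: it shows why this matters for a federation provider that keys users by that GUID. If the octets are decoded as text, invalid byte sequences collapse to replacement characters, so two distinct directory objects can produce the same identifier; if they are kept as bytes and rendered as a UUID or hex string, the mapping stays injective and reversible. The sample GUID values are constructed, and rendering them as a big-endian UUID is an assumption for the sake of the demo.

```python
import uuid

# Constructed sample values: two 16-octet GUIDs that differ only in the first
# byte. 0x80 and 0x81 are both invalid as a UTF-8 lead byte, which is exactly
# the kind of octet a text decoder cannot represent faithfully.
GUID_A = bytes([0x80]) + b"fedcba987654321"
GUID_B = bytes([0x81]) + b"fedcba987654321"


def guid_as_text(raw: bytes) -> str:
    """What a client sees when the attribute is NOT declared binary: the raw
    octets are decoded as a string. Undecodable bytes become U+FFFD, so the
    result is lossy and distinct GUIDs can produce the same text."""
    return raw.decode("utf-8", errors="replace")


def guid_as_binary(raw: bytes) -> str:
    """What a client sees when the attribute IS declared binary: all 16 octets
    are preserved and rendered as a UUID string (byte order here is an
    assumption made for the demo, not eDirectory's documented layout)."""
    if len(raw) != 16:
        raise ValueError(f"expected a 16-octet GUID, got {len(raw)} octets")
    return str(uuid.UUID(bytes=raw))


def binary_round_trip(raw: bytes) -> bytes:
    """Recover the original octets from the rendered UUID string. This only
    works because the binary rendering discards nothing."""
    return uuid.UUID(guid_as_binary(raw)).bytes


def identity_collides(raw_a: bytes, raw_b: bytes, render) -> bool:
    """True when two different GUIDs end up with the same rendered identifier,
    i.e. when a federation store keyed on that identifier would confuse them."""
    return raw_a != raw_b and render(raw_a) == render(raw_b)


if __name__ == "__main__":
    print("as text:  ", repr(guid_as_text(GUID_A)), repr(guid_as_text(GUID_B)),
          "collision:", identity_collides(GUID_A, GUID_B, guid_as_text))
    print("as binary:", guid_as_binary(GUID_A), guid_as_binary(GUID_B),
          "collision:", identity_collides(GUID_A, GUID_B, guid_as_binary))
```

Run as a script it prints the two renderings side by side; the text rendering of both GUIDs is identical, while the binary rendering keeps them distinct and round-trips back to the original octets. That is the property a user-federation link needs from its directory identifier.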