[keycloak-dev] Suggestion and fix for e-Directory federation provider
mposolda at redhat.com
Fri Dec 2 04:07:37 EST 2016
On 02/12/16 10:04, Marek Posolda wrote:
> That's the question... Actually we rejected KEYCLOAK-3099, but it's
> possible that problem described below by Tomas is a little bit different
> then the issue in the ticket. AFAIK the ticket was specific just to
> combination of e-directory LDAP with MSSQL database.
Sorry, small update. We didn't rejected the ticket, but it should be
fixed automatically with fixing some other task (work in progress by
Hynek). So the MSSQL issue KEYCLOAK-3099 should just work fine in new
version - hopefully :)
> IMO It's always good to support more different LDAP servers. But the
> problem is that:
> - Supported vendors should be likely tested, but we don't have capacity
> to test and maintain all the LDAP (and DB) vendors in the world
> - There is a chance that community PR for supporting new LDAP vendor
> breaks other vendors etc. There is just always some additional
> complexity with each server supported.
> - We don't have possibility to re-test the PR by themselves due to the
> LDAP server not available for us.
> We tries to focus especially on the most important servers, so if there
> is enough demand from the community and customers for some LDAP vendor,
> we will add it. But it seems that ATM you're the only one with the
> demand for netIQ e-directory.
> So if there is possibility to workaround and have the netIQ e-directory
> working by setup of our existing LDAP StorageProvider configuration
> options and mappers (which AFAIK it is), then it is preferred way
> instead of the PR for adding support for it OOTB.
> My 2 cents :)
> On 02/12/16 09:24, Sebastien Blanc wrote:
>> Hi !
>> Sure that would be awesome if you can create a pull request and attached it
>> to the ticket !
>> On Thu, Nov 24, 2016 at 1:38 PM, Tomas Tikovsky <tikovsky.tomas at gmail.com>
>>> Hello everyone,
>>> im using e-directory federation ldap provider and came to this bug
>>> KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099> as i was
>>> experiencing the same problem.
>>> e-Directory sends guid attribute as byte so it needs to be declared as
>>> binary the same way as its done for activeDirectory.
>>> Sending simple diff to fix this issue if you consider this as helpfull.
>>> Novell was acquired by microfocus and their product has been renamed to
>>> netIQ eDirectory so i incorporated that change as well.
>>> Another thing i noted were 2 incorrect attribute mappings in administration
>>> "username" -> "uid"
>>> correct as long as users are enabled for linux (not default) otherwise cn.
>>> So cn should work for more cases than uid.
>>> "firstname" -> "cn"
>>> wrong, should be "givenname"
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev