[keycloak-dev] Suggestion and fix for e-Directory federation provider

Tomas Tikovsky tikovsky.tomas at gmail.com
Fri Dec 2 07:35:10 EST 2016 

I think that the problem mentioned in Keycloak-3099 is not caused by
utf8 as its more related

to this function interpretting UUID attribute as string in case of
anything else than activeDirectory.

eDirectory guid attribute is of byte[] type so reading byte[] as
string results in that garbish found in LDAP_ID field in DB.


/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java

public String decodeEntryUUID(final Object entryUUID) {
         String id;

-        if (this.config.isActiveDirectory() && entryUUID instanceof byte[]) {
+        if (entryUUID instanceof byte[]) {
             id = LDAPUtil.decodeObjectGUID((byte[]) entryUUID);
         } else {
            id = entryUUID.toString();
         }

Guid attribute needs to be declared as binary to be correctly returned
from server.

+
+        if (config.isEDirectory()){
+            env.put("java.naming.ldap.attributes.binary",
LDAPConstants.EDIR_GUID);
+        }
+

I posted full diff as attachment in my first post, but didnt realize
it will be discarded. I can make a pull request but i wanted to
consult it first here.

Cheers

Tom


2016-12-02 10:07 GMT+01:00 Marek Posolda <mposolda at redhat.com>:

> On 02/12/16 10:04, Marek Posolda wrote:
>
>> That's the question... Actually we rejected KEYCLOAK-3099, but it's
>> possible that problem described below by Tomas is a little bit different
>> then the issue in the ticket. AFAIK the ticket was specific just to
>> combination of e-directory LDAP with MSSQL database.
>>
> Sorry, small update. We didn't rejected the ticket, but it should be fixed
> automatically with fixing some other task (work in progress by Hynek). So
> the MSSQL issue KEYCLOAK-3099 should just work fine in new version -
> hopefully :)
>
> Marek
>
>
>> IMO It's always good to support more different LDAP servers. But the
>> problem is that:
>> - Supported vendors should be likely tested, but we don't have capacity
>> to test and maintain all the LDAP (and DB) vendors in the world
>> - There is a chance that community PR for supporting new LDAP vendor
>> breaks other vendors etc. There is just always some additional
>> complexity with each server supported.
>> - We don't have possibility to re-test the PR by themselves due to the
>> LDAP server not available for us.
>>
>> We tries to focus especially on the most important servers, so if there
>> is enough demand from the community and customers for some LDAP vendor,
>> we will add it. But it seems that ATM you're the only one with the
>> demand for netIQ e-directory.
>>
>> So if there is possibility to workaround and have the netIQ e-directory
>> working by setup of our existing LDAP StorageProvider configuration
>> options and mappers (which AFAIK it is), then it is preferred way
>> instead of the PR for adding support for it OOTB.
>>
>> My 2 cents :)
>>
>> Marek
>>
>> On 02/12/16 09:24, Sebastien Blanc wrote:
>>
>>> Hi !
>>>
>>> Sure that would be awesome if you can create a pull request and attached
>>> it
>>> to the ticket !
>>>
>>> Sebi
>>>
>>>
>>>
>>> On Thu, Nov 24, 2016 at 1:38 PM, Tomas Tikovsky <
>>> tikovsky.tomas at gmail.com>
>>> wrote:
>>>
>>> Hello everyone,
>>>>
>>>> im using e-directory federation ldap provider and came to this bug
>>>> KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099> as i was
>>>> experiencing the same problem.
>>>> e-Directory sends guid attribute as byte[] so it needs to be declared as
>>>> binary the same way as its done for activeDirectory.
>>>> Sending simple diff to fix this issue if you consider this as helpfull.
>>>>
>>>> Novell was acquired by microfocus and their product has been renamed to
>>>> netIQ eDirectory so i incorporated that change as well.
>>>>
>>>> Another thing i noted were 2 incorrect attribute mappings in
>>>> administration
>>>> console.
>>>>
>>>> "username" -> "uid"
>>>> correct as long as users are enabled for linux (not default) otherwise
>>>> cn.
>>>> So cn should work for more cases than uid.
>>>>
>>>> "firstname" -> "cn"
>>>> wrong, should be "givenname"
>>>>
>>>> Cheers
>>>>
>>>> Tom
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>

More information about the keycloak-dev mailing list