[keycloak-dev] Support for LDAP referrals

Mitya mitya at cargosoft.ru
Sat Jun 4 11:21:12 EDT 2016


Marek,
Sorry for delay. Here we go: https://issues.jboss.org/browse/KEYCLOAK-3083
> LDAP referrals were not yet tested and supported, could you please
> create JIRA for this? 
> 
> Thanks,
> Marek
> 
> On 18/05/16 05:37, Mitya wrote:
> 
> > Hi,
> > 
> > 
> > In replicated LDAP setups, it's a common situation where the slave
> > is read-only, and if a write operation is attempted, it returns a
> > so-called referral (see more here). Simply put, a referral is an
> > instruction to proceed with the same LDAP operation but using a
> > different URL, contained within the response. In a replicated setup,
> > this URL would point to the master instance, which is read-write.
> > 
> > 
> > Currently, KeyCloak cannot use such a slave replica as a federation
> > provider in WRITABLE edit mode. LDAP entries are imported
> > successfully; but further attempts to modify them in the KeyCloak admin
> > console give a success message, while the actual values are not
> > modified. If Sync Registrations is on, an attempt to create a user
> > results in the following exception:
> > 
> > 
> > javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
> > 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
> > 	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
> > 	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
> > 	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
> > 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
> > 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
> > 	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> > 	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> > 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
> > 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
> > 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
> > 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
> > 
> > 
> > LDAP referrals are fully supported by the JNDI and LDAP stack; the only
> > thing we need is to set the Context.REFERRAL ("java.naming.referral")
> > environment property to "follow" before creating an
> > InitialLdapContext. I've noticed that in
> > org.keycloak.federation.ldap.LDAPConfig, there is initial
> > support for additional connection properties (currently hardcoded
> > to return null). Are there any plans to implement this?
> > 
> > 
> > Cheers,
> > Mitya
> > 
> > 
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>  
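The mechanism Mitya describes, as an added stand-alone example (not Keycloak's code and not part of this thread): a JNDI client that binds to a read-only replica, attempts the same `createSubcontext` call that fails in the trace above, and handles the referral. With `Context.REFERRAL` set to `"follow"` JNDI reconnects transparently, but it also re-binds to whatever URL the server returned using the same credentials, so the example instead uses `"throw"`, catches `javax.naming.ReferralException`, checks the referred URL against an allow-list, and only then retries the operation on the referral context. Host names, DNs and the `LDAP_BIND_PASSWORD` variable are hypothetical.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

public class ReferralAwareLdapWrite {

    // Hypothetical deployment values; only the master is allowed as a referral target.
    static final String REPLICA_URL = "ldaps://ldap-slave.example.com:636";
    static final String BIND_DN = "cn=admin,dc=example,dc=com";
    static final List<String> ALLOWED_REFERRAL_PREFIXES =
            List.of("ldaps://ldap-master.example.com:636/");

    /** Opens a context with the given java.naming.referral policy. */
    static DirContext connect(String url, String bindDn, String password, String referralPolicy)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // "ignore" (the default) surfaces a referral as PartialResultException (error code 10),
        // "follow" retries on the referred server automatically, re-using these credentials,
        // "throw" hands the referral to the caller as a ReferralException.
        env.put(Context.REFERRAL, referralPolicy);
        return new InitialLdapContext(env, null);
    }

    /** Minimal inetOrgPerson entry, the kind of add that a read-only replica refers elsewhere. */
    static BasicAttributes userAttributes(String uid) {
        BasicAttributes attrs = new BasicAttributes(true);
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("inetOrgPerson");
        attrs.put(objectClass);
        attrs.put("uid", uid);
        attrs.put("cn", uid);
        attrs.put("sn", uid);
        return attrs;
    }

    static boolean referralAllowed(Object referralInfo) {
        String url = String.valueOf(referralInfo);
        return ALLOWED_REFERRAL_PREFIXES.stream().anyMatch(url::startsWith);
    }

    /**
     * Creates the entry, following at most one referral and only to an allow-listed URL.
     * Returns the URL of the server that finally accepted the write.
     */
    static String createUserFollowingReferral(DirContext ctx, String dn, String uid)
            throws NamingException {
        try {
            ctx.createSubcontext(dn, userAttributes(uid));
            return REPLICA_URL;
        } catch (ReferralException referral) {
            Object target = referral.getReferralInfo();
            if (!referralAllowed(target)) {
                // Refusing here keeps the bind credentials from being sent to an unexpected host.
                throw new NamingException("refusing referral to untrusted URL: " + target);
            }
            // The referral context is bound to the referred server; repeat the same operation.
            DirContext master = (DirContext) referral.getReferralContext();
            try {
                master.createSubcontext(dn, userAttributes(uid));
                return String.valueOf(target);
            } finally {
                master.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        String password = System.getenv("LDAP_BIND_PASSWORD");
        DirContext replica = connect(REPLICA_URL, BIND_DN, password, "throw");
        try {
            String server = createUserFollowingReferral(
                    replica, "uid=foo,ou=People,dc=example,dc=com", "foo");
            System.out.println("entry created on " + server);
        } finally {
            replica.close();
        }
    }
}
```

Setting the policy to `"follow"` in `connect` is the one-line change the message asks for and removes the `catch` block entirely; the `"throw"` variant is shown because it makes the re-bind to the referred server explicit and lets the client pin it to the known master before any credentials leave the original connection.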