<html><head>
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type">
</head>
<body><div>Marek,</div><div><br></div><div>Sorry for delay. Here we go: <a href="https://issues.jboss.org/browse/KEYCLOAK-3083">https://issues.jboss.org/browse/KEYCLOAK-3083</a></div><div><br></div><blockquote type="cite">
<div class="moz-cite-prefix">LDAP referrals were not yet tested and
supported, could you please create JIRA for this? <br>
<br>
Thanks,<br>
Marek<br>
<br>
On 18/05/16 05:37, Mitya wrote:<br>
</div>
<blockquote cite="mid:1463542629.13752.20.camel@cargosoft.ru" type="cite">
<div>Hi,</div>
<div><br>
</div>
<div>In replicated LDAP setups, it's a common situation where the
slave is read-only, and if a write operation is attempted, it
returns a so-called referral (see more <a moz-do-not-send="true" href="http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html">here</a>).
Simply put, a referral is an instruction to proceed with the
same LDAP operation but using different URL, contained within
response. In a replicated setup, this URL would point to master
instance, which is read-write.</div>
<div><br>
</div>
<div>Currently, KeyCloak cannot use such a slave replica as a
federation provider in a WRITABLE edit mode. LDAP entries are
imported successfully; but further attempts to modify them in
KeyCloak admin console give success message, while the actual
values are not modified. If Sync Registrations is on, attempt to
create a user results in the following exception:</div>
<div><br>
</div>
<pre>javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)</pre>
<pre><span class="Apple-tab-span"> </span>at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)</pre>
<pre><span class="Apple-tab-span"> </span>at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)</pre>
<pre><span class="Apple-tab-span"> </span>at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)</pre>
<pre><span class="Apple-tab-span"> </span>at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)</pre>
<pre><span class="Apple-tab-span"> </span>at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)</pre>
<pre><span class="Apple-tab-span"> </span>at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)</pre>
<pre><span class="Apple-tab-span"> </span>at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)</pre>
<pre></pre>
<div>LDAP referrals are fully supported by JNDI and LDAP stack;
the only thing we need is to set a Context.REFERRAL
("java.naming.referral") environment property to "follow" before
creating an InitialLdapContext. I've noticed that in
org.keycloak.federation.ldap.LDAPConfig, there is an initial
support for additional connection properties (currently
hardcoded to return null). Are there any plans to implement
this?</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Mitya</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</blockquote></body></html>