[keycloak-user] LDAP Role Mapping after the "memberOf" style

Marek Posolda mposolda at redhat.com
Thu Nov 5 03:39:21 EST 2015


Hi,


On 04/11/15 19:58, Giovanni Baruzzi wrote:
> Dear all,
>
>
> at the moment using the LDAP Identity federation we can map a role to 
> the membership to a group.
>
> We are using, instead of the groupMembership, the "memberOf" approach, 
> dedicating an attribute to list the values of the roles owned by the user.

AFAIK memberOf is just a read-only mirror of the "member" attribute, where 
"member" is writable and is available on the group (role) objects 
while memberOf is mirrored on users. At least it works this way on 
Active Directory and some other LDAP servers too. Or doesn't it work on 
your LDAP server and you are not seeing the "member" attribute on groups?

Our RoleLDAPFederationMapper implementation uses the "member" attribute 
approach because "member" is writable and it's sufficient to 
achieve all of the CRUD user role mapping operations.

At this moment, the only reason where I can see an advantage of 
"memberOf" is better performance on read-only LDAP servers, as you need 
to query just the user object to receive both its attributes and role 
mappings in a single step. Is this the reason why you want it, or do you 
have another reason?
> How would you suggest the implementation of this requirement?
> Can you imagine a way to implement it using the planned customised filter?
> Should we go for a custom federation provider?
There are 2 steps to achieve it.

1) You can use the existing "User attribute" mapper to map the "memberOf" 
attribute to some attribute in the user model. This way the "memberOf" will 
be queried from LDAP and saved into the Keycloak DB as part of the user 
record. You can check in the admin console (tab "Attributes" of the user) if the 
memberOf was successfully returned.

2) Then you may need to implement a custom LDAPFederationMapper, which 
will return a proxy user object, and you override some methods of this 
proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and 
getClientRoleMappings) to return the roles based on the "memberOf" 
attribute, which is available on the UserModel thanks to the previous step. See 
the existing RoleLDAPFederationMapper for inspiration.

So you don't need a custom federation provider, but just a custom federation 
mapper.

I wonder if we should support "memberOf" in Keycloak OOTB. I am curious 
about your reasons to use it in preference to "member".

Marek
>
> thank you for your answers,
> Giovanni
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
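The proxy user object described in step 2 above, as an added example that is not part of this thread and not Keycloak's own code. It extends Keycloak's UserModelDelegate (assumed available in the version in use, with a protected `delegate` field) and overrides the role-mapping methods so that roles are derived from the "memberOf" values that the "User attribute" mapper from step 1 stored on the user. Assumptions: the attribute is stored under the name `memberOf` and is readable as a multi-valued `List<String>` via `getAttribute`; each memberOf DN maps to a realm role whose name equals the DN's leftmost CN; the mapper-side wiring (the hook that wraps the user in this proxy) is version-specific and is left to the custom mapper. DNs are parsed with `javax.naming.ldap.LdapName` so escaped commas in RDN values are handled, and unknown role names are ignored rather than auto-created.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

/**
 * Proxy UserModel that derives role mappings from the "memberOf" values
 * stored on the user as a Keycloak attribute (step 1 of the thread).
 * Everything else is delegated to the wrapped user.
 */
public class MemberOfRoleUserModel extends UserModelDelegate {

    // Assumed: the Keycloak user attribute the "User attribute" mapper filled from LDAP memberOf.
    public static final String MEMBER_OF_ATTR = "memberOf";

    private final RealmModel realm;

    public MemberOfRoleUserModel(UserModel delegate, RealmModel realm) {
        super(delegate);
        this.realm = realm;
    }

    /** Returns the leftmost CN of a DN (e.g. "admins" for "cn=admins,ou=groups,dc=example,dc=com"), or null. */
    static String cnFromDn(String dn) {
        if (dn == null) {
            return null;
        }
        try {
            LdapName name = new LdapName(dn);
            // LdapName indexes RDNs right to left, so the leaf (leftmost) RDN is the last one.
            for (int i = name.size() - 1; i >= 0; i--) {
                Rdn rdn = name.getRdn(i);
                if ("cn".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN value: contributes no role rather than failing the login.
        }
        return null;
    }

    /** Maps each memberOf DN to the realm role named after its CN; names without a matching role are ignored. */
    private Set<RoleModel> rolesFromMemberOf() {
        Set<RoleModel> roles = new HashSet<>();
        List<String> dns = delegate.getAttribute(MEMBER_OF_ATTR); // assumed multi-valued attribute API
        if (dns == null) {
            return roles;
        }
        for (String dn : dns) {
            String cn = cnFromDn(dn);
            RoleModel role = (cn == null) ? null : realm.getRole(cn);
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    @Override
    public Set<RoleModel> getRoleMappings() {
        // Roles granted directly in Keycloak are kept; LDAP-derived roles are added on top.
        Set<RoleModel> roles = new HashSet<>(delegate.getRoleMappings());
        roles.addAll(rolesFromMemberOf());
        return Collections.unmodifiableSet(roles);
    }

    @Override
    public Set<RoleModel> getRealmRoleMappings() {
        Set<RoleModel> realmRoles = new HashSet<>();
        for (RoleModel role : getRoleMappings()) {
            if (!role.isClientRole()) {
                realmRoles.add(role);
            }
        }
        return realmRoles;
    }

    @Override
    public Set<RoleModel> getClientRoleMappings(ClientModel client) {
        Set<RoleModel> clientRoles = new HashSet<>();
        for (RoleModel role : getRoleMappings()) {
            if (role.isClientRole() && client.equals(role.getContainer())) {
                clientRoles.add(role);
            }
        }
        return clientRoles;
    }

    @Override
    public boolean hasRole(RoleModel role) {
        for (RoleModel mapped : getRoleMappings()) {
            // RoleModel.hasRole also walks composite roles, so a composite parent grants its children.
            if (mapped.equals(role) || mapped.hasRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

Two things to keep in mind with this approach. The roles are only as fresh as the stored attribute: they change when the "User attribute" mapper re-reads memberOf (login or sync), not when the directory changes, so a user removed from an LDAP group keeps the derived role until the next refresh. And because realm roles are looked up by CN only, two groups with the same CN under different OUs would collapse onto one role; if that can happen in your tree, match on the full DN (for example, store the DN in a role attribute and look roles up by that) instead of the CN.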
