[keycloak-user] How to retrieve Organizational Unit from LDAP?

Marek Posolda mposolda at redhat.com
Mon Apr 3 03:24:29 EDT 2017


Hi,

it looks like the new option "Read from base DN" is not needed, as LDAP 
vendors usually have an attribute with the DN available on the LDAP object. For 
MSAD it is the "distinguishedName" attribute, for some others like OpenLDAP 
it is "entryDN". So you can just configure the OOTB UserAttribute mapper 
with this attribute mapped?

TBH this use case seems to be quite specific to your needs, so I'm not sure 
if it's good to have this OOTB, as every feature and new option adds some 
complexity. The idea is that people can use OOTB mappers for the more common 
functionalities and create their own mapper if they need something 
advanced and domain specific. And this looks to me like the second case 
TBH. At least I never saw anyone else asking for this.

Marek

On 31/03/17 12:35, Celso Agra wrote:
> I was thinking to create a PR for class UserAttributeLDAPStorageMapper. 
> Would it be possible to do that?
> I created a fork for that --> 
> https://github.com/keycloak/keycloak/compare/3.0.x...celsoagra:master
>
> and here is the attached file with an idea (just a simple idea!! ).
>
> 2017-03-31 3:44 GMT-03:00 Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>>:
>
>     Yes, I would likely create subclass of this one and override some
>     method, so the attribute value is just your ou and not full DN.
>     Just a note that LDAP Mapper SPI is unsupported and some method
>     signatures can change in the future etc.
>
>     Marek
>
>
>     On 31/03/17 02:44, Celso Agra wrote:
>>     Maybe this class could help me to create a new Mapper:
>>
>>     https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java
>>     <https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java>
>>
>>     2017-03-30 21:31 GMT-03:00 Celso Agra <celso.agra at gmail.com
>>     <mailto:celso.agra at gmail.com>>:
>>
>>         Thanks Marek! For now, I'm using the (a) option!
>>
>>         But I think would be possible to implement an LDAP Mapper in
>>         the future. just to get the "ou" info.
>>         I'll take a look in the code and try to add a new Mapper Type.
>>
>>         Thanks again! This is a really great tool!
>>
>>         2017-03-30 16:33 GMT-03:00 Marek Posolda <mposolda at redhat.com
>>         <mailto:mposolda at redhat.com>>:
>>
>>             There is no built-in support for this. However you can
>>             achieve it by doing any of:
>>
>>             a) Map the LDAP_ENTRY_DN as attribute in your token and
>>             then have some logic in your application (or whenever it
>>             is needed) that will just parse name of the OU from the
>>             full DN.
>>             b) Create the custom LDAP mapper, which will do the
>>             above. Then it will be available in user attributes
>>             c) Create protocol mapper, which will do the above. User
>>             attribute will still contain just LDAP_ENTRY_DN, but you
>>             will have claim in the token with the value of your OU.
>>
>>             I would personally go with (a) and handle it in your app
>>             if possible. That's the easiest path IMO.
>>
>>             Marek
>>
>>
>>             On 30/03/17 20:20, Celso Agra wrote:
>>
>>                 Hi all,
>>
>>                 I'd like to retrieve the organizational unit (ou)
>>                 from LDAP Mapper and set
>>                 this in the User Attributes.
>>
>>                 When I get a user from LDAP, it set an attribute
>>                 called LDAP_ENTRY_DN, with
>>                 value : "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
>>
>>                 So, I'd like to retrieve just the ou info "group",
>>                 and set this to the user
>>                 attribute.
>>                 Would be possible to do that? Is there some mapper
>>                 type just to retrieve
>>                 this information?
>>
>>                 Best Regards,
>>
>>
>>
>>
>>
>>         -- 
>>         ---
>>         *Celso Agra*
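Option (a) in the thread leaves it to the application to pull the OU out of the full DN it receives (the LDAP_ENTRY_DN user attribute, or the vendor's distinguishedName / entryDN attribute mapped into the token). The following Python parser is an added example, not Keycloak code and not from any poster on the thread. It splits the DN into RDN components following the RFC 4514 string rules, so an escaped comma or plus inside a value (for example a cn like "Doe\, Jane") does not break the split, and it returns nested OUs in order, nearest to the entry first. The sample DNs are constructed after the one quoted in the thread; the third one shows why an application that makes decisions on the OU should parse the RDN structure rather than substring-match for "ou=".

```python
"""Extract the organizational unit (ou) from an LDAP distinguished name.

Added example for option (a) from the thread: the application receives the
full DN (for instance the LDAP_ENTRY_DN user attribute, or the vendor's
distinguishedName / entryDN attribute, mapped into the token) and pulls the
OU name out of it.  The sample DNs below are constructed after the one in
the thread; none of this is Keycloak code.
"""
import re
from typing import List, Optional, Tuple

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed samples.  The first is the shape quoted in the thread; the
# others exercise the RFC 4514 escaping rules a naive split(",") gets wrong.
SAMPLE_DN = "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
NESTED_DN = "cn=Doe\\, Jane,ou=Dev\\+Ops,ou=Engineering,dc=example,dc=com"
TRICKY_DN = "cn=x\\,ou=admins,ou=users,dc=example,dc=com"


def _finish(attr: bytearray, value: bytearray) -> Tuple[str, str]:
    # Attribute types are case-insensitive; values are returned as written.
    return attr.decode("utf-8").strip().lower(), value.decode("utf-8", "replace")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute-type, value) pairs, entry RDN first.

    Understands the RFC 4514 string form: "\\c" escapes a special character
    (",", "+", "=", ...), "\\XX" is a hex-encoded byte, and "+" separates
    the components of a multi-valued RDN (each component is returned
    separately).  Bytes are accumulated so multi-byte UTF-8 hex escapes
    decode correctly.
    """
    rdns: List[Tuple[str, str]] = []
    attr, value = bytearray(), bytearray()
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        buf = value if in_value else attr
        if ch == "\\" and i + 1 < n:
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):           # "\XX": one raw byte
                buf += bytes.fromhex(pair)
                i += 3
            else:                                   # "\c": literal character
                buf += dn[i + 1].encode("utf-8")
                i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True                         # switch from type to value
        elif ch in ",+" and in_value:               # unescaped separator
            rdns.append(_finish(attr, value))
            attr, value, in_value = bytearray(), bytearray(), False
        else:
            buf += ch.encode("utf-8")
        i += 1
    if attr or value:
        rdns.append(_finish(attr, value))
    return rdns


def organizational_units(dn: str) -> List[str]:
    """All ou values, nearest to the entry first (nested OUs give several)."""
    return [v for a, v in split_dn(dn) if a == "ou"]


def first_ou(dn: str) -> Optional[str]:
    """The ou the entry sits in directly, or None if the DN has no ou RDN."""
    ous = organizational_units(dn)
    return ous[0] if ous else None


def naive_ou(dn: str) -> Optional[str]:
    """The substring approach to avoid: it is fooled by an escaped ',ou='."""
    m = re.search(r"ou=([^,]+)", dn)
    return m.group(1) if m else None


if __name__ == "__main__":
    for dn in (SAMPLE_DN, NESTED_DN, TRICKY_DN):
        print(dn, "->", organizational_units(dn), "| naive:", naive_ou(dn))
```

For the DN from the thread, first_ou returns "group". For TRICKY_DN the parser reports the entry's real container "users", while the regex shortcut returns "admins" because the escaped ",ou=admins" is part of the cn value, not an RDN of its own; the same parser works unchanged on a distinguishedName or entryDN value mapped through the OOTB UserAttribute mapper.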