[keycloak-user] Issue with LDAP federation import

harish jadhav harishjadhav1979 at yahoo.com
Mon Feb 13 08:15:30 EST 2017


Thank you, all of you, for guiding me to solve the problem. I can now think about the suggested approaches and come up with a solution; tagging different realms to the same KC client should be an acceptable solution.

Thank you very much!
Harish


On Monday, February 13, 2017 6:33 PM, Kevin Berendsen <kevin.berendsen at pharmapartners.nl> wrote:

Hi Harish,

There's a workaround, and it's a little tricky and might need some more effort.

Our LDAP structure is a little vague and different from what it should be, but that choice was made a long time ago. However, our workaround could be applied to your issue as well. Pick an attribute of your LDAP object that is absolutely unique to every object, the way the username should be, but a different attribute.

For example:
Pick attribute veryUniqueAttr instead of uid as the username.

Then develop your own authenticator that:
* Queries for users based on the actual username and might return multiple users;
* Iterates through the users and checks if the password matches the input;
* If the password matches, sets the context to success and sets the last iterated user as the user in the session;
* If none matches, fails the login.

It's simple and effective, but I don't like the sound of it. I highly recommend you create TWO realms instead. Google for 'Keycloak multi-tenant' and you'll find an easy way to use the same Keycloak Client with two realms, and I think that may solve your problem.

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of harish jadhav
Sent: Monday, 13 February 2017 13:24
To: keycloak-user at lists.jboss.org; Bill Burke <bburke at redhat.com>
Subject: Re: [keycloak-user] Issue with LDAP federation import

Team,
Can someone help with this, please?
Thanks
Harish
 

On Friday, February 10, 2017 9:47 PM, harish jadhav <harishjadhav1979 at yahoo.com> wrote:

Hi Team,

Thanks for the immediate response. As both users are different persons and reside in different domains with different email ids, I was expecting it to treat them as different users; in fact the objectGUID will be different for both users. And as both users belong to the same organisation, I can't use different realms either.

Is there any workaround available for this?

Thanks
Harish


--------------------------------------------
On Fri, 2/10/17, Bill Burke <bburke at redhat.com> wrote:

 Subject: Re: [keycloak-user] Issue with LDAP federation import
 To: keycloak-user at lists.jboss.org
 Date: Friday, February 10, 2017, 8:27 PM

 You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.

 On 2/10/17 9:32 AM, harish jadhav wrote:
 > Hello Keycloak Team,
 >
 > I am new to Keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers with different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
 >
 > However, one issue which I am facing is that I am unable to import one particular user via the second federation. I have one user named ronny at tkd.com with username Ronny in 172.16.11.100 and ronny at teckno.com with the same username Ronny in 172.16.12.100. The error I am getting is:
 >
 > User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
 >
 > Can you please help on how to sync both users, as technically both users are different, having different email ids and domains.
 >
 > Thanks in advance.
 > Thanks
 > Harish
 >
 _______________________________________________
 > keycloak-user mailing list
 > keycloak-user at lists.jboss.org
 > https://lists.jboss.org/mailman/listinfo/keycloak-user
 
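The authenticator Kevin sketches above (query by the typed name, try the password against each candidate, bind the first match), as an added example that is not code from the thread or from Keycloak itself. It assumes the Keycloak 2.x-era Authenticator SPI (the method signatures used are assumed for that version), that the LDAP uid is mapped to a Keycloak user attribute named `uid` (a hypothetical mapper setup) while the unique attribute serves as the Keycloak username, and that the class is registered through an AuthenticatorFactory, which is omitted here.

```java
// Added example, not code from the thread or from Keycloak; Keycloak 2.x-era SPI signatures assumed.
// Assumption: the LDAP uid is mapped to a Keycloak user attribute "uid"; the unique attribute is the username.
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class MultiUserPasswordAuthenticator implements Authenticator {
    static final String LOGIN_ATTR = "uid"; // hypothetical attribute name filled by your LDAP mapper

    @Override public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createLogin()); // render the standard username/password form
    }

    @Override public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        if (username == null || password == null || password.isEmpty()) { context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); return; }
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();
        // Step 1: the typed name is not unique in this realm, so the lookup may return several users
        List<UserModel> candidates = session.users().searchForUserByUserAttribute(LOGIN_ATTR, username, realm);
        UserModel matched = null;
        for (UserModel user : candidates) {
            // Skip disabled or temporarily locked accounts before spending a password check on them
            if (!user.isEnabled()) continue;
            if (realm.isBruteForceProtected()
                    && context.getProtector().isTemporarilyDisabled(session, realm, user)) continue;
            // Step 2: validate the password against this candidate (federated users are checked via LDAP)
            if (session.userCredentialManager().isValid(realm, user, UserCredentialModel.password(password))) {
                matched = user;
                break; // first matching user wins
            }
        }
        // Step 4: nobody matched, so the login fails
        if (matched == null) { context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); return; }
        context.setUser(matched); // Step 3: bind the matched user and mark the step successful
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because one typed password is tested against every candidate, a single login attempt now touches several accounts, so per-candidate failed-login reporting to the brute-force protector (left to the surrounding flow here) matters more than in the stock username/password form.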