[keycloak-user] Multiple LDAP Providers

Marek Posolda mposolda at redhat.com
Mon Jul 24 03:14:16 EDT 2017


I am not sure if this approach works. UserStorageManager.addUser sorts 
UserRegistrationProvider by priority and it registers to the first one, 
which returns not null. But LDAPStorageProvider doesn't have anything to 
specify that users without "social" attribute will be ignored (null will 
be returned) to ensure the fallback to second provider. It may work 
though if you create a subclass of LDAPStorageProvider and implement this 
particular part by yourself.

Marek

Dne 21.7.2017 v 17:06 Dmitry Repchevsky napsal(a):
> Hello Marek,
>
> Thank you for the prompt answer.
>
> My current idea is to make first LDAP expect a "social" attribute 
> which I hardcode for "google" provider.
> Other users (registered via cli or rest) will fail on it and move to 
> the second LDAP which is for the local users.
>
> Dmitry
>
> On 7/21/2017 4:42 PM, Marek Posolda wrote:
>> On 21/07/17 13:48, Dmitry Repchevsky wrote:
>>> Hello,
>>>
>>> Is there any way to define different user profiles to be stored in 
>>> LDAP?
>>> I would like to distinguish between local users and users that come 
>>> from
>>> Google.
>>> The user groups should be different (with different attributes). For
>>> instance local users have "homeDirectory" and "google" ones are treated
>>> as "guests".
>>>
>>> If I define two LDAP "WRITABLE" providers the attempt to write the new
>>> user to LDAP is done by priority order, right?
>> Yes, right. It all depends on priority right now.
>>
>> We have opened JIRA for the case when you want to add social users 
>> locally or to specified user Storage provider (not the default one 
>> with biggest priority). It's not yet available OOTB. However you can 
>> achieve something if you define firstBrokerLogin flow and replace 
>> IdpCreateUserIfUniqueAuthenticator with something else, which will 
>> register user either locally or to different LDAP provider than the 
>> one with biggest priority. But you would need to code that.
>>
>> Marek
>>> I mean if I define a mandatory "homeDirectory" attribute and "google"
>>> user doesn't have this attribute, is the user stored in the second provider?
>>>
>>> Thank you in advance,
>>>
>>> Dmitry
>>>
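The subclass Marek describes, as an added example that is not code from the thread or from Keycloak itself: addUser declines (returns null) unless the registration is flagged as social, so UserStorageManager.addUser falls through to the next provider by priority. It assumes the custom firstBrokerLogin authenticator publishes the social marker as a KeycloakSession attribute (SOCIAL_FLAG, a hypothetical name) and that a matching LDAPStorageProviderFactory subclass wires this class in; both are assumptions and the factory is not shown.

```java
// Added example (not from the thread or the Keycloak project). Package name is hypothetical.
package example.keycloak.storage;

import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;

public class SocialOnlyLDAPStorageProvider extends LDAPStorageProvider {

    private static final Logger logger = Logger.getLogger(SocialOnlyLDAPStorageProvider.class);

    // Hypothetical session attribute set by the custom first-broker-login authenticator;
    // its value names the identity provider, e.g. "google".
    public static final String SOCIAL_FLAG = "example.social";

    private final KeycloakSession ksession;
    private final ComponentModel cmodel;

    public SocialOnlyLDAPStorageProvider(LDAPStorageProviderFactory factory, KeycloakSession session,
                                         ComponentModel model, LDAPIdentityStore ldapIdentityStore) {
        super(factory, session, model, ldapIdentityStore);
        this.ksession = session;
        this.cmodel = model;
    }

    @Override
    public UserModel addUser(RealmModel realm, String username) {
        Object flag = ksession.getAttribute(SOCIAL_FLAG);
        if (flag == null) {
            // Not a social registration: return null so UserStorageManager tries the next
            // UserRegistrationProvider in priority order (the LDAP tree for local users).
            // Fail closed: nothing is written to this tree for an unmarked user.
            logger.debugf("Declining '%s' in LDAP provider '%s': no social flag", username, cmodel.getName());
            return null;
        }
        UserModel user = super.addUser(realm, username);
        if (user != null) {
            // Record which social provider the account came from, the "hardcoded" attribute
            // from the thread; an LDAP attribute mapper can then persist it.
            user.setSingleAttribute("social", flag.toString());
        }
        return user;
    }
}
```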