[keycloak-user] E-mail as username with LDAP federation

Marek Posolda mposolda at redhat.com
Mon Jun 5 15:19:36 EDT 2017


On 05/06/17 10:06, Plank Martin wrote:
> Hello,
>
> I have a realm with this configuration:
>
> -       User registration allowed, E-mail as username enabled
>
> -       LDAP user federation with Kerberos enabled, the sAMAccountName attribute mapped to the username, the mail attribute mapped to the user's e-mail
>
> The problem is that when a user updates his profile through the account form, the username is rewritten: the value of the e-mail address is set to the username attribute.
> The user is then invalidated and deleted, because the usernames in Keycloak and LDAP do not match.
>
> Is my realm configuration supposed to work correctly? Or must I have the mail attribute from LDAP mapped to both the username and the e-mail in Keycloak to keep it consistent?
Yes, if you want to use "Email as username", you should likely map both the 
username and the email to the LDAP "mail" attribute. Otherwise you will face 
inconsistencies like this.

Marek
>
> Thanks
> Martin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
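As an added illustration (not code from this thread or from the Keycloak project), the script below checks a realm plus LDAP federation setup for the mismatch Martin describes and produces the corrected binding Marek recommends. It uses the key names of Keycloak's admin REST representations (RealmRepresentation `registrationEmailAsUsername`, the `ldap` UserStorageProvider component with `usernameLDAPAttribute`, and `user-attribute-ldap-mapper` sub-components with `user.model.attribute` / `ldap.attribute`); the realm name, provider name and attribute values are constructed to reproduce the configuration in the question, and the function names are mine.

```python
"""Lint a Keycloak realm + LDAP federation config for the "Email as username"
username/email mismatch, and produce the corrected mapping.

Added example, not Keycloak's own code. Only the key names follow Keycloak's
admin REST representations; all values are constructed for the demo.
"""
from copy import deepcopy

# Constructed realm: self-registration on, e-mail used as the username.
REALM = {
    "realm": "example",
    "registrationAllowed": True,
    "registrationEmailAsUsername": True,
}

# Constructed LDAP provider as in the question: Active Directory, Kerberos
# enabled, username taken from sAMAccountName.
LDAP_PROVIDER = {
    "name": "corp-ad",
    "providerId": "ldap",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "config": {
        "vendor": ["ad"],
        "usernameLDAPAttribute": ["sAMAccountName"],
        "rdnLDAPAttribute": ["cn"],
        "uuidLDAPAttribute": ["objectGUID"],
        "allowKerberosAuthentication": ["true"],
    },
}


def attr_mapper(name, model_attr, ldap_attr):
    """Build a user-attribute-ldap-mapper sub-component in REST shape."""
    return {
        "name": name,
        "providerId": "user-attribute-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "config": {
            "user.model.attribute": [model_attr],
            "ldap.attribute": [ldap_attr],
        },
    }


# The mappers from the question: username <- sAMAccountName, email <- mail.
MISCONFIGURED_MAPPERS = [
    attr_mapper("username", "username", "sAMAccountName"),
    attr_mapper("email", "email", "mail"),
]


def _ldap_attr_for(mappers, model_attr):
    """LDAP attribute bound to a Keycloak user-model attribute, or None."""
    for m in mappers:
        if m["providerId"] != "user-attribute-ldap-mapper":
            continue
        if m["config"]["user.model.attribute"][0] == model_attr:
            return m["config"]["ldap.attribute"][0]
    return None


def find_inconsistencies(realm, provider, mappers):
    """Return a list of problems that let the Keycloak username drift from LDAP."""
    problems = []
    username_ldap = _ldap_attr_for(mappers, "username")
    email_ldap = _ldap_attr_for(mappers, "email")
    provider_username = provider["config"]["usernameLDAPAttribute"][0]
    # The provider's own username attribute must agree with the username mapper.
    if username_ldap and username_ldap.lower() != provider_username.lower():
        problems.append(
            f"provider usernameLDAPAttribute={provider_username} "
            f"but username mapper reads {username_ldap}")
    # With "Email as username", the account form writes username = email, so the
    # two must resolve to the same LDAP attribute or the LDAP user stops matching.
    if (realm.get("registrationEmailAsUsername") and username_ldap and email_ldap
            and username_ldap.lower() != email_ldap.lower()):
        problems.append(
            f"registrationEmailAsUsername is on but username maps to "
            f"{username_ldap} while email maps to {email_ldap}; a profile "
            f"update sets username=email and the LDAP user no longer matches")
    return problems


def fix_for_email_as_username(provider, mappers):
    """Return copies with the username bound to the same LDAP attribute as email."""
    email_ldap = _ldap_attr_for(mappers, "email") or "mail"
    new_provider = deepcopy(provider)
    new_provider["config"]["usernameLDAPAttribute"] = [email_ldap]
    new_mappers = deepcopy(mappers)
    for m in new_mappers:
        if m["config"]["user.model.attribute"][0] == "username":
            m["config"]["ldap.attribute"] = [email_ldap]
    return new_provider, new_mappers


if __name__ == "__main__":
    for p in find_inconsistencies(REALM, LDAP_PROVIDER, MISCONFIGURED_MAPPERS):
        print("PROBLEM:", p)
    fixed_provider, fixed_mappers = fix_for_email_as_username(
        LDAP_PROVIDER, MISCONFIGURED_MAPPERS)
    print("after fix:", find_inconsistencies(REALM, fixed_provider, fixed_mappers))
```

The corrected provider and mapper components are the payloads you would send to the admin REST API (or via `kcadm.sh create components ...`) for the realm; the check is also a reasonable thing to run against an exported realm JSON before enabling "Email as username" on a federated realm.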
