[keycloak-user] Users (related to LDAP) are gone when I change the username

Marek Posolda mposolda at redhat.com
Wed Oct 11 02:34:02 EDT 2017


Yes, I was wondering whether you might see an error like this. And 
+1 to set some other non-changeable attribute as "uid". I am sure that 
it's doable with a custom LDAP mapper, which will add the value just 
during the registration time, but not update it later. Maybe the best 
option is to use just the first part of the "initial" email as username. 
Something like:

- User registers with john123 at email.com
- The mapper will extract just the first part of the email, so "john123", 
and use it as the RDN in LDAP. So the user in LDAP will be saved as 
"uid=john123,cn=users,dc=example,dc=com"
- When the email is changed to "john123-updated at email.cz", the UID will 
remain unchanged and will still be "uid=john123,cn=users,dc=example,dc=com"

Maybe timestamp is useful as well, not sure.

Marek
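
The registration-time mapper sketched above, modelled in Python as an added example (it is not Keycloak's mapper API and not code from this thread): the in-memory directory, the sample names and the uid character allow-list are assumptions, and the "RDN attribute not filled" precondition mirrors the ModelException quoted later in the thread.

```python
import re

USERS_BASE_DN = "cn=users,dc=example,dc=com"  # base DN used in the thread
RDN_ATTRIBUTE = "uid"                         # the provider's "RDN LDAP Attribute"

class RdnNotFilled(Exception):
    """Stands in for Keycloak's ModelException 'RDN Attribute [uid] is not filled'."""

def uid_from_email(email: str) -> str:
    """Local part of the *initial* email: 'john123@email.com' -> 'john123'.
    Assumption: a conservative allow-list keeps the value safe to use in an RDN."""
    local = re.sub(r"[^a-z0-9._-]", "", email.split("@", 1)[0].strip().lower())
    if not local:
        raise ValueError("email local part yields an empty uid")
    return local

def mapper_on_register(attrs: dict) -> dict:
    """Model of the custom mapper: fill the RDN attribute once, at registration only."""
    if not attrs.get(RDN_ATTRIBUTE):
        attrs[RDN_ATTRIBUTE] = [uid_from_email(attrs["mail"][0])]
    return attrs

class FakeDirectory:
    """In-memory stand-in for the writable OpenLDAP user tree (constructed for this example)."""
    def __init__(self):
        self.entries = {}  # dn -> attribute dict

    def create(self, attrs: dict) -> str:
        # Same precondition Keycloak enforces: the RDN attribute must be filled before the add.
        if not attrs.get(RDN_ATTRIBUTE):
            raise RdnNotFilled(f"RDN Attribute [{RDN_ATTRIBUTE}] is not filled. Filled attributes: {attrs}")
        dn = f"{RDN_ATTRIBUTE}={attrs[RDN_ATTRIBUTE][0]},{USERS_BASE_DN}"
        if dn in self.entries:
            raise ValueError(f"{dn} already exists: the first part of the email must be unique")
        self.entries[dn] = dict(attrs)
        return dn

    def update_email(self, dn: str, new_email: str) -> None:
        # Only 'mail' is modified; the RDN is never rewritten, so the DN (and the user) stays put.
        self.entries[dn]["mail"] = [new_email]

def register_then_change_email(directory: FakeDirectory, email: str, new_email: str) -> tuple:
    # Registration with the mapper applied, followed by the email change discussed in the thread.
    attrs = mapper_on_register({"mail": [email], "cn": ["John"], "sn": ["Doe"], "uid": []})
    dn = directory.create(attrs)
    directory.update_email(dn, new_email)
    return dn, directory.entries[dn]["mail"][0]
```

Without the mapper step, `create` fails with the same "not filled" condition the thread reports, which is the check to run before pointing the provider at a writable directory.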

On 11.10.2017 at 00:14 Celso Agra wrote:
> I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN 
> LDAP Attribute" and set some configs on the LDAP Mapper,
> but I got an error:
>
>     Could not create user: org.keycloak.models.ModelException: RDN
>     Attribute [uid] is not filled. Filled attributes: {mail=[], cn=[
>     ], sn=[ ], createTimestamp=[], modifyTimestamp=[]}
>
>
> Maybe changing the username could be a bad practice. It could be better if I 
> set a special number in the username, such as a timestamp. This could solve 
> my issue.
>
> Thanks Marek
>
> 2017-10-10 9:08 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>
>     Thanks.
>
>     I see it probably doesn't work because you have the email as username and
>     "uid" is used as both username attribute and RDN attribute. When
>     you're changing the email of a user in Keycloak, it is trying to change
>     "uid" in LDAP, but that's not allowed.
>
>     I can imagine that things might work if you configure "mail" as
>     "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute", but
>     you probably need to do some tricks with mappers and maybe
>     implement your own LDAP mapper. If you don't manage to get this
>     working, feel free to create a JIRA.
>
>     Marek
>
>
>
>     On 09/10/17 18:54, Celso Agra wrote:
>>     Thanks for your answer, Marek!
>>
>>     Here are some of my configs. In addition, I put the same values in
>>     username and e-mail.
>>
>>     Here is my User Representation:
>>
>>         import org.keycloak.representations.idm.UserRepresentation;
>>
>>         // Username and email are deliberately the same value
>>         UserRepresentation user = new UserRepresentation();
>>         user.setUsername(email);
>>         user.setFirstName(firstName);
>>         user.setLastName(lastName);
>>         user.setEnabled(true);
>>         user.setEmail(email);
>>
>>
>>     Best regards,
>>
>>     Celso Agra
>>
>>
>>     2017-10-09 10:37 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>>
>>         We didn't try to test this use-case though. But it may work
>>         as long as things are configured correctly. Maybe I would
>>         re-create the LDAP provider with the "Username LDAP
>>         attribute" set to "mail", but the "RDN LDAP Attribute" to
>>         "uid". Is this the configuration you're using?
>>
>>         If things still don't work, you can possibly create a JIRA.
>>         Ideally with the details of the configuration of your LDAP
>>         provider, realm (whether 'username as email' is enabled etc.)
>>         and what LDAP users look like and how you expect them to look
>>         afterwards.
>>
>>         Regards,
>>         Marek
>>
>>
>>         On 04/10/17 15:45, Celso Agra wrote:
>>
>>             Hi all,
>>
>>             I'm getting some strange behavior.
>>
>>             My LDAP (OpenLDAP) is configured as writable in my User
>>             Federation. So I can create a user from my Keycloak, but when
>>             I change the username, the user disappears from my user list.
>>
>>             I checked the LDAP and the user is still there, with the 'old'
>>             username. So, is there some way to change the username without
>>             it disappearing from the Keycloak user list?
>>
>>             This occurs because in my case the username is the same as the
>>             email. So if the user changes email, I have to change the
>>             username also.
>>
>>             I'm using version 3.0.0.Final
>>
>>
>>             Best regards
>>
>>
>>     -- 
>>     ---
>>     *Celso Agra*
>
> -- 
> ---
> *Celso Agra*