[keycloak-user] Users (related to LDAP) are gone when I change the username

Celso Agra celso.agra at gmail.com
Wed Oct 11 21:01:15 EDT 2017


There are different kinds of emails in my project, such as John at company01.br,
and also another John from another company, such as John at company02.br.

So... I solved that using System.currentTimeMillis() as the username. This
could be unique and non-changeable.

Thanks again Marek!

Best Regards,

Celso Agra

Em qua, 11 de out de 2017 às 03:34, Marek Posolda <mposolda at redhat.com>
escreveu:

> Yes, I was wondering that maybe you will see some error like this. And +1
> to set some other non-changeable attribute as "uid" . I am sure that it's
> doable with custom LDAP mapper, which will add the value just during the
> registration time, but not update it later. Maybe the best is to use just
> the first part of the "initial" email as username. Something like:
>
> - User registers with john123 at email.com
> - Mapper will extract just the first part of the email, so "john123", and
> use it as the RDN in LDAP. So the user in LDAP will be saved like
> "uid=john123,cn=users,dc=example,dc=com"
> - When email is changed to "john123-updated at email.cz"
> <john123-updated at email.cz>, the UID will remain unchanged and will be
> still "uid=john123,cn=users,dc=example,dc=com"
>
> Maybe timestamp is useful as well, not sure.
>
> Marek
>
> Dne 11.10.2017 v 00:14 Celso Agra napsal(a):
>
> I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP
> Attribute" and set some configs on the LDAP Mapper,
> but I got an error:
>
> Could not create user: org.keycloak.models.ModelException: RDN Attribute
> [uid] is not filled. Filled attributes: {mail=[], cn=[ ], sn=[ ],
> createTimestamp=[], modifyTimestamp=[]}
>
>
> Maybe changing the username could be a bad practice. It could be better if I set a
> special number as the username, such as a timestamp. This could solve my issue.
>
> Thanks Marek
>
> 2017-10-10 9:08 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>
>> Thanks.
>>
>> I see it probably doesn't work as you have email as username and "uid" is
>> used as both username attribute and RDN attribute. When you're changing
>> email of user in Keycloak, it is trying to change "uid" in LDAP, but that's
>> not allowed.
>>
>> I can imagine that things might work if you configure "mail" as "Username
>> LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to
>> do some tricks with mappers and maybe implement your own LDAP mapper. If
>> you don't manage to get this working, feel free to create a JIRA.
>>
>> Marek
>>
>>
>>
>> On 09/10/17 18:54, Celso Agra wrote:
>>
>> Thanks for your answer, Marek!
>>
>> Here is some of my configs. In addition, I put the same values to
>> username and e-mail.
>>
>> Here is my User Representation:
>>
>>> import org.keycloak.representations.idm.UserRepresentation;
>>>
>>> UserRepresentation user = new UserRepresentation();
>>> user.setUsername(email);      // username deliberately set to the same value as the e-mail
>>> user.setFirstName(firstName);
>>> user.setLastName(lastName);
>>> user.setEnabled(true);
>>> user.setEmail(email);
>>
>>
>> Best regards,
>>
>> Celso Agra
>>
>>
>> 2017-10-09 10:37 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>>
>>> We didn't try to test this use-case though. But it may work as long as
>>> things are configured correctly. Maybe I would re-create the LDAP provider
>>> with the "Username LDAP attribute" set to "mail", but the "RDN LDAP
>>> Attribute" to "uid". Is this the configuration you're using?
>>>
>>> If things still don't work, you can possibly create a JIRA. Ideally
>>> with the details of the configuration of your LDAP provider, realm (whether
>>> 'username as email' is enabled etc.), what LDAP users look like and how
>>> you expect them to look afterwards.
>>>
>>> Regards,
>>> Marek
>>>
>>>
>>> On 04/10/17 15:45, Celso Agra wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm getting a strange behavior.
>>>>
>>>> My LDAP (openldap) is configured as writable in my User Federation. So,
>>>> I can create a user from my Keycloak, but when I change the username, the
>>>> user disappears from my user list.
>>>>
>>>> I checked the LDAP and the user is still there, with the 'old' username. So,
>>>> is there some way to change the username without it disappearing from the
>>>> Keycloak user list?
>>>>
>>>> This occurs because, in my case, the username is the same as the email. So, if
>>>> the user changes email, I have to change the username also.
>>>>
>>>> I'm using version 3.0.0.Final.
>>>>
>>>>
>>>> Best regards
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> ---
>> *Celso Agra*
>>
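The mapper behaviour Marek describes above (take the first part of the initial e-mail as "uid" at registration and never rewrite it when the e-mail changes), as an added illustration that is not code from this thread or from Keycloak: a plain Java model, not the Keycloak LDAP mapper SPI, with the class name, the local-part whitelist and the BASE_DN taken from the thread all being assumptions. It also shows the collision that Celso's two Johns at different domains produce when only the local part is used.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Plain-Java model of the mapper behaviour discussed in the thread (not the Keycloak
// mapper SPI): "uid" is derived from the e-mail's local part once, at registration only.
public class ImmutableUidRegistry {
    // Whitelist of characters that need no escaping in an RFC 4514 DN. Anything
    // else (',', '+', '"', '\\', '<', '>', ';', '=', '#', spaces) is rejected, not
    // escaped, so user-supplied input can never alter the DN structure.
    private static final Pattern SAFE_LOCAL_PART = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    private static final String BASE_DN = "cn=users,dc=example,dc=com"; // as quoted in the thread
    private final Map<String, String> mailByUid = new HashMap<>(); // uid -> current "mail"

    /** The part of the e-mail before '@', validated and lower-cased. */
    static String deriveUid(String email) {
        int at = email.indexOf('@');
        if (at <= 0 || at != email.lastIndexOf('@')) {
            throw new IllegalArgumentException("expected exactly one '@': " + email);
        }
        String localPart = email.substring(0, at);
        if (!SAFE_LOCAL_PART.matcher(localPart).matches()) {
            throw new IllegalArgumentException("local part has DN-unsafe characters");
        }
        return localPart.toLowerCase();
    }

    /** Registration: the uid is fixed here; returns the DN the entry gets. */
    public String register(String email) {
        String uid = deriveUid(email);
        // Two Johns at different domains collide on "john": refuse rather than
        // silently overwrite the existing entry.
        if (mailByUid.putIfAbsent(uid, email) != null) {
            throw new IllegalStateException("uid already in use: " + uid);
        }
        return "uid=" + uid + "," + BASE_DN;
    }

    /** E-mail change: only the "mail" attribute moves; the RDN is left alone. */
    public String changeEmail(String uid, String newEmail) {
        if (mailByUid.replace(uid, newEmail) == null) {
            throw new IllegalStateException("unknown uid: " + uid);
        }
        return "uid=" + uid + "," + BASE_DN;
    }

    public static void main(String[] args) {
        ImmutableUidRegistry dir = new ImmutableUidRegistry();
        String dn = dir.register("john123@email.com");
        String after = dir.changeEmail("john123", "john123-updated@email.cz");
        System.out.println(dn.equals(after) ? "DN unchanged: " + after : "DN changed!");
    }
}
```

System.currentTimeMillis() has only millisecond resolution, so two registrations in the same millisecond would produce the same username; a uniqueness check like the putIfAbsent above is needed whichever way the uid is derived.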

