[keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)

Adam Lis adam.lis at gmail.com
Thu Sep 28 10:58:29 EDT 2017


Hi!

Thanks for your reply, it really helped a lot. In fact my group entry has
thousands of member entries - in my case those are 'uniquemember' entries.

So I've taken a look at another strategy:
https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2db972bad7b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java#L85

Following this, I took a look at 'keycloak/models/LDAPConstants.java':
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java

So actually in LDAPConstants.java there is MEMBER_OF defined:
https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java#L89

As I can see, some of these parameters are adjustable via the WebGUI per User
Federation -> LDAP based Provider settings, while some others are not.
"MEMBER_OF" seems not to be in the WebGUI.

In my case LDAP is configured to return his/her groups inside the user entry,
but not in the 'memberOf' attribute (as is the default in the mentioned Java
file) but in 'someWeirdMembershipAttribute'. I'm not able to change the LDAP
behavior in that field.

So my next 2 questions would be:

1) am I able to adjust the 'MEMBER_OF' variable per my specific LDAP federation
provider - I'm actually sending JSON containing the provider definition, so I'd
only need confirmation that I could do this;

2) in case my LDAP is not returning the 'memberOf' parameter for any user,
would changing the value of 'MEMBER_OF' from 'memberOf' to
'someWeirdMembershipAttribute' affect this federated source of users in any
other way than I intend it to?

Thanks;
AdamLis;

2017-09-28 9:38 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> Currently just the "dn" is retrieved and the membership attribute
> (typically "member"). I guess your roles are big because they have
> thousands of "member" items on them, is it correct?
>
> A few tips:
> - Maybe you have the possibility to configure "User Roles Retrieve
> Strategy" to be "MEMBER_OF"? This will work if your LDAP server supports
> it and if it tracks role memberships on the "memberOf" attribute of the user. If it
> works, you can maybe configure "Membership attribute" to some non-existing
> value (eg. "foo"), which means that roles from LDAP will be retrieved really
> just with the DN attribute.
>
> - It's also possible to create your own version of mapper and enhance some
> functionality. You may need to override RoleLDAPStorageMapperFactory and
> RoleLDAPStorageMapper and override some methods like for example
> "createRoleQuery()" . See our server-development guide for tips how to
> create and deploy your own providers.
>
> - Create a JIRA if none of the above works for you. But not sure when
> we will manage to look into it though...
>
> Marek
>
> On 27/09/17 19:16, Adam Lis wrote:
>
> Hi!
>
> I have a role-ldap-mapper defined for my LDAP federation.
>
> I can see that on user logon, KeyCloak is issuing an LDAP search with a filter built
> on the role-ldap-mapper conditions.
>
> KeyCloak is requesting whole resource from LDAP - in my case groups are
> quite big.
>
> If I understand correctly, only the 'dn' attribute could be requested, since
> the query is being done anyway for each user on his logon.
>
> In my case the current approach results in waiting for the LDAP response for over
> 20 seconds. In case only the "dn" attribute for the group would be requested, the LDAP
> response time is very short.
>
> Is there a way to instruct role-ldap-mapper to retrieve only the 'dn'
> attribute, and assign the requesting user all groups based only on the retrieved
> 'dn' attributes?
>
> AdamLis;
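The two ways of resolving a user's roles that this thread compares, modelled as an added stand-alone example (this is not Keycloak's code, and the names ROLES_DN, ROLE_NAME_ATTR, LdapEntry and the directory entries are all constructed for the illustration). The first function searches every role entry under the roles DN and reads its membership attribute, so the work grows with the size of the biggest group; the second reads the membership DNs the server already stores on the user entry, under whatever attribute name the server uses. It also shows the two effects discussed above: pointing the membership attribute at a non-existent name (Marek's "foo") makes the per-role lookup read no member values at all, and reading the user entry under the default 'memberOf' name finds nothing when the server publishes memberships under a different attribute.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed settings standing in for the mapper's "LDAP roles DN" and
# "Role name LDAP attribute" (names chosen for this example only).
ROLES_DN = "ou=roles,dc=example,dc=org"
ROLE_NAME_ATTR = "cn"


@dataclass
class LdapEntry:
    """Minimal stand-in for an LDAP search result: a DN plus multi-valued attributes."""
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)

    def get(self, name: str) -> list[str]:
        # LDAP attribute names are case-insensitive ('uniquemember' == 'uniqueMember').
        wanted = name.lower()
        for key, values in self.attrs.items():
            if key.lower() == wanted:
                return values
        return []


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators.
    Assumes no escaped commas inside attribute values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(dn: str, base: str) -> bool:
    """True if dn is a strict descendant of base."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def rdn(dn: str) -> tuple[str, str]:
    """Split the leading RDN into (attribute, value); the value keeps its case."""
    attr, _, value = dn.split(",")[0].strip().partition("=")
    return attr.strip().lower(), value.strip()


def roles_by_member_attribute(directory, user_dn, membership_attr="uniquemember"):
    """Per-role lookup: each role entry under ROLES_DN is fetched together with its
    membership attribute, so the values read grow with the size of every group."""
    wanted = normalize_dn(user_dn)
    roles, values_read = [], 0
    for entry in directory:
        if not is_under(entry.dn, ROLES_DN):
            continue
        members = entry.get(membership_attr)
        values_read += len(members)
        if any(normalize_dn(m) == wanted for m in members):
            roles.append(rdn(entry.dn)[1])
    return {"roles": sorted(roles), "values_read": values_read}


def roles_from_user_memberof(user, memberof_attr="memberOf"):
    """User-side lookup: read the membership DNs the server stores on the user entry.
    Only values under ROLES_DN whose RDN is the role-name attribute become roles, so a
    DN from another subtree (or a bogus value) cannot grant a role."""
    values = user.get(memberof_attr)
    roles = []
    for dn in values:
        attr, value = rdn(dn)
        if is_under(dn, ROLES_DN) and attr == ROLE_NAME_ATTR:
            roles.append(value)
    return {"roles": sorted(roles), "values_read": len(values)}


# Constructed directory: one large group, two small ones, and an unrelated subtree.
_ALICE = "uid=alice,ou=people,dc=example,dc=org"
_BULK = [f"uid=user{i},ou=people,dc=example,dc=org" for i in range(5000)]
DIRECTORY = [
    LdapEntry("cn=developers,ou=roles,dc=example,dc=org", {"uniqueMember": _BULK + [_ALICE]}),
    LdapEntry("cn=operators,ou=roles,dc=example,dc=org", {"uniqueMember": [_ALICE]}),
    LdapEntry("cn=auditors,ou=roles,dc=example,dc=org", {"uniqueMember": _BULK[:10]}),
    LdapEntry("cn=admins,ou=other,dc=example,dc=org", {"uniqueMember": [_ALICE]}),
]
# The server publishes alice's memberships under a non-default attribute name.
USER = LdapEntry(_ALICE, {"someWeirdMembershipAttribute": [
    "cn=developers,ou=roles,dc=example,dc=org",
    "cn=operators, ou=roles, dc=example, dc=org",   # spacing differs, still the same DN
    "cn=admins,ou=other,dc=example,dc=org",         # outside ROLES_DN: ignored
]})


if __name__ == "__main__":
    print(roles_by_member_attribute(DIRECTORY, USER.dn))
    print(roles_by_member_attribute(DIRECTORY, USER.dn, membership_attr="foo"))
    print(roles_from_user_memberof(USER))
    print(roles_from_user_memberof(USER, memberof_attr="someWeirdMembershipAttribute"))
```

The `values_read` counter is the thing to watch: the per-role strategy reads every member value of every group under the roles DN on each logon, while the user-side strategy only reads the handful of DNs on the user entry. The subtree check in `roles_from_user_memberof` matters for the same reason a real mapper restricts itself to the roles DN: a membership value pointing anywhere else in the tree must not turn into a role.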
