[keycloak-user] LDAP Role Mapper big groups issue (role-ldap-mapper)

Marek Posolda mposolda at redhat.com
Fri Sep 29 09:16:08 EDT 2017 

Yes, you're right. Until now, there wasn't a use-case to use different 
attribute name then MEMBER_OF . Unfortunately we don't support Tivoli 
and don't test with it. So this will require to add new config parameter 
to group/role mapper though. Feel free to send PR if you want to 
contribute it.

There is also possibility that you override Group/Role mapper and add 
the new strategy, which will be same like builtin 
GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, but will use your attribute 
instead of MEMBER_OF.

Marek

On 28/09/17 16:58, Adam Lis wrote:
> Hi!
>
> Thanks for your reply, it really helped much. In fact my group entry has
> thousands of member entries - in my case that are 'uniquemember' entries.
>
> So I've took a look at other strategy:
> https://github.com/keycloak/keycloak/blob/cb57dbf58ae5ea07ac3a6348e77ab2db972bad7b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/UserRolesRetrieveStrategy.java#L85
>
> Following this, I took a look at 'keycloak/models/LDAPConstants.java':
> https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java
>
> So actually in LDAPConstants.java there is MEMBER_OF defined:
> https://github.com/keycloak/keycloak/blob/227900f2888774ba6c9e356f4e5f254f2c0bdc98/server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java#L89
>
> As I can see some of there parameters are adjustable via WebGUI per User
> Federation -> LDAP based Provider settings, while some other are not.
> "MEMBER_OF" seems not be in WebGUI.
>
> In my case LDAP is configured to return inside user entry, his/her groups
> but not in 'memberOf' attribute (as it defaults in mentioned Java file) but
> in 'someWeirdMembershipAttribute'. I'm not able to change LDAP behavior in
> that field.
>
> So my next 2 questions would be:
>
> 1) am I able to adjust 'MEMBER_OF' variable per my specific LDAP federation
> provider - I'm actually sending JSON containing provider definition, so I'd
> only need confirmation that I could do this;
>
> 2) in case my LDAP is not returning 'memberOf' parameter per any user,
> would change a value of 'MEMBER_OF' from 'memberOf' to
> 'someWeirdMembershipAttribute' affect this federated source of user in any
> other way that I'm willing it too?
>
> Thanks;
> AdamLis;
>
> 2017-09-28 9:38 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>
>> Currently just the "dn" is retrieved and the membership attribute
>> (typically "member"). I guess your roles are big because they have
>> thousands of "member" items on them, is it correct?
>>
>> Few tips:
>> - Maybe if you have possibility to configure "User Roles Retrieve
>> Strategy" to be "MEMBER_OF" ? This will work if your LDAP server supports
>> it and if it tracks role memberships on "memberOf" attribute of user. If it
>> works, you can maybe configure "Membership attribute" to some non-existing
>> value (eg. "foo"), which mean that roles from LDAP will be retrieved really
>> just with the DN attribute.
>>
>> - It's also possible to create your own version of mapper and enhance some
>> functionality. You may need to override RoleLDAPStorageMapperFactory and
>> RoleLDAPStorageMapper and override some methods like for example
>> "createRoleQuery()" . See our server-development guide for tips how to
>> create and deploy your own providers.
>>
>> - Create JIRA if none of the above won't work for you. But not sure when
>> we manage to look into it though...
>>
>> Marek
>>
>> On 27/09/17 19:16, Adam Lis wrote:
>>
>> Hi!
>>
>> I've role-ldap-mapper defined for my LDAP federation.
>>
>> I can see on user logon, KeyCloak is issuing LDAP search with filter build
>> on role-ldap-mapper conditions.
>>
>> KeyCloak is requesting whole resource from LDAP - in my case groups are
>> quite big.
>>
>> If I understand correctly, only 'dn' attribute could be requested, since
>> query is being done anyway for each user on his logon.
>>
>> In my case current approach results in waiting for LDAP response for over
>> 20 seconds. In case only "dn" attribute for group would be requested, LDAP
>> response time is very short.
>>
>> Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
>> attribute, and assing a requesting user all groups based only by retrieved
>> 'dn' attributes?
>>
>> AdamLis;
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list