[keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB

valsaraj pv valsarajpv at gmail.com
Tue May 22 05:05:33 EDT 2018


I checked the configuration in the LDAP sample:
>
>  {
>       "name" : "finance roles",
>       "federationMapperType" : "role-ldap-mapper",
>       "federationProviderDisplayName" : "ldap-apacheds",
>       "config" : {
>         "roles.dn" : "ou=FinanceRoles,dc=keycloak,dc=org",
>         "membership.ldap.attribute" : "member",
>         "role.name.ldap.attribute" : "cn",
>         "role.object.classes" : "groupOfNames",
>         "mode" : "LDAP_ONLY",
>         "use.realm.roles.mapping" : "false",
>         "client.id" : "finance"
>       }
>     }
>
Here is my config:

{
  "id": "e0e3a3f6-986f-4352-9242-53fead7ec6b2",
  "name": "app-groups",
  "providerId": "role-ldap-mapper",
  "subComponents": {},
  "config": {
    "mode": [ "IMPORT" ],
    "membership.attribute.type": [ "DN" ],
    "user.roles.retrieve.strategy": [ "LOAD_ROLES_BY_MEMBER_ATTRIBUTE" ],
    "roles.dn": [ "ou=groups,dc=app,dc=com" ],
    "membership.user.ldap.attribute": [ "uid" ],
    "membership.ldap.attribute": [ "uniqueMember" ],
    "role.name.ldap.attribute": [ "cn" ],
    "memberof.ldap.attribute": [ "memberOf" ],
    "use.realm.roles.mapping": [ "false" ],
    "role.object.classes": [ "groupOfUniqueNames, top" ],
    "client.id": [ "app" ]
  }
}

This is the OpenLDAP to Keycloak role sync configuration. Please let me know if you
see anything wrong. I can see the roles synced, but for users these roles are not
associated even if they are members of some LDAP groups.
Here is a group sample:

cn: appAdminConsole
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=testuser,ou=people,dc=app,dc=com


The group appAdminConsole is synced and shown under client roles, but when I
open testuser, none of the roles are shown.

On Tue, May 22, 2018 at 1:19 PM, valsaraj pv <valsarajpv at gmail.com> wrote:

> roles from LDAP are available in Keycloak - worked
> they are assigned to users in Keycloak - I checked both realm roles &
> client roles. But they are not shown when I opened the user in the KC admin console.
> I will check the LDAP sample.
>
> On Tue, May 22, 2018 at 12:34 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> That's strange. The role-ldap-mapper should ensure that roles from LDAP
>> are available in Keycloak and also that they are assigned to users in
>> Keycloak. So Keycloak should be able to see the role mappings based on the
>> role mappings in LDAP. It's just a matter of correct configuration. You can
>> take a look at "keycloak-examples" distribution and the example "ldap" to
>> see how to configure things.
>>
>> Marek
>>
>>
>> On 18/05/18 10:11, valsaraj pv wrote:
>>
>>> Yes, 'role-ldap-mapper' created & those roles appeared in the Keycloak client
>>> set in the mapper. But these roles were not assigned to users. For that I need
>>> to open the user from the admin console & select the client and set client
>>> roles. I am checking how to automate this.
>>>
>>> On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa at worteks.com>
>>> wrote:
>>>
>>>> Can't you just create 'role-ldap-mapper' in your LDAP user federation so
>>>> it reflects your LDAP roles to Keycloak realm or client roles?
>>>>
>>>> Assuming that the roles in your local LDAP have the same names as the ones
>>>> you use in Keycloak.
>>>>
>>>>
>>>> On 18/05/2018 at 08:32, valsaraj pv wrote:
>>>>
>>>>> Got this sample:
>>>>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
>>>>>
>>>>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <subodhcjoshi82 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> You have to write a script to run admin-cli commands
>>>>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>>>>>
>>>>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Do you have any links that will be helpful?
>>>>>>>
>>>>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I think admin-cli will help you regarding this, but the issue is that the
>>>>>>>> documentation is not that good.
>>>>>>>>
>>>>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Here is the scenario:
>>>>>>>>> A Java web application client registers users to a local LDAP/DB and
>>>>>>>>> sets roles.
>>>>>>>>> These users are periodically synced to Keycloak. Roles are also synced
>>>>>>>>> once, as they do not change often.
>>>>>>>>> So when a user is registered in the local LDAP via the application, they
>>>>>>>>> are also reflected in Keycloak, but they can't access the web application
>>>>>>>>> after login via Keycloak.
>>>>>>>>> The new users can access it only after setting client roles manually.
>>>>>>>>> What is the best option to automate this? Is there any API to set client
>>>>>>>>> roles?
>>>>>>>>> If available, we can't write code to set the role in the registration
>>>>>>>>> method, since the users will be synced to Keycloak only on the next sync.
>>>>>>>>> Then the option is a delayed call which first ensures that the user has
>>>>>>>>> reached the Keycloak DB and then sets the role.
>>>>>>>>> Please share your thoughts!
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>> --
>>>>>> Subodh Chandra Joshi
>>>>>> subodh1_joshi82 at yahoo.co.in
>>>>>> http://www.trendsinnews.com
>>>>>>
>>>>>>
>>>> --
>>>> Raphaël HOAREAU | Support & Hosting Solutions Manager
>>>>
>>>> raphael.hoareau at worteks.com
>>>> +33 7 72 37 59 82
>>>>
>>>> Worteks | https://www.worteks.com
>>>>
>>>
>>>
>>
>
>



-- 
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....

Valsaraj Viswanathan
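As an added example (not code from this thread or from Keycloak), a small Python lint that checks a role-ldap-mapper config of the exported shape shown above against one LDAP group entry, following how the mapper resolves roles from those keys: the group must sit under roles.dn, carry one of role.object.classes, and list the user in membership.ldap.attribute either as a full DN (membership.attribute.type DN) or as a bare attribute value (UID). The sample values are constructed from the thread; the group DN and testuser's DN are assumptions, and lint, parse_ldif and norm_dn are names chosen here.

```python
import re
# Constructed from the thread: mapper config as Keycloak exports it (values wrapped in lists),
# the appAdminConsole group as LDIF, and an assumed DN for testuser's own entry
MAPPER = {
    "membership.attribute.type": ["DN"],
    "roles.dn": ["ou=groups,dc=app,dc=com"],
    "membership.user.ldap.attribute": ["uid"],
    "membership.ldap.attribute": ["uniqueMember"],
    "role.object.classes": ["groupOfUniqueNames, top"],
}
GROUP_LDIF = """dn: cn=appAdminConsole,ou=groups,dc=app,dc=com
cn: appAdminConsole
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=testuser,ou=people,dc=app,dc=com
"""
USER_DN = "uid=testuser,ou=people,dc=app,dc=com"

def parse_ldif(text):
    """Minimal one-entry LDIF parser: lower-cased attribute names, every attribute multi-valued."""
    entry = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Normalise a DN for comparison: drop spaces around ',' and '=', fold case."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def lint(config, group, user_dn):
    """Reasons the mapper would not map this group to user_dn; an empty list means it looks consistent."""
    c = {k: v[0] for k, v in config.items()}  # exported config wraps every value in a one-element list
    problems = []
    if not norm_dn(group["dn"][0]).endswith("," + norm_dn(c["roles.dn"])):
        problems.append("group is not under roles.dn")
    wanted = {o.strip().lower() for o in c["role.object.classes"].split(",")}
    if not wanted & {o.lower() for o in group.get("objectclass", [])}:
        problems.append("group objectClass not in role.object.classes")
    members = group.get(c["membership.ldap.attribute"].lower(), [])
    if c["membership.attribute.type"] == "DN":  # member values are full user DNs
        if norm_dn(user_dn) not in {norm_dn(m) for m in members}:
            problems.append("user DN not listed in membership attribute")
    else:  # UID mode: member values are bare values of membership.user.ldap.attribute
        rdn = dict(part.split("=", 1) for part in user_dn.split(","))
        if rdn.get(c["membership.user.ldap.attribute"]) not in members:
            problems.append("user attribute value not listed in membership attribute")
    return problems
```

Switching the constructed config to UID mode while the group still holds full DNs shows the DN/UID mismatch the lint is meant to catch.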

