<div dir="ltr">Hi,<br><br>Thanks Marek for the clarity on the mapping of LDAP attributes to attributes of user account. It gives us more confidence now moving forward with our implementation. <br><br>Thanks,<br>Robin</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 31, 2014 at 5:41 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
for servers like OpenLDAP it's assumed that "uid" contains the
username of the user (and I think that if you change the "Vendor"
combobox to "Other", it will also change the "Username LDAP
Attribute"). "cn" is supposed to be used mainly for
servers like Active Directory.<br>
<br>
The root issue is that right now we don't support dynamic mapping
of LDAP attributes to attributes of the user account. For servers like
OpenLDAP we have some hard-coded mapping (like "cn" from LDAP is
mapped to user's firstName in Keycloak, "sn" from LDAP is mapped
to user's lastName in Keycloak and "mail" from LDAP is mapped to
user's email in KC).<br>
<br>
We have a plan to support dynamic attribute mapping in the future,
so you will be able to configure that, for example, "cn" is mapped
to Keycloak username, "givenName" is mapped to firstName, "sn" to
lastName etc. A JIRA is already created:
<a href="https://issues.jboss.org/browse/KEYCLOAK-599" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-599</a> but right now it's
maybe not the biggest priority (feel free to vote in JIRA if you
want to prioritize it)<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
On 29.10.2014 19:54, robinfernandes . wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi,<br>
<br>
We are also testing with the same OpenLDAP version and the
connection is not a problem. The "Test Authentication" and the
"Test Connection" work just fine.<br>
Below are the screenshots of my configuration. <span style="font-family:arial,sans-serif;font-size:13px">In the
LDAP Provider Settings in Keycloak if we use "<b>Username LDAP
attribute = uid</b>" it works well. However, if we use "<b>Username
LDAP attribute = cn</b>" it fails to authenticate. Have you
faced a similar problem?</span><br>
<br>
<img src="cid:part1.08020401.05040600@redhat.com" alt="Inline
image 1">
<div><br>
<span></span><br>
<br>
<img src="cid:part2.08070901.09010002@redhat.com" alt="Inline
image 2"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 24, 2014 at 2:52 AM,
Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
we are testing with OpenLDAP 2.4 and it works fine. Are
you using a different version?<br>
<br>
Also, couldn't the problem be a slow connection to the LDAP
server? On the LDAP configuration screen in the Keycloak
admin console, you can try "Test Connection" or
"Test Authentication". Does this work well for you?<br>
<br>
If the connection is not a problem, maybe you can send the
exception stacktrace and your LDAP configuration.
(Once you configure LDAP, there should be a message in
server.log like "INFO
[org.keycloak.picketlink.ldap.PartitionManagerRegistry]
Creating new LDAP based partition manager for the
Federation provider...." with details about the LDAP
configuration. It may help if you send it here as
well.)<br>
<br>
Thanks,<br>
Marek
<div>
<div><br>
<br>
On 23.10.2014 17:13, robinfernandes . wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi guys,<br>
<br>
I am using <b>Keycloak 1.0.1</b> final and I
have integrated it with <b>OpenLDAP</b>.<br>
When I try to authenticate the user which is
in LDAP, it is not able to authenticate it and
the exception that comes up is "<span style="color:rgb(0,0,0)"><b><i>org.h2.jdbc.JdbcSQLException:
Timeout trying to lock table
"USER_ENTITY" ; "<br>
</i></b></span><br>
Is there anyone who has faced this problem? Is
there a way to set the lock table timeout to
be more than what it is by default?<br>
<br>
The other thing is, I tried authenticating
with <b>Active Directory </b>and it works
just fine. So I am guessing the problem is
limited to OpenLDAP.<br>
<br>
Any help would be appreciated.<br>
<br>
Thanks,<br>
Robin<br>
<br>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>