<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks for the info Kevin. I've also
created <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1490">https://issues.jboss.org/browse/KEYCLOAK-1490</a> for the sync
issue. Will try to address both issues for the next release. Will
let you know once it's fixed in master if you want to try it
before the next release is out.<br>
<br>
Marek<br>
<br>
On 19.6.2015 at 17:45, Kevin Thorpe wrote:<br>
</div>
<blockquote
cite="mid:CAFMa6BYF1ZY99_0jedDPK2J=45qioZXERJ918SK1QJc1Ofrvng@mail.gmail.com"
type="cite">
<div dir="ltr">I agree with you on the delimiter option. That wouldn't require any database changes. For the small attribute applications I could wrap them into a delimited string, but we have some others for fine-grained permissions/roles that can be dozens of already delimited strings. Roles in particular are:
<div> application|role|path/that/role/represents</div>
<div>I know it's very common to have multi-valued attributes in LDAP anyway, so this will affect others.</div>
<div><br>
</div>
<div>JIRA: <a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1487">https://issues.jboss.org/browse/KEYCLOAK-1487</a></div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div><font color="#000000"><b>Kevin Thorpe<br>
</b></font></div>
<div>CTO<br>
</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://www.p-i.net/" target="_blank"><img
src="cid:part2.07060703.02050505@redhat.com"></a>
<a moz-do-not-send="true"
href="https://twitter.com/@PI_150" target="_blank"><img
src="cid:part4.01000303.07020309@redhat.com"></a><br>
</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a
moz-do-not-send="true"
href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a
moz-do-not-send="true" value="+447921676683">+44
(0)7425 160 368</a> | T: <a
moz-do-not-send="true" value="+442030056750">+44
(0)203 005 6750</a> | F: <a
moz-do-not-send="true" value="+442077302635">+44(0)207
730 2635</a></span><br>
</div>
<div><font color="#515151">150 Buckingham Palace
Road, </font><span style="color:rgb(81,81,81)">London,
SW1W 9TR, UK</span></div>
<div><br>
<b><span style="color:rgb(11,83,148)"> <img
moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000">
<img moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000">
<img moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000"
height="36" width="64"><img
moz-do-not-send="true"
src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000"
height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted
with it are confidential and intended solely for
the use of the individual or entity to whom they
are addressed. If you have received this email in
error please notify the system manager. This
message contains confidential information and is
intended only for the individual named. If you are
not the named addressee you should not
disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if
you have received this e-mail by mistake and
delete this e-mail from your system. If you are
not the intended recipient you are notified that
disclosing, copying, distributing or taking any
action in reliance on the contents of this
information is strictly prohibited.</font></p>
<p><b>"<span style="color:rgb(11,83,148)"><font>SAVE
PAPER - THINK BEFORE YOU PRINT!</font></span>"
</b></p>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On 19 June 2015 at 15:22, Marek Posolda
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ouch, this is a bug<span><span> :-( </span></span><br>
<br>
Feel free to create a JIRA.<br>
<br>
The UserModel in the Keycloak DB has each attribute modelled as one string value. But I think I can address it with the usage of some delimiter, and then for the access token have the protocol mapper handle it.<br>
<br>
So for example, if your LDAP user has 3 values of the attribute "applications" with values "finance", "sales", "development", the attribute on the Keycloak UserModel will have a value like "finance###sales###development" (the sequence ### will be used as the delimiter), but for the access token it will be divided again. So in your application, you will have the possibility to have something like:<br>
<br>
Set&lt;String&gt; applications = accessToken.getOtherClaims().getAttribute("applications");<br>
<br>
which will return a set with 3 values "finance", "sales", "development".<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div class="h5"><br>
<br>
On 19.6.2015 15:22, Kevin Thorpe wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Ok, I think I understand. I tried 'sync all users' and got an error. Is this because applications is a multi-valued attribute? Obviously I will probably have access to more than one application. In the meantime I'll try a brand new user and see if that works.<br>
<div>
<div><br>
</div>
<div>Log shows:
<div><br>
</div>
<div>
<div>2015-06-19 14:19:26,361 INFO
[org.keycloak.federation.ldap.LDAPFederationProviderFactory]
(default task-2) Sync all users from LDAP
to local store: realm: master, federation
provider: PI ordinary users</div>
<div>2015-06-19 14:19:26,611 ERROR
[io.undertow.request] (default task-2)
UT005023: Exception handling request to
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
java.lang.RuntimeException: request path:
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync</div>
<div> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)</div>
<div> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)</div>
<div> at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div>
<div> at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div>
<div> at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div>
<div> at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div>
<div> at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div>
<div> at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)</div>
<div> at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)</div>
<div> at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div>
<div> at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)</div>
<div> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)</div>
<div> at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div>
<div> at
java.lang.Thread.run(Thread.java:745)</div>
<div>Caused by:
org.jboss.resteasy.spi.UnhandledException:
java.lang.ClassCastException:
java.util.TreeSet cannot be cast to
java.lang.String</div>
<div> at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)</div>
<div> at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div>
<div> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div>
<div> at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)</div>
<div> at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)</div>
<div> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)</div>
<div> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)</div>
<div> ... 29 more</div>
<div>Caused by:
java.lang.ClassCastException:
java.util.TreeSet cannot be cast to
java.lang.String</div>
<div> at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)</div>
<div> at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)</div>
<div> at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)</div>
<div> at
org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)</div>
<div> at
org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div>
<div> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div> at
java.lang.reflect.Method.invoke(Method.java:497)</div>
<div> at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)</div>
<div> ... 40 more</div>
</div>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On 19 June 2015 at 13:50,
Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Thanks for the info. Now I think I know what's going on.<br>
<br>
The issue is that currently, when we import users from LDAP (federation in general), we sync the configured attributes to the Keycloak DB. But during searching, we don't sync the attributes from LDAP to the Keycloak DB anymore. So I guess you did the steps like this:<br>
- You first authenticated as LDAP user "joe" (or searched for this user from the admin console), which imported this user into the Keycloak DB<br>
- Then you created the mapper for the 'applications' attribute. But user 'joe' was already imported into the Keycloak DB from the previous step, right?<br>
<br>
I believe that when you import some other user from LDAP, which does not yet exist in the Keycloak DB, the 'applications' attribute will be there. For the existing user, the only possibility right now is to use "Synchronize all users" or "Synchronize changed users" on the LDAP federation screen. This will update existing users in the Keycloak DB as well, so 'joe' will be updated.<br>
<br>
Please let me know if it helps. It looks like it's something we should address better in Keycloak.<span><font
color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 19.6.2015 11:56, Kevin Thorpe
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">I had a hunch, so I added a record in USER_ATTRIBUTE for applications and it is getting passed in the JWT claims now. That squarely points at the LDAP federation part.</div>
<div class="gmail_extra"><br
clear="all">
<br>
<div class="gmail_quote">On 19 June
2015 at 10:42, Kevin Thorpe <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:kevin.thorpe@p-i.net"
target="_blank">kevin.thorpe@p-i.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Hi Marek, thanks for the quick reply.
<div><br>
</div>
<div>1. I am definitely sure that the attributes I need are in the LDAP record.</div>
<div><br>
</div>
<div>2. Adding trace to federation.ldap shows my mapped attributes being read.</div>
<div><br>
</div>
<div>3. There is no USER_ATTRIBUTES table; I'm assuming you meant USER_ATTRIBUTE, but it doesn't have my attributes.</div>
<div> It does have a reference to my LDAP_ID, so it looks like it should be here.</div>
<div><br>
</div>
<div>
<pre>MariaDB [keycloak]&gt; select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+</pre>
</div>
<div><br>
</div>
<div>Thanks for your time on this.</div>
</div>
<div class="gmail_extra"><br
clear="all">
<div>
<div> <br>
<div class="gmail_quote">On
19 June 2015 at 10:15,
Marek Posolda <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>There are a few steps here and the result will work only if all steps succeed. So it might help to check which step could be wrong here:<br>
<br>
1) You can double-check whether your user really has the 'applications' attribute in LDAP.<br>
<br>
2) If (1) is ok, you can enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml. With it, you should see some trace messages with the names and values of all LDAP attributes which are loaded in the user record. You should see the 'applications' attribute loaded.<br>
<br>
3) If (2) is ok, you can browse the Keycloak database and check if the attribute 'applications' is really there. The user attributes are saved in the table USER_ATTRIBUTES. Currently it's not possible to browse user attributes generically in the admin console (unless you do a custom theme), so browsing the DB seems to be the only possibility.<br>
<br>
4) If (3) is ok, the issue is not in the LDAP interaction but in the protocol mapper configuration. Make sure you use the correct protocol mapper (in your case it should be the "User attributes" mapper, not the "User property" mapper). Also, if your application is Java based, the value of the 'applications' claim is saved in the accessToken in the 'otherClaims' map and can be retrieved with something like: accessToken.getOtherClaims().get("applications");<br>
<br>
Marek
<div>
<div><br>
<br>
<br>
On 18.6.2015
17:50, Kevin
Thorpe wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">
<div>Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings, which I see has now been done. Unfortunately I can't seem to get it to work.</div>
<div><br>
</div>
<div>I have added a user attribute mapper to my LDAP federation. This maps the LDAP attribute 'applications', which exists on my LDAP user record, to 'applications' in Keycloak.</div>
<div><br>
</div>
<div>I have also added a user attribute token mapper to my Keycloak client definition to map user attribute 'applications' to token claim 'applications'. I've also asked to add it to both the id and access token.</div>
<div><br>
</div>
<div>However this attribute is not present in either the ID or access token when testing. Is there something I've missed?</div>
<div><br>
</div>
<div>Something that may be an issue though is that I'm using a home-written openid-connect Lua client based on your javascript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn't support these attributes yet?</div>
<br
clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font
color="#000000"><b>Kevin
Thorpe<br>
</b></font></div>
<div>CTO, PI
ltd<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
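<p>Added example, not Keycloak code and not from any participant in this thread: a Python model of the delimiter scheme Marek proposes above (a multi-valued LDAP attribute joined with "###" for the single-string UserModel attribute, split back into a set by the protocol mapper), beside the 'before' behaviour that produces the "TreeSet cannot be cast to String" error in Kevin's sync log. The sample values, the handling of an absent attribute and the rejection of values that contain the delimiter are assumptions, not Keycloak behaviour.</p>

```python
"""
Model of the delimiter approach for multi-valued LDAP attributes discussed
in the thread. Not Keycloak's code: the function names, the treatment of a
missing attribute and the delimiter-collision check are assumptions.
"""
from typing import Iterable, Set, Union

# Delimiter from Marek's proposal. The scheme is only sound if no real value
# contains it, so import_attribute() refuses such values instead of storing
# a string that the protocol mapper would later split into bogus entries.
DELIMITER = "###"


class DelimiterCollision(ValueError):
    """An LDAP value contains the delimiter and cannot be stored losslessly."""


def naive_import(ldap_value: Union[str, Iterable[str]]) -> str:
    """'Before' behaviour: the mapper assumes one String per attribute.

    For a multi-valued attribute the LDAP layer hands over a set (a TreeSet
    in the Java trace), and the unconditional cast fails.
    """
    if not isinstance(ldap_value, str):
        raise TypeError("java.util.TreeSet cannot be cast to java.lang.String")
    return ldap_value


def import_attribute(ldap_value: Union[None, str, Iterable[str]]) -> str:
    """'After' behaviour: accept a missing, single-valued or multi-valued
    attribute and normalise it to the one string the UserModel can hold."""
    if ldap_value is None:  # attribute absent on the LDAP entry (assumption)
        return ""
    if isinstance(ldap_value, str):
        values = [ldap_value]
    else:
        values = sorted(set(ldap_value))  # TreeSet semantics: ordered, unique
    for v in values:
        if DELIMITER in v:
            raise DelimiterCollision(f"value {v!r} contains {DELIMITER!r}")
    return DELIMITER.join(values)


def claim_values(stored: str) -> Set[str]:
    """Protocol-mapper side: turn the stored string back into the set of
    values that go into the 'applications' (or roles) token claim."""
    if stored == "":
        return set()
    return set(stored.split(DELIMITER))


def round_trips(ldap_values: Iterable[str]) -> bool:
    """True if a multi-valued attribute survives import plus claim mapping."""
    original = set(ldap_values)
    return claim_values(import_attribute(original)) == original


# Constructed sample data modelled on the thread: a multi-valued
# 'applications' attribute, and role strings that already use '|'
# internally (application|role|path) and must not be split on it.
APPLICATIONS = {"finance", "sales", "development"}
ROLES = {
    "finance|approver|/finance/invoices",
    "finance|viewer|/finance",
    "sales|editor|/sales/leads",
}

if __name__ == "__main__":
    print("stored:", import_attribute(APPLICATIONS))
    print("claim: ", sorted(claim_values(import_attribute(APPLICATIONS))))
    print("roles round-trip:", round_trips(ROLES))
    try:
        naive_import(APPLICATIONS)
    except TypeError as err:
        print("naive import fails:", err)
```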
</body>
</html>