<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/01/16 15:02, Mahantesh Prasad
Katti wrote:<br>
</div>
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Marek. I
looked at the built-in example. I am looking for a couple of
details.</span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo3"><!--[if !supportLists]--><span
style="color:#1F497D"><span style="mso-list:Ignore">1.<span
style="font:7.0pt &quot;Times New Roman&quot;">
</span></span></span><!--[endif]--><span
style="color:#1F497D">What is the bind password for the
embedded Apache DS?</span></p>
</div>
</blockquote>
secret<br>
<br>
See the property bindCredential in the ldaprealm.json document.<br>
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo3"><!--[if !supportLists]--><span
style="color:#1F497D"><span style="mso-list:Ignore">2.<span
style="font:7.0pt &quot;Times New Roman&quot;">
</span></span></span><!--[endif]--><span
style="color:#1F497D">I had a quick look at the
ldaprealm.json document. It turned out that the group name and
the realm role name are identical. Is that a requirement for
role-group mapping to work in Keycloak?</span></p>
</div>
</blockquote>
ATM yes. You may need to override RoleLDAPFederationMapper if you
have more fancy requirements around this.<br>
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo3"><!--[if !supportLists]--><span
style="color:#1F497D"><span style="mso-list:Ignore">3.<span
style="font:7.0pt &quot;Times New Roman&quot;">
</span></span></span><!--[endif]--><span
style="color:#1F497D">Also, is role-to-group mapping always
one to one? In our application, one role is invariably
mapped to multiple LDAP groups.</span></p>
</div>
</blockquote>
I think you can create multiple Role LDAP federation mappers for
your federation provider. For example, you can create a mapper for 2
group trees, "ou=roles1,dc=example,dc=com" and
"ou=roles2,dc=example,dc=com". In that case, if you create the Keycloak
realm role "foo", it will be saved in LDAP in both
"cn=foo,ou=roles1,dc=example,dc=com" and
"cn=foo,ou=roles2,dc=example,dc=com". If you assign some user to
the "foo" role in Keycloak, he will always be added as a member of
both LDAP groups. The role mappings in Keycloak should be the union of
both LDAP groups. For example, if user "john" is declared as a member
of either "cn=foo,ou=roles1,dc=example,dc=com" or
"cn=foo,ou=roles2,dc=example,dc=com", he will be a member of this role
in Keycloak.<br>
<br>
Marek<br>
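<br>
An in-memory model of the two-mapper behaviour described above, added here as an illustration and not Keycloak's own code: assigning a role fans the membership out to every mapped group tree, and a user's Keycloak roles are the union of the group names found across the trees. The <code>ROLE_TREES</code> DNs, the directory entries, the user DNs and the helper names are constructed for this example.<br>

```python
# Added model (not Keycloak's code) of two Role LDAP mappers that point at
# different group trees: a role assigned in Keycloak is written to every
# tree, and a user's realm roles are the union of memberships over all trees.
# ROLE_TREES, the group entries and the user DNs are constructed sample values.

ROLE_TREES = ["ou=roles1,dc=example,dc=com", "ou=roles2,dc=example,dc=com"]

# Constructed directory: group DN -> set of member user DNs.
# john is a member of "foo" in only the first tree, mary of "bar" in the second,
# and "cn=admins" lives outside both mapped trees so it must not become a role.
ldap = {
    "cn=foo,ou=roles1,dc=example,dc=com": {"uid=john,ou=people,dc=example,dc=com"},
    "cn=bar,ou=roles2,dc=example,dc=com": {"uid=mary,ou=people,dc=example,dc=com"},
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=john,ou=people,dc=example,dc=com"},
}


def group_dn(role, tree):
    # Group name and realm role name are identical (the current requirement).
    return f"cn={role},{tree}"


def assign_role(user_dn, role, directory=ldap, trees=ROLE_TREES):
    """Keycloak-side assignment: the user becomes a member in every mapped tree."""
    for tree in trees:
        directory.setdefault(group_dn(role, tree), set()).add(user_dn)


def roles_for_user(user_dn, directory=ldap, trees=ROLE_TREES):
    """Import side: union of group names over all trees where the user is a member.

    Assumes role names contain no comma, so the first RDN is the whole cn.
    """
    roles = set()
    for dn, members in directory.items():
        rdn, _, parent = dn.partition(",")
        if parent in trees and rdn.startswith("cn=") and user_dn in members:
            roles.add(rdn[len("cn="):])
    return roles


if __name__ == "__main__":
    mary = "uid=mary,ou=people,dc=example,dc=com"
    assign_role(mary, "foo")
    print(sorted(roles_for_user(mary)))  # ['bar', 'foo']
```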
<blockquote
cite="mid:83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL"
type="cite">
<div class="Section1">
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Prasad<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext" lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext"
lang="EN-US"> Marek Posolda [<a class="moz-txt-link-freetext" href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Monday, January 04, 2016 3:17 PM<br>
<b>To:</b> Mahantesh Prasad Katti;
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] retrieving group
membership info from LDAP/AD<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal">On 30/12/15 18:42, Mahantesh Prasad Katti
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal">In our application, we integrate with
Microsoft AD for authenticating users. As part of the
authentication result, we also fetch group information for
the authenticated user. We also have a pre-defined
group-role mapping defined in the application server [this
is a JEE configuration file]. This helps decide whether a
particular user, based on the role he belongs to, can access a
resource or not. I read another thread “<a
moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-user/2015-December/003982.html">Apply
group membership filter on ldap login</a>” on similar
lines. A couple of clarifications:</p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">1.<span style="font:7.0pt
&quot;Times New Roman&quot;">
</span></span><!--[endif]-->Based on what I read, there is
no feature to get roles and map them to specific roles in
Keycloak, and it would be available in a future release. I just
wanted to understand if my reading of this is on the right
lines. Also, I wanted to know if there’s a workaround for this
in the short term.</p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">The feature to get LDAP roles
and map them to specific roles in Keycloak is available. We
have the LDAP Role Mapper (see the documentation at
<a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers">http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers</a>
and our LDAP example for details).<br>
<br>
The thread "Apply group membership filter on ldap login" is
more about restricting so that some LDAP users are not able to
log in at all (for example, specifying that only users who
are members of the LDAP group
"cn=mygroup,o=myorg,dc=example,dc=com" are able to log in and
all the other users are filtered out). This will be available
from the 1.8 release (it's in master already).<br>
<br>
</span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l1 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">2.<span style="font:7.0pt
&quot;Times New Roman&quot;">
</span></span><!--[endif]-->Also, does Keycloak provide fine-grained
access control along the lines of Apache Shiro?</p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">Keycloak provides SSO and
authentication. Once you authenticate, your application will
receive an access token with the user's roles from Keycloak
(we have things like scope, protocol mappers etc., which
allow better control over what exactly goes into the access
token. See the docs and examples for details).<br>
<br>
Then it's up to the application how it interprets the roles from
the accessToken. The authorization needs to actually be done by the
application itself (unless it's a JEE application, where we
have a mapping of accessToken roles to JEE roles. Again, see the
examples). We have a separate subproject under development
(no official release available yet), which will allow more
authorization possibilities.<br>
<br>
Marek<br>
</span></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal">Prasad<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>keycloak-user mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></pre>
</div>
</blockquote>
<br>
</body>
</html>