<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">If you're not in a hurry, it will be
better to wait and put it into Keycloak 2.X. Right now, we are
around feature freeze for 1.X and the MSAD password history
support might mean a bit more refactoring and change in more
places. And right now, we don't have much time to properly
implement and test it due to other priority tasks TBH ;)<br>
<br>
Marek<br>
<br>
On 27/01/16 13:45, Edgar Vonk - Info.nl wrote:<br>
</div>
<blockquote cite="mid:15CC2C40-2975-4834-8D4D-0C57CA1532AB@info.nl"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
Ok will do. Thanks Marek!
<div class=""><br class="">
</div>
<div class="">Regarding my password policies/history issue: I was
trying to make my it into a pull request for you but I have not
finished quite yet. Considering the upcoming refactoring I now
wonder if that would be worth the trouble at this stage? We are
not in a big hurry with this feature in any case.</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 27 Jan 2016, at 13:38, Marek Posolda <<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com"
class=""><a class="moz-txt-link-abbreviated" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a></a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class="moz-cite-prefix">Yes, feel free to create
JIRA for that.<br class="">
<br class="">
You're right. There is limitation, that at
registration time, just username is available to LDAP
federation provider. However it should be possible to
handle this in mapper. Either we can create new mapper
or add the option to current FullNameMapper, that it
will use username as fallback if fullname is not yet
available. LDAP doesn't have issue with renaming CN in
later phase. This mapper shouldn't be hard to do,
hopefully I can do it even in 1.9 or 1.10 release (not
like your previous request for password history, which
is a bit more tricky :) )<br class="">
<br class="">
For Keycloak 2.X we plan some refactoring of
federation SPI and user's management. So hopefully we
can handle it more properly and have all attributes
available even during federation registration.<br
class="">
<br class="">
Marek<br class="">
<br class="">
<br class="">
On 27/01/16 13:25, Edgar Vonk - <a
moz-do-not-send="true" href="http://info.nl"
class="">Info.nl</a> wrote:<br class="">
</div>
<blockquote
cite="mid:4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl"
type="cite" class="">
Hi,
<div class=""><br class="">
</div>
<div class="">I would like to use the Full Name User
Federation Mapper to set the CN attribute in Active
Directory from Keycloak. If I am not mistaken this
is currently not possible in Keycloak because on
creation of the user the only thing that is
available is the username and no other user
attributes (see
UserFederationManager#addUser(RealmModel realm,
String username).</div>
<div class=""><br class="">
</div>
<div class="">Since the CN is mandatory it needs to be
set during creation of the user object in AD (and in
any LDAP server). With our current configuration
with the Full Name mapper enabled and configured to
map to the CN attribute we cannot create users from
Keycloak since the full name (as well as the first
and last name) and hence the CN are still empty on
user creation:</div>
<div class=""><br class="">
</div>
<div class="">
<table style="font-family: Arial, sans-serif;
font-size: 1em; widows: 1; background-color:
rgb(245, 245, 245); line-height: 1.4em
!important;" class="" border="0" width="100%"
cellpadding="0" cellspacing="0">
<tbody class="">
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 10px 10px 0px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class="">10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)</span></pre>
</td>
</tr>
<tr id="syntaxplugin_code_and_gutter" class="">
<td style="padding: 0em; vertical-align: top;
line-height: 1.4em !important;" class="">
<pre style="margin: 0px 10px; padding: 0px; font-size: 1em; width: auto;" class=""><span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace !important;" class=""> at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)</span></pre>
</td>
</tr>
</tbody>
</table>
<div class=""><br class="">
</div>
</div>
<div class=""><br class="">
</div>
<div class="">If I am not mistaken the way Keycloak
creates users is by first creating an ‘empty’ user
with only the username set and after that the user
is updated with all user attributes like firstname,
last name, email etc.</div>
<div class=""><br class="">
</div>
<div class="">The only workaround we can find is to
add an attribute mapper that maps the Keycloak
username field to the CN LDAP/AD attribute. This
works ok but it different from how AD treats the CN
which is as the full name and not the user name.</div>
<div class=""><br class="">
</div>
<div class="">Shall I create a JIRA issue for this?</div>
<div class=""><br class="">
</div>
<div class="">cheers</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
</body>
</html>