<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        color:black;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Many thanks Marek!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">By using:<br>
- LDAP federation provider with edit mode = UNSYNCED<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">A first test shows it works!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">To be more precise my use case is:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Keycloak is the IdP for our products. Some customers have an LDAP, but they do not want us to add our products' (clients') roles/attributes in their LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We configured the ‘LDAP Federation provider’ as read-only (+ edit mode=UNSYNCED).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We configured users/groups/clients with our specific product user roles+attributes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">On the client mappers we map the attributes we need on tokens.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Gerard<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
<b>On Behalf Of </b>Marek Posolda<br>
<b>Sent:</b> lundi 29 février 2016 09:33<br>
<b>To:</b> Bill Burke; Jason Axley; keycloak-user@lists.jboss.org<br>
<b>Subject:</b> Re: [keycloak-user] user Attribute error<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">You can do this already though. You need to set it up like this:<br>
- The LDAP federation provider must have edit mode UNSYNCED<br>
- The LDAP mapper for your attribute must have "readOnly" set to "on" and "alwaysReadValueFromLDAP" set to "off". But these are the default settings for the mapper in UNSYNCED edit mode anyway, so you don't need to explicitly configure anything in the mapper (you can just double-check that the mapper is really set like this)<br>
<br>
With a setup like this, the attribute of the user is read from LDAP during the initial import of the user from LDAP. But when you change the attribute to some other value, the value is updated only in the Keycloak DB (not in LDAP). And for all subsequent reads of the user, Keycloak will see the value from the DB (not the one from LDAP).<br>
<br>
Also, you can add any new attribute to the user too. This will always be saved to the Keycloak DB and never to LDAP.<br>
<br>
Marek<br>
<br>
On 27/02/16 01:07, Bill Burke wrote:<o:p></o:p></p>
</div>
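<p class="MsoNormal">Marek's advice to double-check the mapper can be scripted. The Python below is an added example, not code from this thread or from the Keycloak project: it audits an LDAP provider and its user-attribute mappers for the three settings he names (edit mode UNSYNCED, read.only on, always.read.value.from.ldap off), assuming the component JSON that the admin REST API of later Keycloak releases returns (every config value a list of strings) and using constructed sample data inline.</p>

```python
# Added example (not from the mailing-list thread): audit the settings Marek
# describes above against a Keycloak LDAP provider and its attribute mappers.
# Assumes the component representation returned by the admin REST API of
# later Keycloak versions (GET /admin/realms/{realm}/components), where every
# config value is a list of strings; the key names below are an assumption.

LDAP_PROVIDER_ID = "ldap"
ATTR_MAPPER_ID = "user-attribute-ldap-mapper"


def flag(config, key, default):
    """Return a config value stored by Keycloak as a one-element list of strings."""
    return (config.get(key) or [default])[0]


def audit_unsynced_provider(provider, mappers):
    """Return a list of findings; an empty list means the setup matches the
    recipe from the thread: edit mode UNSYNCED, and every user-attribute mapper
    read-only and not always reading the value back from LDAP."""
    findings = []
    edit_mode = flag(provider["config"], "editMode", "")
    if edit_mode != "UNSYNCED":
        findings.append(f"provider {provider['name']}: editMode is {edit_mode!r}, expected 'UNSYNCED'")
    for m in mappers:
        if m.get("parentId") != provider["id"] or m.get("providerId") != ATTR_MAPPER_ID:
            continue  # skip mappers of other providers and non-attribute mappers
        cfg = m["config"]
        attr = flag(cfg, "user.model.attribute", "?")
        if flag(cfg, "read.only", "false") != "true":
            findings.append(f"mapper {m['name']} ({attr}): read.only should be on")
        if flag(cfg, "always.read.value.from.ldap", "false") != "false":
            findings.append(f"mapper {m['name']} ({attr}): always.read.value.from.ldap should be off, "
                            "otherwise LDAP overrides the value stored in the Keycloak DB on every read")
    return findings


# Constructed sample components, shaped like the admin API's JSON (not real data).
SAMPLE_PROVIDER = {"id": "ldap-1", "name": "customer-ldap", "providerId": LDAP_PROVIDER_ID,
                   "config": {"editMode": ["UNSYNCED"]}}
SAMPLE_MAPPERS = [
    {"id": "m1", "name": "email", "parentId": "ldap-1", "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["email"], "ldap.attribute": ["mail"],
                "read.only": ["true"], "always.read.value.from.ldap": ["false"]}},
    {"id": "m2", "name": "department", "parentId": "ldap-1", "providerId": ATTR_MAPPER_ID,
     "config": {"user.model.attribute": ["department"], "ldap.attribute": ["ou"],
                "read.only": ["false"], "always.read.value.from.ldap": ["true"]}},
]

if __name__ == "__main__":
    for f in audit_unsynced_provider(SAMPLE_PROVIDER, SAMPLE_MAPPERS):
        print("FINDING:", f)
```

Against a live realm, replace the sample dicts with the provider component and the mappers whose parentId is that component's id; the second sample mapper is deliberately misconfigured so the run shows both findings.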
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">You have to code it yourself. Not sure if our LDAP adapter is documented to do that or not.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 2/26/2016 7:03 PM, Jason Axley wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Some IdM products provide a virtual-directory-like capability where you can manage derived attributes for users regardless of the origin data store. I could see it being advantageous to be able to layer metadata or other derived data on identities
to make things easier to consume in downstream systems. Would that be feasible in Keycloak?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-Jason<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From: </b><<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
<b>Date: </b>Friday, February 26, 2016 at 1:00 PM<br>
<b>To: </b>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<b>Subject: </b>Re: [keycloak-user] user Attribute error<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Why do you expect to be able to add an attribute on a read-only LDAP? I'm confused...<o:p></o:p></p>
<div>
<p class="MsoNormal">On 2/26/2016 11:03 AM, Gerard Laissard wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="FR">Hi,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="FR"> </span><o:p></o:p></p>
<p class="MsoNormal">I’m using User Federation with LDAP. The LDAP is read-only.<o:p></o:p></p>
<p class="MsoNormal">When I add a user Attribute, I get ‘Error! user is read-only!’<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">How can I add specific user attributes? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal">Gerard<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>keycloak-user mailing list<o:p></o:p></pre>
<pre><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></pre>
<pre><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Bill Burke<o:p></o:p></pre>
<pre>JBoss, a division of Red Hat<o:p></o:p></pre>
<pre><a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><o:p></o:p></pre>
</div>
</div>
</blockquote>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
</body>
</html>