<div dir="ltr">Hey Felipe,<div><br></div><div>not sure if this will work for your case BUT perhaps try the following:</div><div><br></div><div>1. In realm admin go to User Federation<br></div><div>2. select your AD provider</div><div>3. select mappers tab</div><div><div><br></div><div>4. click on create mapper</div><div>5. name is contactEmail</div><div>6. select type as User Attribute</div><div>7. user model attribute contactEmail</div><div>8. LDAP attribute: mail</div><div>9. Save</div><div><br></div><div>(you will also have to reconfigure email templates to use contactEmail instead of user model email)</div><div><br></div></div><div>10. click on email attribute mapper<br></div><div>11. change user model attribute to "unknown" which hopefully is not a user attribute in your ldap and will trigger email to be removed from user model once you load it in admin console or elsewhere</div><div>12. switch on "always read value from ldap" ! important !</div><div>13. Save</div><div><br></div><div>14. try to lookup your users in the the admin console</div><div><br></div><div>I was able to "remove" the unique constraint email field from a AD user that way, once this user model field is empty, you can work with these users again.</div><div><br></div><div>Let me know if you have any questions.</div><div>Niels</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 10, 2016 at 10:10 PM, Felipe Braun Azambuja <span dir="ltr"><<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Niels,<br>
<br>
I've read the JIRA issue, but it's not _exactly_ the case. The problem<br>
I'm facing is because I have two entries with the same address in Active<br>
Directory, and I can't change the old one in Keycloak because I have AD<br>
federated in read only mode.<br>
<br>
If I change the 'mail' entry in the AD object, it is not synced again if<br>
the data already exists in Keycloak? I did a test now with my own user,<br>
and it still shows the old value.<span class=""><br>
<br>
Il 09/06/2016 18:58, Niels Bertram ha scritto:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi Felipe,<br>
<br>
this topic was discusses some time back on the user forum. Jira<br></span>
KEYCLOAK-2141 <<a href="https://issues.jboss.org/browse/KEYCLOAK-2141" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2141</a>> has some<span class=""><br>
background information on the issue you are facing. From what I can tell<br>
one will have to change the attribute mapping on the LDAP user<br>
federation provider to map email to a custom attribute (e.g.<br>
contact_email) and then also change the email template to use that field<br>
for email distribution instead.<br>
<br>
Cheers,<br>
Niels<br>
<br>
<br>
On Thu, Jun 9, 2016 at 9:41 PM, Felipe Braun Azambuja<br></span>
<<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a> <mailto:<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a>>><div><div class="h5"><br>
wrote:<br>
<br>
Hello all,<br>
<br>
We have Keycloak connected to our Active Directory (read only),<br>
everything working correctly, authenticating our employees. But there is<br>
a case that is a little complicated.<br>
<br>
When someone starts working here as a intern, the user has an employee<br>
ID with four digits. If a person is a regular employee, it has five<br>
digits. Windows login is made of the first 2 letters of the name, and<br>
then the ID number, zero padded, as in *fe001173*. But there are times<br>
that these interns are hired as employees, so the previous account is<br>
*disabled* in AD and a new one is created.<br>
<br>
The problem is that the e-mail address is the same. When this happens, I<br>
can't even search the user in Keycloak admin interface, because it says<br>
that it already has a user with the same e-mail. The old one is still<br>
there, though; but if I go to its details, I can't change the e-mail<br>
address, since it tries to sync it back to AD.<br>
<br>
So far, the solution was changing it directly in the database and<br>
restarting Keycloak, which is *not* a good thing to do.<br>
<br>
Any thoughts on what we could do?<br>
<br>
<br>
Thanks !<br>
--<br>
Felipe Braun Azambuja<br>
DBA<br>
Tecnologia da Informação e Comunicação<br>
(48) 3281 9577<br></div></div>
<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a> <mailto:<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a>><span class=""><br>
Esta mensagem, incluindo seus anexos, contém informações protegidas<br>
por lei, sujeitas a privilégios e/ou confidencialidades, não podendo<br>
ser retransmitida, arquivada, divulgada ou copiada sem autorização<br>
do remetente. O remetente utiliza o correio eletrônico no exercício<br>
do seu trabalho ou em razão dele, eximindo esta instituição de<br>
qualquer responsabilidade por utilização indevida. Caso tenha<br>
recebido esta mensagem por engano, por favor informe o remetente<br>
respondendo imediatamente a este e-mail, e em seguida apague-a do<br>
seu computador.<br>
<br>
The information contained in this e-mail and its attachments are<br>
protected by law, subjected to privilege and/or confidentiality and<br>
cannot be retransmitted, filed, disclosed or copied without<br>
authorization from the sender. The sender uses the electronic mail<br>
in the exercise of his/her work or by virtue thereof, and the<br>
institution accepts no liability from its undue use. If you have<br>
received this message by mistake, please notify us immediately by<br>
returning the e-mail and deleting this message from your system.<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br></span>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
<br>
</blockquote><div class="HOEnZb"><div class="h5">
<br>
--<br>
Felipe Braun Azambuja<br>
DBA<br>
Tecnologia da Informação e Comunicação<br>
(48) 3281 9577<br>
<a href="mailto:felipe.braun@intelbras.com.br" target="_blank">felipe.braun@intelbras.com.br</a><br>
Esta mensagem, incluindo seus anexos, contém informações protegidas por lei, sujeitas a privilégios e/ou confidencialidades, não podendo ser retransmitida, arquivada, divulgada ou copiada sem autorização do remetente. O remetente utiliza o correio eletrônico no exercício do seu trabalho ou em razão dele, eximindo esta instituição de qualquer responsabilidade por utilização indevida. Caso tenha recebido esta mensagem por engano, por favor informe o remetente respondendo imediatamente a este e-mail, e em seguida apague-a do seu computador.<br>
<br>
The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.<br>
</div></div></blockquote></div><br></div>