LDAP referrals were not yet tested and
supported; could you please create a JIRA for this?
Thanks,
Marek
On 18/05/16 05:37, Mitya wrote:
Hi,
In replicated LDAP setups, it's a common situation where the
slave is read-only, and if a write operation is attempted, it
returns a so-called referral (see more
here).
Simply put, a referral is an instruction to proceed with the
same LDAP operation but using a different URL, contained within
the response. In a replicated setup, this URL would point to the
master instance, which is read-write.
Currently, KeyCloak cannot use such a slave replica as a
federation provider in a WRITABLE edit mode. LDAP entries are
imported successfully; but further attempts to modify them in
the KeyCloak admin console give a success message, while the actual
values are not modified. If Sync Registrations is on, an attempt to
create a user results in the following exception:
javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
LDAP referrals are fully supported by the JNDI and LDAP stack;
the only thing we need is to set the Context.REFERRAL
("java.naming.referral") environment property to "follow" before
creating an InitialLdapContext. I've noticed that in
org.keycloak.federation.ldap.LDAPConfig, there is initial
support for additional connection properties (currently
hardcoded to return null). Are there any plans to implement
this?
Cheers,
Mitya
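As an added example (not code from the post or from Keycloak), the JNDI snippet below sets Context.REFERRAL before creating the InitialLdapContext, as the post proposes. It goes one step beyond the post by also showing the "throw" mode, in which the referral target is handed to the caller so it can be compared with the configured master before a write is redirected to it. The replica URL, bind DN, environment variable name and user attributes are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

public class ReferralDemo {
    // Assumed values: substitute the read-only replica URL and bind identity of your deployment.
    static final String SLAVE_URL = "ldap://ldap-slave.example.com:389";
    static final String BIND_DN = "cn=admin,dc=foobar,dc=com";
    static final String BIND_PW = System.getenv("LDAP_BIND_PW");
    // referralMode: "ignore" (JNDI default; a referral on a write surfaces as the PartialResultException
    // in the post), "follow" (JNDI re-issues the operation at the referred URL) or "throw" (see main).
    static Hashtable<String, String> env(String referralMode) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SLAVE_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        env.put(Context.REFERRAL, referralMode); // the "java.naming.referral" property
        return env;
    }
    static void addUser(String referralMode, String dn) throws NamingException {
        DirContext ctx = new InitialLdapContext(env(referralMode), null);
        try {
            Attributes attrs = new BasicAttributes(true);
            attrs.put("objectClass", "inetOrgPerson");
            attrs.put("cn", "foo");
            attrs.put("sn", "foo");
            ctx.createSubcontext(dn, attrs); // the read-only slave answers with a referral
        } finally {
            ctx.close();
        }
    }
    public static void main(String[] args) throws NamingException {
        String dn = "uid=foo,ou=People,dc=foobar,dc=com";
        try {
            addUser("throw", dn);
        } catch (ReferralException e) {
            // The referral names the host the write would be sent to; compare it with the
            // configured master before deciding to follow it rather than trusting it blindly.
            System.out.println("referred to " + e.getReferralInfo());
        }
        addUser("follow", dn); // JNDI transparently re-issues the add at the master
    }
}
```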
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev