Hi,
In replicated LDAP setups, it's a common situation where the slave is
read-only, and if a write operation is attempted, it returns a so-
called referral (see more here). Simply put, a referral is an
instruction to proceed with the same LDAP operation but using a different
URL contained within the response. In a replicated setup, this URL would
point to the master instance, which is read-write.
Currently, KeyCloak cannot use such a slave replica as a federation
provider in WRITABLE edit mode. LDAP entries are imported
successfully, but further attempts to modify them in the KeyCloak admin
console give a success message while the actual values are not modified.
If Sync Registrations is on, an attempt to create a user results in the
following exception:
javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
LDAP referrals are fully supported by the JNDI LDAP stack; the only
thing we need is to set the Context.REFERRAL ("java.naming.referral")
environment property to "follow" before creating an InitialLdapContext.
I've noticed that in org.keycloak.federation.ldap.LDAPConfig there is
initial support for additional connection properties (currently
hardcoded to return null). Are there any plans to implement this?
Cheers,
Mitya
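The JNDI referral handling described in the post, as an added example that is not part of the original message or of Keycloak's own code. It builds the JNDI environment with java.naming.referral set explicitly and performs the same add operation the stack trace shows (createSubcontext against a read-only replica). With "follow" the provider transparently re-binds to the referral URL, which the server chose, using the same credentials; the example defaults to "throw" instead, so the referral URL can be checked against an allowlist before the bind is retried there. The replica URL, the master hostname, the bind DN, and the example entry are all assumptions.

```java
import java.net.URI;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

public class ReferralAwareLdapWrite {

    // Assumed hosts: the read-only replica the federation provider points at,
    // and the only host a referral is allowed to send our bind credentials to.
    static final String REPLICA_URL = "ldap://slave.foobar.com:389";
    static final Set<String> TRUSTED_REFERRAL_HOSTS = Set.of("master.foobar.com");
    static final int MAX_REFERRAL_HOPS = 3;

    // referralMode is one of "ignore" (the JNDI default, which produces the
    // PartialResultException from the post), "follow", or "throw".
    static Hashtable<String, String> buildEnv(String url, String bindDn, String password, String referralMode) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, referralMode);
        return env;
    }

    // A referral URL is only acceptable if it is an LDAP URL naming a host we
    // expect to be the master; the server that answered chose this URL.
    static boolean isTrustedReferral(String referralUrl) {
        try {
            URI uri = new URI(referralUrl);
            String scheme = uri.getScheme();
            return scheme != null
                    && (scheme.equals("ldap") || scheme.equals("ldaps"))
                    && uri.getHost() != null
                    && TRUSTED_REFERRAL_HOSTS.contains(uri.getHost());
        } catch (java.net.URISyntaxException e) {
            return false;
        }
    }

    // Adds the entry, retrying on the referred-to server when the replica answers
    // with a referral. With referralMode "follow" the ReferralException branch is
    // never reached because the provider follows the referral itself.
    static void createEntry(Hashtable<String, String> env, String dn, Attributes attrs) throws NamingException {
        DirContext ctx = new InitialLdapContext(env, null);
        try {
            for (int hop = 0; hop <= MAX_REFERRAL_HOPS; hop++) {
                try {
                    ctx.createSubcontext(dn, attrs);
                    return;
                } catch (ReferralException re) {
                    String referralUrl = String.valueOf(re.getReferralInfo());
                    if (!isTrustedReferral(referralUrl)) {
                        throw new NamingException("refusing to follow referral to " + referralUrl);
                    }
                    DirContext next = (DirContext) re.getReferralContext();
                    ctx.close();
                    ctx = next;  // repeat the same operation against the master
                }
            }
            throw new NamingException("too many referral hops while adding " + dn);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String bindDn = "cn=admin,dc=foobar,dc=com";          // assumed
        String password = args.length > 0 ? args[0] : "secret"; // assumed
        String mode = args.length > 1 ? args[1] : "throw";

        Attributes attrs = new BasicAttributes(true);
        BasicAttribute oc = new BasicAttribute("objectClass");
        oc.add("inetOrgPerson");
        attrs.put(oc);
        attrs.put("uid", "foo");
        attrs.put("cn", "Foo Bar");
        attrs.put("sn", "Bar");

        createEntry(buildEnv(REPLICA_URL, bindDn, password, mode),
                    "uid=foo,ou=People,dc=foobar,dc=com", attrs);
        System.out.println("entry created (via referral if the replica is read-only)");
    }
}
```

Run with the bind password as the first argument and optionally "follow" or "ignore" as the second to compare the three modes: "ignore" reproduces the PartialResultException from the post, "follow" succeeds without touching the allowlist, and "throw" succeeds only when the referral points at a host in TRUSTED_REFERRAL_HOSTS.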