On 18. 09. 19 7:53, Sven-Torben Janus wrote:
> Hey Marek,
> I incorporated your remarks and updated the PR.
I've merged the PR, Thanks!
> I am quite sure that it does not break MSAD. However, do we need to consider backwards
> compatibility for existing Keycloak instances with eDirectory connectivity?
I think your PR didn't break backwards compatibility as the GUID parsing
just didn't work before. If someone used a different UUID attribute, which
is not mapped to a binary attribute (e.g. uid), things won't be changed for
him anyway and will still work. If there is still something broken for
someone, he can report it and we can fix it later. TBH we don't care much
about Novell eDirectory anyway, so it isn't worth introducing some new
switches or code complexity just to be 1000% sure that nothing was
broken for older eDirectory.
Thanks,
Marek
> Best regards
> Sven-Torben
> On 17. Sep 2019, at 17:02, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> Hi,
>
> sorry for late response.
>> On 30. 08. 19 16:33, Sven-Torben Janus wrote:
>> Hey all!
>>
>> one of my customers wants to implement user federation with eDirectory as LDAP
>> server in place. Everything works fine as long as "Import users" is deactivated.
>> When activating the import, users can no longer be imported. The import fails
>> with the exception shown in https://issues.jboss.org/browse/KEYCLOAK-10942
>> when "UUID LDAP attribute" is set to "guid".
>> The exception seems to come from incorrect parsing of the guid attribute in LDAP.
>> The guid attribute in eDirectory is binary, but is not parsed as such.
>>
>> I have prepared a PR https://github.com/keycloak/keycloak/pull/6251 to fix this.
> Thanks for the PR. Added comment to your PR, but hopefully we can have it in.
>> However, I am unsure about the current state of support for eDirectory. I have
>> seen these PRs and tickets which indicate eDirectory is supported:
>>
>> * https://github.com/keycloak/keycloak/pull/1154
>> * https://lists.jboss.org/pipermail/keycloak-user/2015-April/002023.html
>>
>> I can also choose "Novell eDirectory" from the Vendor list, so I assume
>> it is supported.
>>
>> In contrast I see tickets like this one, where it states that it isn't
>> supported.
>>
>> * https://issues.jboss.org/browse/KEYCLOAK-3099 (btw: that seems to be the
>> same issue as described in KEYCLOAK-10942)
>>
>> And there has been a discussion around a similar (the same?) issue, years ago:
>> https://lists.jboss.org/pipermail/keycloak-user/2016-November/008428.html
>>
>> Can anyone please clarify the current state of eDirectory support and whether
>> my fix has a chance to be released?
> Keycloak team doesn't test with Novell eDirectory and doesn't officially
> support it. It was a community contribution. As such, it is not maintained by the
> Keycloak team and support is community "best-effort". I am even thinking about
> removing that vendor from the list to make it more clear that it is not officially
> supported. Thanks for fixing the eDirectory and hope we can have your PR in when it
> is 100% sure it doesn't break MSAD (which is far more important for Keycloak than
> Novell eDirectory TBH).
>
> Marek
>
>> Regards
>> Sven-Torben