You can do this already though. You need to set it up like this:
- LDAP federation provider must have edit mode UNSYNCED
- LDAP mapper for your attribute must have "readOnly" set to "on" and "alwaysReadValueFromLDAP" set to "off". But these are the default settings for the mapper in UNSYNCED edit mode anyway, so you don't need to explicitly configure anything in the mapper (you can just double-check that the mapper is really set like this)
With a setup like this, the user's attribute is read from LDAP during
the initial import of the user from LDAP. But when you change the attribute to some
other value, the value is updated just in the Keycloak DB (not in LDAP). And
for all subsequent reads of the user, Keycloak will see the value from the DB (not
the one from LDAP).
Also, you can add any new attribute to the user too. This will always be
saved to the Keycloak DB and never to LDAP.
Marek
On 27/02/16 01:07, Bill Burke wrote:
You have to code it yourself. Not sure if our ldap adapter is
documented to do that or not.
On 2/26/2016 7:03 PM, Jason Axley wrote:
> Some Idm products provide a virtual-directory-like capability where
> you can manage derived attributes for users regardless of the origin
> data store. I could see it be advantageous to be able to layer
> metadata or other derived data on identities to make things easier to
> consume in downstream systems. Would that be feasible in Keycloak?
>
> -Jason
>
> From: <keycloak-user-bounces(a)lists.jboss.org> on behalf of Bill Burke <bburke(a)redhat.com>
> Date: Friday, February 26, 2016 at 1:00 PM
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] user Attribute error
>
> Why do you expect to be able to add an attribute on a read-only
> LDAP? I'm confused...
>
> On 2/26/2016 11:03 AM, Gerard Laissard wrote:
>>
>> Hi,
>>
>> I’m using user Federation LDAP. The LDAP is read-only.
>>
>> When I add a user Attribute, I get ‘Error! user is read-only!’
>>
>> How can I add specific user attributes?
>>
>> Thanks
>>
>> Gerard
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
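The behaviour described in the reply at the top of this thread, as an added example that is not part of the original messages and is not Keycloak code: a toy model of where attribute reads and writes land under the two edit modes mentioned, plus a check of the three settings. The setting names follow the post; the dictionary layout, the function and class names, and the sample data are assumptions made for illustration.

```python
# Added example, not Keycloak code. Setting names follow the post; the dict
# layout and all function/class names are hypothetical.

def setup_problems(provider):
    """List settings that deviate from the setup described in the thread."""
    problems = []
    if provider["editMode"] != "UNSYNCED":
        problems.append("provider editMode is %s, not UNSYNCED" % provider["editMode"])
    for name, mapper in provider["mappers"].items():
        if mapper["readOnly"] != "on":
            problems.append("mapper %s: readOnly is not on" % name)
        if mapper["alwaysReadValueFromLDAP"] != "off":
            problems.append("mapper %s: alwaysReadValueFromLDAP is not off" % name)
    return problems

class FederatedUser:
    """User imported from LDAP; later edits are kept in a local store only."""

    def __init__(self, provider, ldap_entry):
        self.provider = provider
        self.ldap = ldap_entry  # stands in for the directory; never written here
        # Initial import: mapped attributes are copied from LDAP once.
        self.db = {a: ldap_entry[a] for a in provider["mappers"] if a in ldap_entry}

    def set_attribute(self, name, value):
        mode = self.provider["editMode"]
        if mode == "READ_ONLY":
            raise PermissionError("user is read-only!")
        if mode != "UNSYNCED":
            raise NotImplementedError("only READ_ONLY and UNSYNCED are modelled")
        self.db[name] = value  # local DB only, LDAP stays untouched

    def get_attribute(self, name):
        mapper = self.provider["mappers"].get(name)
        if mapper and mapper["alwaysReadValueFromLDAP"] == "on":
            return self.ldap.get(name)  # the directory value wins on every read
        return self.db.get(name)        # the imported or locally edited value

# Constructed sample data.
UNSYNCED = {"editMode": "UNSYNCED",
            "mappers": {"mail": {"readOnly": "on", "alwaysReadValueFromLDAP": "off"}}}
READ_ONLY = dict(UNSYNCED, editMode="READ_ONLY")
LDAP_ENTRY = {"uid": "gerard", "mail": "gerard@ldap.example"}

if __name__ == "__main__":
    user = FederatedUser(UNSYNCED, LDAP_ENTRY)
    user.set_attribute("mail", "gerard@local.example")  # overrides the imported value
    print(user.get_attribute("mail"), user.ldap["mail"], setup_problems(READ_ONLY))
```

After a local edit the model returns the local value while the directory entry is unchanged, so the two sources can diverge for any attribute edited this way.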