If you're not in a hurry, it will be better to wait and put it into
Keycloak 2.X. Right now, we are around feature freeze for 1.X and the
MSAD password history support might mean a bit more refactoring and
change in more places. And right now, we don't have much time to
properly implement and test it due to other priority tasks TBH ;)
Marek
On 27/01/16 13:45, Edgar Vonk - Info.nl wrote:
Ok will do. Thanks Marek!
Regarding my password policies/history issue: I was trying to make it
into a pull request for you but I have not quite finished yet.
Considering the upcoming refactoring I now wonder if that would be
worth the trouble at this stage? We are not in a big hurry with this
feature in any case.
cheers
> On 27 Jan 2016, at 13:38, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> Yes, feel free to create JIRA for that.
>
> You're right. There is a limitation that at registration time, just
> the username is available to the LDAP federation provider. However it
> should be possible to handle this in a mapper. Either we can create a
> new mapper or add an option to the current FullNameMapper, so that it
> will use the username as a fallback if the full name is not yet
> available. LDAP doesn't have an issue with renaming the CN in a later
> phase. This mapper shouldn't be hard to do, hopefully I can do it even
> in the 1.9 or 1.10 release (not like your previous request for
> password history, which is a bit more tricky :) )
>
> For Keycloak 2.X we plan some refactoring of federation SPI and
> user's management. So hopefully we can handle it more properly and
> have all attributes available even during federation registration.
>
> Marek
>
>
> On 27/01/16 13:25, Edgar Vonk - Info.nl <http://info.nl> wrote:
>> Hi,
>>
>> I would like to use the Full Name User Federation Mapper to set the
>> CN attribute in Active Directory from Keycloak. If I am not mistaken
>> this is currently not possible in Keycloak because on creation of
>> the user the only thing that is available is the username and no
>> other user attributes (see UserFederationManager#addUser(RealmModel
>> realm, String username)).
>>
>> Since the CN is mandatory it needs to be set during creation of the
>> user object in AD (and in any LDAP server). With our current
>> configuration with the Full Name mapper enabled and configured to
>> map to the CN attribute we cannot create users from Keycloak since
>> the full name (as well as the first and last name) and hence the CN
>> are still empty on user creation:
>>
>> 10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
>>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
>>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
>>     at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
>>     at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
>>     at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
>>     at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
>>     at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
>>
>> If I am not mistaken the way Keycloak creates users is by first
>> creating an 'empty' user with only the username set and after that
>> the user is updated with all user attributes like first name, last
>> name, email etc.
>>
>> The only workaround we can find is to add an attribute mapper that
>> maps the Keycloak username field to the CN LDAP/AD attribute. This
>> works ok but it is different from how AD treats the CN, which is as
>> the full name and not the user name.
>>
>> Shall I create a JIRA issue for this?
>>
>> cheers
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
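The two-phase creation Edgar describes (register with only the username, then update with the remaining attributes) and the username fallback Marek proposes, as an added example that is not part of this thread and not Keycloak's own code. It simulates the directory with an in-memory store; the base DN, the entry attribute names and the exact fallback/rename behaviour of the proposed mapper are assumptions. It also escapes the RDN value per RFC 4514, since a full name is user-supplied and must not be able to add RDNs to the DN.

```python
"""Added example, not Keycloak's own code: simulate the two-phase LDAP user
creation described in the thread (register with username only, then update
with the remaining attributes) and a CN mapper that falls back to the
username until the full name is known, renaming the entry afterwards.

Assumptions (not from the thread): the base DN, the attribute names used for
the entry, and the exact fallback/rename behaviour of the proposed mapper.
"""

BASE_DN = "ou=Customers,dc=example,dc=com"  # assumed; not the thread's real base DN


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514).

    The full name is user-supplied, so it must not be able to smuggle extra
    RDNs into the DN (e.g. a first name of "Eve,ou=Admins").
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def cn_value(user: dict, fallback_to_username: bool) -> str:
    """Value the Full Name mapper writes to CN ("first last").

    With the fallback enabled (the option Marek proposes; behaviour assumed)
    the username is used while first and last name are still empty, which is
    the state a user is in during federation registration.
    """
    full = " ".join(p for p in (user.get("firstName", ""), user.get("lastName", "")) if p)
    if not full and fallback_to_username:
        return user["username"]
    return full  # empty during registration without the fallback


class FakeLdapStore:
    """In-memory stand-in for the directory: create, modify, and modrdn."""

    def __init__(self):
        self.entries = {}    # dn -> attributes
        self._location = {}  # dn -> (rdn attribute, parent DN); avoids parsing DNs

    def create_subcontext(self, rdn_attr, rdn_value, parent, attrs):
        if not rdn_value.strip():
            # A blank RDN is what AD/LDAP rejects and Keycloak reports as
            # "Error creating subcontext [cn= ,ou=...]".
            raise ValueError(f"Error creating subcontext [{rdn_attr}={rdn_value},{parent}]")
        dn = f"{rdn_attr}={escape_rdn_value(rdn_value)},{parent}"
        if dn in self.entries:
            raise ValueError(f"entry already exists [{dn}]")
        entry = dict(attrs)
        entry[rdn_attr] = rdn_value
        self.entries[dn] = entry
        self._location[dn] = (rdn_attr, parent)
        return dn

    def modify(self, dn, attrs):
        self.entries[dn].update(attrs)

    def rename(self, dn, new_rdn_value):
        """modrdn: same parent, new RDN; all other attributes are kept."""
        rdn_attr, parent = self._location.pop(dn)
        new_dn = f"{rdn_attr}={escape_rdn_value(new_rdn_value)},{parent}"
        entry = self.entries.pop(dn)
        entry[rdn_attr] = new_rdn_value
        self.entries[new_dn] = entry
        self._location[new_dn] = (rdn_attr, parent)
        return new_dn


def provision_user(store, username, first_name, last_name, fallback_to_username):
    """Create a user the way the thread describes Keycloak doing it."""
    # Phase 1: registration. Only the username is available to the mapper.
    user = {"username": username}
    cn = cn_value(user, fallback_to_username)
    dn = store.create_subcontext(
        "cn", cn, BASE_DN, {"objectClass": "user", "sAMAccountName": username}
    )
    # Phase 2: update with the remaining attributes. If the mapped CN changed,
    # rename the entry (the later-phase CN rename Marek says LDAP is fine with).
    user.update(firstName=first_name, lastName=last_name)
    store.modify(dn, {"givenName": first_name, "sn": last_name})
    new_cn = cn_value(user, fallback_to_username)
    if new_cn != cn:
        dn = store.rename(dn, new_cn)
    return dn


if __name__ == "__main__":
    store = FakeLdapStore()
    try:
        provision_user(store, "jdoe", "John", "Doe", fallback_to_username=False)
    except ValueError as exc:
        print("without fallback:", exc)
    print("with fallback:", provision_user(store, "jdoe", "John", "Doe", fallback_to_username=True))
```

Without the fallback the first phase fails exactly where the thread's stack trace does (a blank RDN at createSubContext); with it the entry is created as cn=jdoe and renamed to cn=John Doe once the names arrive, so the directory ends up with the AD-style CN rather than the username. The store keeps the parent DN per entry instead of splitting the DN on commas, because an escaped comma in the RDN would otherwise break that split.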