Hi,
On 04/11/15 19:58, Giovanni Baruzzi wrote:
> Dear all,
> at the moment, using the LDAP Identity federation, we can map a role
> to the membership to a group.
> We are using instead of the groupMembership the "memberOf" approach,
> dedicating an attribute to list the values of the roles owned by the
> user.

AFAIK memberOf is just a read-only mirror of the "member" attribute,
where "member" is writable and is available on the group (role) objects,
while memberOf is mirrored on users. At least it works this way on
Active Directory and some other LDAP servers too. Or doesn't it
work on your LDAP server and you are not seeing the "member" attribute
on groups?

Our RoleLDAPFederationMapper implementation is using the "member"
attribute approach because the "member" attribute is writable and it's
sufficient to achieve all CRUD operations on user role mappings.
At this moment, the only case where I can see an advantage of
"memberOf" is better performance on read-only LDAP servers, as you
need to query just the user object to receive both its attributes and
role mappings in a single step. Is this the reason why you want it or
do you have another reason?

> How would you suggest the implementation of this requirement?
> Can you imagine a way to implement it using the planned customised
> filter?
> Should we go for a custom federation provider?

There are 2 steps to achieve it.

1) You can use the existing "User attribute" mapper to map the "memberOf"
attribute to some attribute in the user model. This way the "memberOf"
will be queried from LDAP and saved into the Keycloak DB as part of the
user record. You can check in the admin console (tab "Attributes" of
the user) if the memberOf was successfully returned.

2) Then you may need to implement a custom LDAPFederationMapper, which
will return a proxy user object, and you override some methods of this
proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and
getClientRoleMappings) to return the roles based on the "memberOf"
attribute, which is available on UserModel thanks to the previous step.
See the existing RoleLDAPFederationMapper for inspiration.

So you don't need a custom federation provider, but just a custom
federation mapper.

I wonder if we should support "memberOf" in Keycloak OOTB. I am
curious about your reasons to use it in preference to "member".

Marek

> thank you for your answers,
> Giovanni
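
Step 2 above needs a way to turn the stored "memberOf" values into role names. The following is an added example, not code from this message or from Keycloak: it shows only that DN-to-role step using the JDK's `LdapName`, accepting a value as a role only when it is a direct child of one configured roles base DN. The class name `MemberOfRoleResolver`, the base DN and the sample values are assumptions made up for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.*;

// Hypothetical helper: derives role names from "memberOf" DN values.
public class MemberOfRoleResolver {
    private final LdapName rolesBase;   // only groups directly under this DN count as roles
    private final String roleNameAttr;  // RDN attribute that carries the role name, e.g. "cn"

    public MemberOfRoleResolver(String rolesBaseDn, String roleNameAttr) throws InvalidNameException {
        this.rolesBase = new LdapName(rolesBaseDn);
        this.roleNameAttr = roleNameAttr;
    }

    public Set<String> resolve(Collection<String> memberOfValues) {
        Set<String> roles = new TreeSet<>();
        for (String value : memberOfValues) {
            try {
                LdapName dn = new LdapName(value);
                // LdapName indexes RDNs right to left, so startsWith() tests the DN suffix.
                // Requiring exactly one extra RDN rejects nested OUs and look-alike groups
                // with the same CN elsewhere in the tree.
                if (dn.size() != rolesBase.size() + 1 || !dn.startsWith(rolesBase)) continue;
                Rdn leaf = dn.getRdn(dn.size() - 1);
                if (leaf.size() == 1 && leaf.getType().equalsIgnoreCase(roleNameAttr)) {
                    roles.add(leaf.getValue().toString()); // value is already unescaped
                }
            } catch (InvalidNameException e) {
                // A malformed DN never becomes a role.
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        MemberOfRoleResolver resolver =
                new MemberOfRoleResolver("ou=Roles,dc=example,dc=org", "cn");
        List<String> memberOf = Arrays.asList(          // constructed sample values
                "cn=admin,ou=Roles,dc=example,dc=org",  // accepted
                "CN=Sales\\, EMEA,OU=Roles,DC=example,DC=org", // accepted: case and escaping handled
                "cn=admin,ou=Lists,dc=example,dc=org",  // same CN, wrong container
                "cn=admin,ou=Nested,ou=Roles,dc=example,dc=org", // not a direct child
                "not a dn");                            // malformed
        for (String role : resolver.resolve(memberOf)) {
            System.out.println(role);
        }
    }
}
```

Matching on the full DN rather than on the CN alone matters here because the role decision rests on a string copied into the user record in step 1.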