Hi,


On 04/11/15 19:58, Giovanni Baruzzi wrote:
Dear all,


at the moment using the LDAP Identity federation we can map a role to the membership to a group.

Instead of the groupMembership, we are using the "memberOf" approach, dedicating an attribute to list the values of the roles owned by the user.

AFAIK memberOf is just a read-only mirror of the "member" attribute, where "member" is writable and is available on the group (role) objects, and memberOf is mirrored on users. At least it works this way on Active Directory and some other LDAP servers too. Or does it not work that way on your LDAP server, so you are not seeing the "member" attribute on groups?

Our RoleLDAPFederationMapper implementation is using the "member" attribute approach because "member" is writable and that is sufficient to achieve all of the CRUD user role mapping operations.

At this moment, the only advantage I can see in "memberOf" is better performance on read-only LDAP servers, as you need to query just the user object to receive both its attributes and its role mappings in a single step. Is this the reason why you want it, or do you have another reason?
How would you suggest the implementation of this requirement?
Can you imagine a way to implement it using the planned customised filter?
Should we go for a custom federation provider?
There are 2 steps to achieve it.

1) You can use the existing "User attribute" mapper to map the "memberOf" attribute to some attribute in the user model. This way "memberOf" will be queried from LDAP and saved into the Keycloak DB as part of the user record. You can check in the admin console (the user's "Attributes" tab) whether memberOf was successfully returned.

2) Then you may need to implement a custom LDAPFederationMapper, which will return a proxy user object, and override some methods of this proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and getClientRoleMappings) to return the roles based on the "memberOf" attribute, which is available on the UserModel thanks to the previous step. See the existing RoleLDAPFederationMapper for inspiration.

So you don't need a custom federation provider, just a custom federation mapper.

I wonder if we should support "memberOf" in Keycloak OOTB. I am curious about your reasons for using it in preference to "member".

Marek

thank you for your answers,
Giovanni

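Added example, not code from the thread or from Keycloak itself: a proxy user object of the kind step 2 describes, which a custom mapper would hand back in place of the plain UserModel. It assumes the Keycloak 1.x API of the time (`UserModelDelegate`, `UserModel.getAttribute(String)` returning a `List<String>`, `Set<RoleModel>` role mappings); the attribute name "memberOf", the base DN `ou=roles,dc=example,dc=com`, the class name and the mapper's proxy hook (not shown) are assumptions. Only DNs directly under the roles base are accepted and role names are looked up, never created, so an unrelated group DN in memberOf cannot grant a realm role.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

public class MemberOfRoleUserProxy extends UserModelDelegate {
    private static final String MEMBER_OF_ATTR = "memberOf";                // attribute saved in step 1
    private static final String ROLES_BASE_DN = "ou=roles,dc=example,dc=com"; // constructed example base
    private final RealmModel realm;
    public MemberOfRoleUserProxy(UserModel delegate, RealmModel realm) {
        super(delegate);
        this.realm = realm;
    }
    @Override
    public Set<RoleModel> getRoleMappings() {
        Set<RoleModel> roles = new HashSet<RoleModel>(super.getRoleMappings()); // keep DB-stored mappings
        List<String> memberOf = delegate.getAttribute(MEMBER_OF_ATTR);
        if (memberOf == null) return roles;
        for (String dn : memberOf) {
            String roleName = roleNameFromDn(dn);
            RoleModel role = (roleName == null) ? null : realm.getRole(roleName);
            if (role != null) roles.add(role); // unknown names are ignored, never auto-created
        }
        return roles;
    }
    @Override
    public boolean hasRole(RoleModel role) {
        for (RoleModel r : getRoleMappings()) {
            if (r.equals(role) || (r.isComposite() && r.hasRole(role))) return true; // composites too
        }
        return false;
    }
    // Leftmost RDN value of a DN that sits directly under ROLES_BASE_DN, else null.
    // LdapName handles RDN escaping, so "cn=a\,b,ou=roles,..." is not split on the escaped comma.
    static String roleNameFromDn(String dn) {
        try {
            LdapName name = new LdapName(dn), base = new LdapName(ROLES_BASE_DN);
            if (name.size() != base.size() + 1 || !name.startsWith(base)) return null;
            return String.valueOf(name.getRdn(name.size() - 1).getValue()); // index 0 is the rightmost RDN
        } catch (InvalidNameException e) {
            return null; // malformed DN: do not guess a role name
        }
    }
}
```

Client roles would need the same treatment in getClientRoleMappings, which this proxy leaves to the delegate.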

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user