Hi,
I have User Federation to connect with our Azure AD through LDAP. When I have the default
value ‘objectGUID’ for UUID LDAP attribute property it processed correctly and in
LDAP_ID user attribute I can see correct UUID formate.
Though, if user UUID provided not in ‘objectGUID’ but in ‘msDS-AzureADObjectId’
LDAP-attribute it doesn’t work. In this case, when I set ‘msDS-AzureADObjectId’ value
into UUID LDAP attribute property I get incorrect string value in LDAP_ID.
It looks like KC can correctly process UUID only if it comes in ‘objectGUID’ attribute. In
other cases, we get an incorrect result.
So, the problem in org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675
where KC has hardcode action for ‘objectGUID’ value and other fields processed as a
plain string. Also, ‘objectGUID’ always gets from LDAP as a binary field
but ‘msDS-AzureADObjectId’ doesn't and I need to create user-attribute-ldap-mapper to
mark this attribute as binary.
The way I fixed it locally:
* create user-attribute-ldap-mapper for ‘msDS-AzureADObjectId’ LDAP-attribute + mark this
attribute as binary.
* set UUID LDAP attribute property to ‘msDS-AzureADObjectId’
* fix condition
from org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675 to
if (this.config.isActiveDirectory() && entryUUID instanceof byte[])
Is it a bug and can we expect a fix in future versions of KC?
-------
Regards
Alina Gromova