Yes, feel free to create JIRA for that.
You're right. There is limitation, that at registration time, just
username is available to LDAP federation provider. However it
should be possible to handle this in mapper. Either we can create
new mapper or add the option to current FullNameMapper, that it
will use username as fallback if fullname is not yet available.
LDAP doesn't have issue with renaming CN in later phase. This
mapper shouldn't be hard to do, hopefully I can do it even in 1.9
or 1.10 release (not like your previous request for password
history, which is a bit more tricky :) )
For Keycloak 2.X we plan some refactoring of federation SPI and
user's management. So hopefully we can handle it more properly and
have all attributes available even during federation registration.
On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:
I would like to use the Full Name User Federation
Mapper to set the CN attribute in Active Directory from
Keycloak. If I am not mistaken this is currently not possible in
Keycloak because on creation of the user the only thing that is
available is the username and no other user attributes (see
UserFederationManager#addUser(RealmModel realm, String
Since the CN is mandatory it needs to be set during
creation of the user object in AD (and in any LDAP server).
With our current configuration with the Full Name mapper
enabled and configured to map to the CN attribute we cannot
create users from Keycloak since the full name (as well as the
first and last name) and hence the CN are still empty on user
10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
If I am not mistaken the way Keycloak creates users
is by first creating an ‘empty’ user with only the username set
and after that the user is updated with all user attributes like
firstname, last name, email etc.
The only workaround we can find is to add an
attribute mapper that maps the Keycloak username field to the CN
LDAP/AD attribute. This works ok but it different from how AD
treats the CN which is as the full name and not the user name.
Shall I create a JIRA issue for this?
keycloak-user mailing list