Many thanks Marek!

By using: - LDAP federation provider with edit mode = UNSYNCED

A first test shows it works!

 

To be more precise my use case is:

Keycloak is the IDP for our products. Some customers have an LDAP, but their do not want we add our products(clients) roles/attributes in their LDAP.

 

We configured ‘LDAP Federation provider’ as read-only (+ edit mode=UNSYNCED)

We configured user/group/client with our specific products user roles+attributes.

On client mappers we map attributes we needs on tokens.

 

Gerard

 

 

From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: lundi 29 février 2016 09:33
To: Bill Burke; Jason Axley; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] user Attribute error

 

You can do this already though. You need to setup like:
- LDAP federation provider must have edit mode UNSYNCED
- LDAP mapper for your attribute must have "readOnly" to "on" and "alwaysReadValueFromLDAP" to "off". But this is default settings for the mapper for UNSYNCED edit mode anyway, so you don't need to explicitly configure anything in the mapper (you can just doublecheck if mapper is really set like this)

With setup like this, the attribute of user is read from LDAP during initial import of user from LDAP. But when you change attribute to some other value, the value is updated just to Keycloak DB (not to LDAP). And for all next reads of user, keycloak will see the value from the DB (not the one from LDAP).

Also you can add any new attribute to the user too. This will be always saved to Keycloak DB and never to LDAP.

Marek

On 27/02/16 01:07, Bill Burke wrote:

You have to code it yourself.  Not sure if our ldap adapter is documented to do that or not.

On 2/26/2016 7:03 PM, Jason Axley wrote:

Some Idm products provide a virtual-directory-like capability where you can manage derived attributes for users regardless of the origin data store.  I could see it be advantageous to be able to layer metadata or other derived data on identities to make things easier to consume in downstream systems.  Would that be feasible in Keycloak?

 

-Jason

 

From: <keycloak-user-bounces@lists.jboss.org> on behalf of Bill Burke <bburke@redhat.com>
Date: Friday, February 26, 2016 at 1:00 PM
To: "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] user Attribute error

 

Why do you expect to be able to add an attribute on a read-only LDAP?  I'm confused...

On 2/26/2016 11:03 AM, Gerard Laissard wrote:

Hi,

 

I’m using user Federation LDAP. The LDAP is read-only.

When I add a user Attribute, I get ‘Error! user is read-only!’

 

How can I add specific user attributes?

 

Thanks

Gerard




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user