Many thanks Marek!
By using: - LDAP federation provider with edit mode = UNSYNCED
A first test shows it works!
To be more precise my use case is:
Keycloak is the IDP for our products. Some customers have an LDAP, but their do not want we add our products(clients) roles/attributes in their LDAP.
We configured ‘LDAP Federation provider’ as read-only (+ edit mode=UNSYNCED)
We configured user/group/client with our specific products user roles+attributes.
On client mappers we map attributes we needs on tokens.
Gerard
From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: lundi 29 février 2016 09:33
To: Bill Burke; Jason Axley; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] user Attribute error
You can do this already though. You need to setup like:
- LDAP federation provider must have edit mode UNSYNCED
- LDAP mapper for your attribute must have "readOnly" to "on" and "alwaysReadValueFromLDAP" to "off". But this is default settings for the mapper for UNSYNCED edit mode anyway, so you don't need to explicitly configure anything in the mapper (you can just doublecheck
if mapper is really set like this)
With setup like this, the attribute of user is read from LDAP during initial import of user from LDAP. But when you change attribute to some other value, the value is updated just to Keycloak DB (not to LDAP). And for all next reads of user, keycloak will see
the value from the DB (not the one from LDAP).
Also you can add any new attribute to the user too. This will be always saved to Keycloak DB and never to LDAP.
Marek
On 27/02/16 01:07, Bill Burke wrote: