There are different kinds of emails in my project, such as John(a)company01.br,
and also another John from another company, such as John(a)company02.br.
So... I solved that by using System.currentTimeMillis() as username. This
could be unique and non-changeable.
Thanks again Marek!
Best Regards,
Celso Agra
On Wed, 11 Oct 2017 at 03:34, Marek Posolda <mposolda(a)redhat.com> wrote:
Yes, I was wondering that maybe you will see some error like this. And +1
to set some other non-changeable attribute as "uid". I am sure that it's
doable with custom LDAP mapper, which will add the value just during the
registration time, but not update it later. Maybe the best is to use just
the first part of the "initial" email as username. Something like:
- User registers with john123(a)email.com
- Mapper will extract just the first part of the email, so "john123", and
  use it as RDN of LDAP. So user in LDAP will be saved like
  "uid=john123,cn=users,dc=example,dc=com"
- When email is changed to "john123-updated(a)email.cz", the UID will remain
  unchanged and will be still "uid=john123,cn=users,dc=example,dc=com"
Maybe timestamp is useful as well, not sure.
Marek
On 11.10.2017 at 00:14, Celso Agra wrote:
I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP
Attribute" and set some configs on LDAP Mapper,
but I got an error:
Could not create user: org.keycloak.models.ModelException: RDN Attribute
[uid] is not filled. Filled attributes: {mail=[], cn=[ ], sn=[ ],
createTimestamp=[], modifyTimestamp=[]}
Maybe changing the username could be a bad practice. It could be better if I set a
special number as username, such as a timestamp. This could solve my issue.
Thanks Marek
2017-10-10 9:08 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
> Thanks.
>
> I see it probably doesn't work as you have email as username and "uid" is
> used as both username attribute and RDN attribute. When you're changing
> email of user in Keycloak, it is trying to change "uid" in LDAP, but that's
> not allowed.
>
> I can imagine that things might work if you configure "mail" as "Username
> LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to
> do some tricks with mappers and maybe implement your own LDAP mapper. If
> you don't manage to have this working, feel free to create JIRA.
>
> Marek
>
>
>
> On 09/10/17 18:54, Celso Agra wrote:
>
> Thanks for your answer, Marek!
>
> Here is some of my configs. In addition, I put the same values to
> username and e-mail.
>
> Here is my User Representation:
>
>> UserRepresentation user = new UserRepresentation();
>> user.setUsername(email);
>> user.setFirstName(firstName);
>> user.setLastName(lastName);
>> user.setEnabled(true);
>> user.setEmail(email);
>
>
> Best regards,
>
> Celso Agra
>
>
> 2017-10-09 10:37 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
>
>> We didn't try to test this use-case though. But it may work as long as
>> things are configured correctly. Maybe I would re-create the LDAP provider
>> with the "Username LDAP attribute" set to "mail", but the "RDN LDAP
>> Attribute" to "uid". Is this the configuration you're using?
>>
>> If things still don't work, you can possibly create JIRA. Ideally
>> with the details of the configuration of your LDAP provider, realm (whether
>> 'username as email' is enabled etc) and how LDAP users look like and how
>> you expect them to look like after.
>>
>> Regards,
>> Marek
>>
>>
>> On 04/10/17 15:45, Celso Agra wrote:
>>
>>> Hi all,
>>>
>>> I'm getting a strange behavior.
>>>
>>> My LDAP (openldap) is configured as writable in my User Federation. So, I
>>> can create a user from my Keycloak, but when I change the username, the
>>> user disappears from my user's list.
>>>
>>> I checked the LDAP and the user is still there, with the 'old' username.
>>> So, is there some way to change the username without it disappearing from
>>> the keycloak user's list?
>>>
>>> This occurs because in my case, the username is the same as the email. So,
>>> if the user changes email, I have to change the username also.
>>>
>>> I'm using version 3.0.0.Final
>>>
>>>
>>> Best regards
>>>
>>
>>
>>
>
>
> --
> ---
> *Celso Agra*
>
>
>
--
---
*Celso Agra*
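
Added example, not part of the thread and not Keycloak code: a stand-alone Java sketch of the scheme discussed above, where the uid is derived once from the local part of the initial email, de-duplicated when two addresses share a local part, and left untouched when the email later changes. The class name, the in-memory map standing in for the LDAP directory, the numeric-suffix rule and the sample addresses are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical stand-alone sketch: no Keycloak classes are used, and the map
// below stands in for the LDAP directory (uid -> current mail attribute).
public class ImmutableUidDemo {
    private final Map<String, String> directory = new HashMap<>();
    private final String usersDn;

    ImmutableUidDemo(String usersDn) { this.usersDn = usersDn; }

    // Runs once, at registration: uid = local part of the initial email.
    String register(String initialEmail) {
        int at = initialEmail.indexOf('@');
        if (at <= 0) throw new IllegalArgumentException("not an email address");
        // uid is matched case-insensitively in LDAP, so normalise before comparing.
        String base = initialEmail.substring(0, at).toLowerCase(Locale.ROOT);
        String uid = base;
        // Same local part at another domain: add a numeric suffix.
        for (int n = 2; directory.containsKey(uid); n++) uid = base + "-" + n;
        directory.put(uid, initialEmail);
        return uid;
    }

    // Email change: only the mail attribute is rewritten, never the RDN value.
    void changeEmail(String uid, String newEmail) {
        if (directory.replace(uid, newEmail) == null)
            throw new IllegalArgumentException("unknown uid");
    }

    // Rdn escapes DN-special characters (',', '+', ...) in the value.
    String dnOf(String uid) throws InvalidNameException {
        LdapName dn = new LdapName(usersDn);
        dn.add(new Rdn("uid", uid));
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        ImmutableUidDemo ldap = new ImmutableUidDemo("cn=users,dc=example,dc=com");
        String a = ldap.register("john@company01.br");   // constructed addresses
        String b = ldap.register("John@company02.br");
        ldap.changeEmail(a, "john-updated@company01.br");
        System.out.println(ldap.dnOf(a) + " mail=" + ldap.directory.get(a));
        System.out.println(ldap.dnOf(b) + " mail=" + ldap.directory.get(b));
    }
}
```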