If you're not in a hurry, it will be better to wait and put it into
Keycloak 2.X. Right now, we are around feature freeze for 1.X and the
MSAD password history support might mean a bit more refactoring and
change in more places. And right now, we don't have much time to
properly implement and test it due to other priority tasks TBH ;)
On 27/01/16 13:45, Edgar Vonk - Info.nl wrote:
Ok will do. Thanks Marek!
Regarding my password policies/history issue: I was trying to make it
into a pull request for you but I have not finished quite yet.
Considering the upcoming refactoring I now wonder if that would be
worth the trouble at this stage? We are not in a big hurry with this
feature in any case.
> On 27 Jan 2016, at 13:38, Marek Posolda <mposolda(a)redhat.com> wrote:
> Yes, feel free to create JIRA for that.
> You're right. There is a limitation that at registration time only the
> username is available to the LDAP federation provider. However, it should
> be possible to handle this in a mapper. Either we can create a new mapper
> or add an option to the current FullNameMapper so that it will use the
> username as a fallback if the full name is not yet available. LDAP doesn't
> have an issue with renaming the CN in a later phase. This mapper shouldn't
> be hard to do; hopefully I can do it even in the 1.9 or 1.10 release (not
> like your previous request for password history, which is a bit more
> tricky :) )
> For Keycloak 2.X we plan some refactoring of the federation SPI and
> user management. So hopefully we can handle it more properly and
> have all attributes available even during federation registration.
> On 27/01/16 13:25, Edgar Vonk - Info.nl <http://info.nl> wrote:
>> I would like to use the Full Name User Federation Mapper to set the
>> CN attribute in Active Directory from Keycloak. If I am not mistaken
>> this is currently not possible in Keycloak because on creation of
>> the user the only thing that is available is the username and no
>> other user attributes (see UserFederationManager#addUser(RealmModel
>> realm, String username)).
>> Since the CN is mandatory it needs to be set during creation of the
>> user object in AD (and in any LDAP server). With our current
>> configuration with the Full Name mapper enabled and configured to
>> map to the CN attribute we cannot create users from Keycloak since
>> the full name (as well as the first and last name) and hence the CN
>> are still empty on user creation:
>> 10:03:56,246 ERROR
>> [org.keycloak.services.resources.ModelExceptionMapper] (default
>> task-5) Error creating subcontext [cn=
>> org.keycloak.models.ModelException: Error creating subcontext [cn=
>> If I am not mistaken the way Keycloak creates users is by first
>> creating an ‘empty’ user with only the username set and after that
>> the user is updated with all user attributes like firstname, last
>> name, email etc.
>> The only workaround we can find is to add an attribute mapper that
>> maps the Keycloak username field to the CN LDAP/AD attribute. This
>> works OK but is different from how AD treats the CN, which is as the
>> full name and not the user name.
>> Shall I create a JIRA issue for this?
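Added example, not code from this thread or from Keycloak: a small Python model of the two-phase creation Edgar describes (user created with only the username, attributes applied afterwards) against an in-memory stand-in for AD that, like AD, rejects an entry with an empty cn but allows the cn to be renamed later. The mapper's username fallback is Marek's proposed option, modelled here; FakeDirectory, the ou=people base DN and the sample user are assumptions.

```python
# Model of Keycloak's two-phase user creation against an LDAP/AD-like store.
# FakeDirectory is a constructed stand-in, not Keycloak's or AD's real API.

class ModelException(Exception):
    """Mirrors the "Error creating subcontext [cn=" failure in the thread."""


class FakeDirectory:
    BASE = "ou=people,dc=example,dc=org"   # assumed base DN

    def __init__(self):
        self.entries = {}                  # dn -> attribute dict

    def create(self, attrs):
        # Like AD: the RDN attribute (cn) is mandatory at creation time.
        if not attrs.get("cn"):
            raise ModelException("Error creating subcontext [cn=")
        dn = f"cn={attrs['cn']},{self.BASE}"
        self.entries[dn] = dict(attrs)
        return dn

    def update(self, dn, attrs):
        # Like LDAP: changing cn later is fine, it is just a rename (new DN).
        entry = self.entries.pop(dn)
        entry.update(attrs)
        if not entry.get("cn"):
            raise ModelException("cn must not be empty")
        new_dn = f"cn={entry['cn']},{self.BASE}"
        self.entries[new_dn] = entry
        return new_dn


def full_name_mapper(user, fallback_to_username=False):
    """Maps first/last name to cn; with the assumed option, falls back to the
    username when the full name is not available yet (phase 1)."""
    parts = (user.get("firstName"), user.get("lastName"))
    full = " ".join(p for p in parts if p)
    if not full and fallback_to_username:
        full = user["username"]
    return {"cn": full}


def register_user(directory, username, profile, fallback):
    # Phase 1: only the username is known to the federation provider.
    first = {"username": username}
    dn = directory.create({"uid": username, **full_name_mapper(first, fallback)})
    # Phase 2: the remaining attributes arrive and the mapper runs again.
    later = {**first, **profile}
    return directory.update(dn, {**profile, **full_name_mapper(later, fallback)})
```

With the fallback the entry's DN changes between the two phases (cn=evonk becomes cn=Edgar Vonk), so anything that caches the DN across the update has to tolerate the rename.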