Yes, feel free to create a JIRA for that.
You're right. There is a limitation that at registration time just the username is available to the LDAP federation provider. However, it should be possible to handle this in a mapper. Either we can create a new mapper or add an option to the current FullNameMapper so that it will use the username as a fallback if the full name is not yet available. LDAP doesn't have an issue with renaming the CN in a later phase. This mapper shouldn't be hard to do; hopefully I can do it even in the 1.9 or 1.10 release (not like your previous request for password history, which is a bit more tricky :) )
For Keycloak 2.X we plan some refactoring of the federation SPI and user management. So hopefully we can handle it more properly and have all attributes available even during federation registration.
Marek
On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:
Hi,
I would like to use the Full Name User Federation Mapper to set the CN attribute in Active Directory from Keycloak. If I am not mistaken this is currently not possible in Keycloak because on creation of the user the only thing that is available is the username and no other user attributes (see UserFederationManager#addUser(RealmModel realm, String username)).
Since the CN is mandatory it needs to be set during creation of the user object in AD (and in any LDAP server). With our current configuration, with the Full Name mapper enabled and configured to map to the CN attribute, we cannot create users from Keycloak since the full name (as well as the first and last name) and hence the CN are still empty on user creation:
10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
    at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
    at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
    at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
    at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
If I am not mistaken the way Keycloak creates users is by first creating an 'empty' user with only the username set, and after that the user is updated with all user attributes like first name, last name, email etc.
The only workaround we can find is to add an attribute mapper that maps the Keycloak username field to the CN LDAP/AD attribute. This works OK but it is different from how AD treats the CN, which is as the full name and not the user name.
Shall I create a JIRA issue for this?
cheers
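The "username as fallback" behaviour proposed above, modelled stand-alone as an added example (it is not Keycloak's FullNameLDAPFederationMapper and the function names are hypothetical). It reproduces how the naive first-plus-last join yields the `cn= ` seen in the log, applies the fallback, and escapes the CN value per RFC 4514 before it is placed into the DN; the base DN is taken from the log line in the thread.

```python
from typing import Optional

# RFC 4514 section 2.4: these characters must be escaped anywhere inside
# an attribute value that is embedded in a DN.
_RDN_SPECIAL = set(',+"\\<>;')


def rdn_escape(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def full_name(first: Optional[str], last: Optional[str]) -> str:
    """Naive join as a full-name mapper would do it. With both parts unset
    this returns a single space, which is exactly the 'cn= ' in the log."""
    return "%s %s" % (first or "", last or "")


def compute_cn(first: Optional[str], last: Optional[str], username: Optional[str],
               fallback_to_username: bool = True) -> str:
    """CN value with the proposed fallback: while first/last name are not yet
    known, use the username. Whitespace-only names are treated as empty,
    because ' ' is truthy and would otherwise pass a plain 'if name' check."""
    name = full_name(first, last).strip()
    if name:
        return name
    if fallback_to_username and username and username.strip():
        return username.strip()
    raise ValueError("CN would be empty: no full name and no username fallback")


def user_dn(first: Optional[str], last: Optional[str], username: Optional[str],
            base_dn: str = "ou=Customers,dc=hf,dc=info,dc=nl") -> str:
    """Build the user's DN from the computed CN (hypothetical helper)."""
    return "cn=%s,%s" % (rdn_escape(compute_cn(first, last, username)), base_dn)
```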
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user