Hi Marek, thanks for the quick reply.
1. I am definitely sure that the attributes I need are in the LDAP record.
2. Adding trace to federation.ldap shows my mapped attributes being read.
3. There is no USER_ATTRIBUTES table; I'm assuming you meant USER_ATTRIBUTE, but it doesn't have my attributes. It does have a reference to my LDAP_ID so it looks like it should be here:
MariaDB [keycloak]> select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID                              |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 | 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 | 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+
Thanks for your time on this.
*Kevin Thorpe*
CTO
www.p-i.net | @PI_150
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
On 19 June 2015 at 10:15, Marek Posolda <mposolda(a)redhat.com> wrote:
There are a few steps here and the result will work only if all steps succeed. So it might help to try to find which step could be wrong here:

1) You can double-check if your user really has the 'applications' attribute in LDAP.

2) If (1) is ok, you can enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml. With it, you should see some trace messages with the names and values of all LDAP attributes which are loaded in the user record. You should see the 'applications' attribute loaded.

3) If (2) is ok, you can browse the Keycloak database and check if the attribute 'applications' is really there. The user attributes are saved in the table USER_ATTRIBUTES. Currently it's not possible to browse user attributes generically in the admin console (unless you do a custom theme), so browsing the DB seems to be the only possibility.

4) If (3) is ok, the issue is not in the LDAP interaction, but in the protocol mapper configuration. Make sure you use the correct protocol mapper (in your case it should be the "User attributes" mapper, not the "User property" mapper).

Also, if your application is Java based, the value of the 'applications' claim is saved in the accessToken in the 'otherClaims' map and can be retrieved with something like: accessToken.getOtherClaims().get("applications");
Marek
On 18.6.2015 17:50, Kevin Thorpe wrote:
Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings, which I see has now been done. Unfortunately I can't seem to get it to work.

I have added a user attribute mapper to my LDAP federation. This maps the LDAP attribute 'applications', which exists on my LDAP user record, to 'applications' in Keycloak.

I have also added a user attribute token mapper to my Keycloak client definition to map user attribute 'applications' to token claim 'applications'. I've also asked to add it to both the ID and access token.

However, this attribute is not present in either the ID or access token when testing. Is there something I've missed?

Something that may be an issue though is that I'm using a home-written openid-connect Lua client based on your JavaScript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn't support these attributes yet?
*Kevin Thorpe *
CTO, PI ltd
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
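For step (4) of the procedure above, the question is whether the 'applications' claim actually reached the ID token or the access token that the token endpoint returned. The following Python is an added example, not code from the thread or from Keycloak: it decodes the claims segment of each JWT in a constructed token response (signature deliberately not verified, inspection only) and reports, per token, what the claim contains. The sample response and its contents are constructed for the example.

```python
import base64
import json


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _fake_jwt(claims):
    """JWT-shaped string with a dummy signature (constructed sample, not a real Keycloak token)."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    return ".".join([header, _b64url(claims), "constructed-signature"])


# Constructed stand-in for the JSON body returned by
# /auth/realms/master/protocol/openid-connect/token. Here the claim reached the
# access token but not the ID token, the kind of mismatch worth surfacing.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": _fake_jwt({
        "sub": "471f0b4f-cb7c-4610-b3d6-ddd3a18e9986",
        "preferred_username": "kevin",
        "applications": ["crm", "billing"],
    }),
    "id_token": _fake_jwt({
        "sub": "471f0b4f-cb7c-4610-b3d6-ddd3a18e9986",
        "preferred_username": "kevin",
    }),
}


def decode_payload(jwt):
    """Return the claims of a compact JWT as a dict.

    The signature is not checked: this inspects what the server put in the
    token; it must not be used to trust the token's contents.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_claim(token_response, claim):
    """Map each token in the response to the value of `claim` it carries (None if absent)."""
    return {
        name: decode_payload(token_response[name]).get(claim)
        for name in ("access_token", "id_token")
        if name in token_response
    }


if __name__ == "__main__":
    print(find_claim(SAMPLE_TOKEN_RESPONSE, "applications"))
```

If the claim is absent from both tokens while the attribute is visible in the database, the client's protocol mapper is the place to look; if it is present in one token only, the mapper's "add to ID token" / "add to access token" settings are.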