12:12 p.m.
Hi,
Here is the scenario:
Java web application client registers users to local LDAP/DB and sets roles.
These users are periodically synced to Keycloak. Roles are also synced once
as it not changed more often.
So when a user registered in local LDAP via application, they are also
reflected in Keycloak but they can't access web application after login via
Keycloak.
The new users can access only after setting client roles manually.
What is the best option to automate this. Is there is any API to set client
roles?
If available, we can't write code to set role in registration method since
the users will be synced to Keycloak only on next sync. Then option is a
delayed call which first ensures that the user reached Keycloak DB and then
set role.
Please share your thoughts!
Thanks!
8:46 p.m.
I think admin-cli will help you regarding this but issue is documetation is
not that good.
On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com> wrote:
Hi,
Here is the scenario:
Java web application client registers users to local LDAP/DB and sets
roles.
These users are periodically synced to Keycloak. Roles are also synced once
as it not changed more often.
So when a user registered in local LDAP via application, they are also
reflected in Keycloak but they can't access web application after login via
Keycloak.
The new users can access only after setting client roles manually.
What is the best option to automate this. Is there is any API to set client
roles?
If available, we can't write code to set role in registration method since
the users will be synced to Keycloak only on next sync. Then option is a
delayed call which first ensures that the user reached Keycloak DB and then
set role.
Please share your thoughts!
Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:20 p.m.
Do you have any links that will be helpful?
On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82(a)gmail.com> wrote:
I think admin-cli will help you regarding this but issue is
documetation
is not that good.
On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com> wrote:
> Hi,
>
> Here is the scenario:
> Java web application client registers users to local LDAP/DB and sets
> roles.
> These users are periodically synced to Keycloak. Roles are also synced
> once
> as it not changed more often.
> So when a user registered in local LDAP via application, they are also
> reflected in Keycloak but they can't access web application after login
> via
> Keycloak.
> The new users can access only after setting client roles manually.
> What is the best option to automate this. Is there is any API to set
> client
> roles?
> If available, we can't write code to set role in registration method since
> the users will be synced to Keycloak only on next sync. Then option is a
> delayed call which first ensures that the user reached Keycloak DB and
> then
> set role.
> Please share your thoughts!
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
12:09 a.m.
You have to write script to run admin-cli commands
https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com> wrote:
Do you have any links that will be helpful?
On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82(a)gmail.com>
wrote:
> I think admin-cli will help you regarding this but issue is documetation
> is not that good.
>
> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com> wrote:
>
>> Hi,
>>
>> Here is the scenario:
>> Java web application client registers users to local LDAP/DB and sets
>> roles.
>> These users are periodically synced to Keycloak. Roles are also synced
>> once
>> as it not changed more often.
>> So when a user registered in local LDAP via application, they are also
>> reflected in Keycloak but they can't access web application after login
>> via
>> Keycloak.
>> The new users can access only after setting client roles manually.
>> What is the best option to automate this. Is there is any API to set
>> client
>> roles?
>> If available, we can't write code to set role in registration method
>> since
>> the users will be synced to Keycloak only on next sync. Then option is a
>> delayed call which first ensures that the user reached Keycloak DB and
>> then
>> set role.
>> Please share your thoughts!
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
1:32 a.m.
Got this sample:
https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <subodhcjoshi82(a)gmail.com>
wrote:
You have to write script to run admin-cli commands
https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com> wrote:
> Do you have any links that will be helpful?
>
> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82(a)gmail.com>
> wrote:
>
>> I think admin-cli will help you regarding this but issue is documetation
>> is not that good.
>>
>> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Here is the scenario:
>>> Java web application client registers users to local LDAP/DB and sets
>>> roles.
>>> These users are periodically synced to Keycloak. Roles are also synced
>>> once
>>> as it not changed more often.
>>> So when a user registered in local LDAP via application, they are also
>>> reflected in Keycloak but they can't access web application after login
>>> via
>>> Keycloak.
>>> The new users can access only after setting client roles manually.
>>> What is the best option to automate this. Is there is any API to set
>>> client
>>> roles?
>>> If available, we can't write code to set role in registration method
>>> since
>>> the users will be synced to Keycloak only on next sync. Then option is a
>>> delayed call which first ensures that the user reached Keycloak DB and
>>> then
>>> set role.
>>> Please share your thoughts!
>>>
>>> Thanks!
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
3:04 a.m.
Can't you just create 'role-ldap-mapper' in your ldap user federation so
it reflects your ldap roles to keycloak realm or client roles ?
Assuming that roles in your local LDAP are the same (name) than the one
you use in keycloak.
Le 18/05/2018 à 08:32, valsaraj pv a écrit :
Got this sample:
https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <subodhcjoshi82(a)gmail.com>
wrote:
> You have to write script to run admin-cli commands
> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>
> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com> wrote:
>
>> Do you have any links that will be helpful?
>>
>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82(a)gmail.com>
>> wrote:
>>
>>> I think admin-cli will help you regarding this but issue is documetation
>>> is not that good.
>>>
>>> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Here is the scenario:
>>>> Java web application client registers users to local LDAP/DB and sets
>>>> roles.
>>>> These users are periodically synced to Keycloak. Roles are also synced
>>>> once
>>>> as it not changed more often.
>>>> So when a user registered in local LDAP via application, they are also
>>>> reflected in Keycloak but they can't access web application after
login
>>>> via
>>>> Keycloak.
>>>> The new users can access only after setting client roles manually.
>>>> What is the best option to automate this. Is there is any API to set
>>>> client
>>>> roles?
>>>> If available, we can't write code to set role in registration method
>>>> since
>>>> the users will be synced to Keycloak only on next sync. Then option is a
>>>> delayed call which first ensures that the user reached Keycloak DB and
>>>> then
>>>> set role.
>>>> Please share your thoughts!
>>>>
>>>> Thanks!
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
> --
> Subodh Chandra Joshi
> subodh1_joshi82(a)yahoo.co.in
> http://www.trendsinnews.com
>
--
Raphaël HOAREAU | Support & Hosting Solutions Manager
raphael.hoareau(a)worteks.com
+33 7 72 37 59 82
Worteks | https://www.worteks.com
3:11 a.m.
Yes, 'role-ldap-mapper created & those roles appeared in Keyclock client
set in mapper. But these roles were not assigned to users. For that need to
open user from admin cosole & select client abd set client roles. I am
checking how to automate this.
On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa(a)worteks.com> wrote:
Can't you just create 'role-ldap-mapper' in your ldap
user federation so
it reflects your ldap roles to keycloak realm or client roles ?
Assuming that roles in your local LDAP are the same (name) than the one
you use in keycloak.
Le 18/05/2018 à 08:32, valsaraj pv a écrit :
> Got this sample:
> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
>
> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <subodhcjoshi82(a)gmail.com
>
> wrote:
>
>> You have to write script to run admin-cli commands
>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>
>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com>
wrote:
>>
>>> Do you have any links that will be helpful?
>>>
>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, <subodhcjoshi82(a)gmail.com>
>>> wrote:
>>>
>>>> I think admin-cli will help you regarding this but issue is
documetation
>>>> is not that good.
>>>>
>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com>
wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Here is the scenario:
>>>>> Java web application client registers users to local LDAP/DB and
sets
>>>>> roles.
>>>>> These users are periodically synced to Keycloak. Roles are also
synced
>>>>> once
>>>>> as it not changed more often.
>>>>> So when a user registered in local LDAP via application, they are
also
>>>>> reflected in Keycloak but they can't access web application
after
login
>>>>> via
>>>>> Keycloak.
>>>>> The new users can access only after setting client roles manually.
>>>>> What is the best option to automate this. Is there is any API to
set
>>>>> client
>>>>> roles?
>>>>> If available, we can't write code to set role in registration
method
>>>>> since
>>>>> the users will be synced to Keycloak only on next sync. Then option
is a
>>>>> delayed call which first ensures that the user reached Keycloak DB
and
>>>>> then
>>>>> set role.
>>>>> Please share your thoughts!
>>>>>
>>>>> Thanks!
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82(a)yahoo.co.in
>> http://www.trendsinnews.com
>>
>
>
--
Raphaël HOAREAU | Support & Hosting Solutions Manager
raphael.hoareau(a)worteks.com
+33 7 72 37 59 82
Worteks | https://www.worteks.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
5:17 a.m.
We used admin-cli in our project to make things automate some first time
system brought up,we create user/group/client/realm and map group with
user ,See if this will help you to automate your requirement.
https://mytechnicallife.quora.com/Keycloak-how-to-work-with-admin-cli
Thanks & regards
On Fri, May 18, 2018 at 1:42 PM valsaraj pv <valsarajpv(a)gmail.com> wrote:
Yes, 'role-ldap-mapper created & those roles appeared in
Keyclock client
set in mapper. But these roles were not assigned to users. For that need to
open user from admin cosole & select client abd set client roles. I am
checking how to automate this.
On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa(a)worteks.com>
wrote:
> Can't you just create 'role-ldap-mapper' in your ldap user federation
so
> it reflects your ldap roles to keycloak realm or client roles ?
>
> Assuming that roles in your local LDAP are the same (name) than the one
> you use in keycloak.
>
>
> Le 18/05/2018 à 08:32, valsaraj pv a écrit :
> > Got this sample:
> >
https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
> >
> > On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <
subodhcjoshi82(a)gmail.com
> >
> > wrote:
> >
> >> You have to write script to run admin-cli commands
> >> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
> >>
> >> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com>
> wrote:
> >>
> >>> Do you have any links that will be helpful?
> >>>
> >>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi,
<subodhcjoshi82(a)gmail.com
>
> >>> wrote:
> >>>
> >>>> I think admin-cli will help you regarding this but issue is
> documetation
> >>>> is not that good.
> >>>>
> >>>> On Thu, 17 May 2018, 22:43 valsaraj pv,
<valsarajpv(a)gmail.com>
wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> Here is the scenario:
> >>>>> Java web application client registers users to local LDAP/DB
and
sets
> >>>>> roles.
> >>>>> These users are periodically synced to Keycloak. Roles are
also
> synced
> >>>>> once
> >>>>> as it not changed more often.
> >>>>> So when a user registered in local LDAP via application, they
are
> also
> >>>>> reflected in Keycloak but they can't access web application
after
> login
> >>>>> via
> >>>>> Keycloak.
> >>>>> The new users can access only after setting client roles
manually.
> >>>>> What is the best option to automate this. Is there is any API
to
set
> >>>>> client
> >>>>> roles?
> >>>>> If available, we can't write code to set role in
registration
method
> >>>>> since
> >>>>> the users will be synced to Keycloak only on next sync. Then
option
> is a
> >>>>> delayed call which first ensures that the user reached Keycloak
DB
> and
> >>>>> then
> >>>>> set role.
> >>>>> Please share your thoughts!
> >>>>>
> >>>>> Thanks!
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user(a)lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>
> >> --
> >> Subodh Chandra Joshi
> >> subodh1_joshi82(a)yahoo.co.in
> >> http://www.trendsinnews.com
> >>
> >
> >
> --
> Raphaël HOAREAU | Support & Hosting Solutions Manager
>
> raphael.hoareau(a)worteks.com
> +33 7 72 37 59 82
>
> Worteks | https://www.worteks.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
2:04 a.m.
That's strange. The role-kdap-mapper should ensure that roles from LDAP
are available in Keycloak and also that they are assigned to users in
Keycloak. So Keycloak should be able to see the role mappings based on
the role mappings in LDAP. It's just a matter of correct configuration.
You can take a look at "keycloak-examples" distribution and the example
"ldap" to see how to configure things.
Marek
On 18/05/18 10:11, valsaraj pv wrote:
Yes, 'role-ldap-mapper created & those roles appeared in
Keyclock client
set in mapper. But these roles were not assigned to users. For that need to
open user from admin cosole & select client abd set client roles. I am
checking how to automate this.
On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa(a)worteks.com> wrote:
> Can't you just create 'role-ldap-mapper' in your ldap user federation so
> it reflects your ldap roles to keycloak realm or client roles ?
>
> Assuming that roles in your local LDAP are the same (name) than the one
> you use in keycloak.
>
>
> Le 18/05/2018 à 08:32, valsaraj pv a écrit :
>> Got this sample:
>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
>>
>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <subodhcjoshi82(a)gmail.com
>>
>> wrote:
>>
>>> You have to write script to run admin-cli commands
>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>>
>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com>
> wrote:
>>>> Do you have any links that will be helpful?
>>>>
>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi,
<subodhcjoshi82(a)gmail.com>
>>>> wrote:
>>>>
>>>>> I think admin-cli will help you regarding this but issue is
> documetation
>>>>> is not that good.
>>>>>
>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, <valsarajpv(a)gmail.com>
wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Here is the scenario:
>>>>>> Java web application client registers users to local LDAP/DB and
sets
>>>>>> roles.
>>>>>> These users are periodically synced to Keycloak. Roles are also
> synced
>>>>>> once
>>>>>> as it not changed more often.
>>>>>> So when a user registered in local LDAP via application, they
are
> also
>>>>>> reflected in Keycloak but they can't access web application
after
> login
>>>>>> via
>>>>>> Keycloak.
>>>>>> The new users can access only after setting client roles
manually.
>>>>>> What is the best option to automate this. Is there is any API to
set
>>>>>> client
>>>>>> roles?
>>>>>> If available, we can't write code to set role in registration
method
>>>>>> since
>>>>>> the users will be synced to Keycloak only on next sync. Then
option
> is a
>>>>>> delayed call which first ensures that the user reached Keycloak
DB
> and
>>>>>> then
>>>>>> set role.
>>>>>> Please share your thoughts!
>>>>>>
>>>>>> Thanks!
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>> --
>>> Subodh Chandra Joshi
>>> subodh1_joshi82(a)yahoo.co.in
>>> http://www.trendsinnews.com
>>>
>>
> --
> Raphaël HOAREAU | Support & Hosting Solutions Manager
>
> raphael.hoareau(a)worteks.com
> +33 7 72 37 59 82
>
> Worteks | https://www.worteks.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2:49 a.m.
roles from LDAP are available in Keycloak - worked
they are assigned to users in Keycloak - I checked both realm roles &
client roles. But not shown when I opened the user in KC admin console.
I will check LDAP sample.
On Tue, May 22, 2018 at 12:34 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
That's strange. The role-kdap-mapper should ensure that roles
from LDAP
are available in Keycloak and also that they are assigned to users in
Keycloak. So Keycloak should be able to see the role mappings based on the
role mappings in LDAP. It's just a matter of correct configuration. You can
take a look at "keycloak-examples" distribution and the example
"ldap" to
see how to configure things.
Marek
On 18/05/18 10:11, valsaraj pv wrote:
> Yes, 'role-ldap-mapper created & those roles appeared in Keyclock client
> set in mapper. But these roles were not assigned to users. For that need
> to
> open user from admin cosole & select client abd set client roles. I am
> checking how to automate this.
>
> On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa(a)worteks.com>
> wrote:
>
> Can't you just create 'role-ldap-mapper' in your ldap user federation so
>> it reflects your ldap roles to keycloak realm or client roles ?
>>
>> Assuming that roles in your local LDAP are the same (name) than the one
>> you use in keycloak.
>>
>>
>> Le 18/05/2018 à 08:32, valsaraj pv a écrit :
>>
>>> Got this sample:
>>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b
>>>
>>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <
>>> subodhcjoshi82(a)gmail.com
>>>
>>> wrote:
>>>
>>> You have to write script to run admin-cli commands
>>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>>>
>>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv <valsarajpv(a)gmail.com>
>>>>
>>> wrote:
>>
>>> Do you have any links that will be helpful?
>>>>>
>>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi,
<subodhcjoshi82(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>> I think admin-cli will help you regarding this but issue is
>>>>>>
>>>>> documetation
>>
>>> is not that good.
>>>>>>
>>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv,
<valsarajpv(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>>
>>>>>>> Here is the scenario:
>>>>>>> Java web application client registers users to local LDAP/DB
and
>>>>>>> sets
>>>>>>> roles.
>>>>>>> These users are periodically synced to Keycloak. Roles are
also
>>>>>>>
>>>>>> synced
>>
>>> once
>>>>>>> as it not changed more often.
>>>>>>> So when a user registered in local LDAP via application, they
are
>>>>>>>
>>>>>> also
>>
>>> reflected in Keycloak but they can't access web application after
>>>>>>>
>>>>>> login
>>
>>> via
>>>>>>> Keycloak.
>>>>>>> The new users can access only after setting client roles
manually.
>>>>>>> What is the best option to automate this. Is there is any API
to set
>>>>>>> client
>>>>>>> roles?
>>>>>>> If available, we can't write code to set role in
registration method
>>>>>>> since
>>>>>>> the users will be synced to Keycloak only on next sync. Then
option
>>>>>>>
>>>>>> is a
>>
>>> delayed call which first ensures that the user reached Keycloak DB
>>>>>>>
>>>>>> and
>>
>>> then
>>>>>>> set role.
>>>>>>> Please share your thoughts!
>>>>>>>
>>>>>>> Thanks!
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>> --
>>>> Subodh Chandra Joshi
>>>> subodh1_joshi82(a)yahoo.co.in
>>>> http://www.trendsinnews.com
>>>>
>>>>
>>> --
>> Raphaël HOAREAU | Support & Hosting Solutions Manager
>>
>> raphael.hoareau(a)worteks.com
>> +33 7 72 37 59 82
>>
>> Worteks | https://www.worteks.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
4:05 a.m.
I checked configuration in LDAP sample:
{
"name" : "finance roles",
"federationMapperType" : "role-ldap-mapper",
"federationProviderDisplayName" : "ldap-apacheds",
"config" : {
"roles.dn" : "ou=FinanceRoles,dc=keycloak,dc=org",
"membership.ldap.attribute" : "member",
"role.name.ldap.attribute" : "cn",
"role.object.classes" : "groupOfNames",
"mode" : "LDAP_ONLY",
"use.realm.roles.mapping" : "false",
"client.id" : "finance"
}
}
Here is my config:
{
"id": "e0e3a3f6-986f-4352-9242-53fead7ec6b2",
"name": "app-groups",
"providerId": "role-ldap-mapper",
"subComponents": {},
"config": {
"mode": [
"IMPORT"
],
"membership.attribute.type": [
"DN"
],
"user.roles.retrieve.strategy": [
"LOAD_ROLES_BY_MEMBER_ATTRIBUTE"
],
"roles.dn": [
"ou=groups,dc=app,dc=com"
],
"membership.user.ldap.attribute": [
"uid"
],
"membership.ldap.attribute": [
"uniqueMember"
],
"role.name.ldap.attribute": [
"cn"
],
"memberof.ldap.attribute": [
"memberOf"
],
"use.realm.roles.mapping": [
"false"
],
"role.object.classes": [
"groupOfUniqueNames, top"
],
"client.id": [
"app"
]
}
}
This OpenLDAP to Keycloak sync roles configured. Please let me know if you
see anything wrong. I can see roles synced but for users, these roles not
associated if they are member of some ldap groups.
Here is a group sample:
cn
- appAdminConsole
objectClass
- groupOfUniqueNames
- top
uniqueMember
- uid=testuser,ou=people,dc=app,dc=com
The group appAdminConsole synced & shown under client roles but when I
open testuser, none of the roles are shown.
On Tue, May 22, 2018 at 1:19 PM, valsaraj pv <valsarajpv(a)gmail.com> wrote:
roles from LDAP are available in Keycloak - worked
they are assigned to users in Keycloak - I checked both realm roles &
client roles. But not shown when I opened the user in KC admin console.
I will check LDAP sample.
On Tue, May 22, 2018 at 12:34 PM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> That's strange. The role-kdap-mapper should ensure that roles from LDAP
> are available in Keycloak and also that they are assigned to users in
> Keycloak. So Keycloak should be able to see the role mappings based on the
> role mappings in LDAP. It's just a matter of correct configuration. You can
> take a look at "keycloak-examples" distribution and the example
"ldap" to
> see how to configure things.
>
> Marek
>
>
> On 18/05/18 10:11, valsaraj pv wrote:
>
>> Yes, 'role-ldap-mapper created & those roles appeared in Keyclock
client
>> set in mapper. But these roles were not assigned to users. For that need
>> to
>> open user from admin cosole & select client abd set client roles. I am
>> checking how to automate this.
>>
>> On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU <raphoa(a)worteks.com>
>> wrote:
>>
>> Can't you just create 'role-ldap-mapper' in your ldap user federation
so
>>> it reflects your ldap roles to keycloak realm or client roles ?
>>>
>>> Assuming that roles in your local LDAP are the same (name) than the one
>>> you use in keycloak.
>>>
>>>
>>> Le 18/05/2018 à 08:32, valsaraj pv a écrit :
>>>
>>>> Got this sample:
>>>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff
>>>> 3b87173a84b
>>>>
>>>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi <
>>>> subodhcjoshi82(a)gmail.com
>>>>
>>>> wrote:
>>>>
>>>> You have to write script to run admin-cli commands
>>>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
>>>>>
>>>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv
<valsarajpv(a)gmail.com>
>>>>>
>>>> wrote:
>>>
>>>> Do you have any links that will be helpful?
>>>>>>
>>>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi,
<subodhcjoshi82(a)gmail.com
>>>>>> >
>>>>>> wrote:
>>>>>>
>>>>>> I think admin-cli will help you regarding this but issue is
>>>>>>>
>>>>>> documetation
>>>
>>>> is not that good.
>>>>>>>
>>>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv,
<valsarajpv(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Here is the scenario:
>>>>>>>> Java web application client registers users to local
LDAP/DB and
>>>>>>>> sets
>>>>>>>> roles.
>>>>>>>> These users are periodically synced to Keycloak. Roles
are also
>>>>>>>>
>>>>>>> synced
>>>
>>>> once
>>>>>>>> as it not changed more often.
>>>>>>>> So when a user registered in local LDAP via application,
they are
>>>>>>>>
>>>>>>> also
>>>
>>>> reflected in Keycloak but they can't access web application after
>>>>>>>>
>>>>>>> login
>>>
>>>> via
>>>>>>>> Keycloak.
>>>>>>>> The new users can access only after setting client roles
manually.
>>>>>>>> What is the best option to automate this. Is there is any
API to
>>>>>>>> set
>>>>>>>> client
>>>>>>>> roles?
>>>>>>>> If available, we can't write code to set role in
registration
>>>>>>>> method
>>>>>>>> since
>>>>>>>> the users will be synced to Keycloak only on next sync.
Then option
>>>>>>>>
>>>>>>> is a
>>>
>>>> delayed call which first ensures that the user reached Keycloak DB
>>>>>>>>
>>>>>>> and
>>>
>>>> then
>>>>>>>> set role.
>>>>>>>> Please share your thoughts!
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>> --
>>>>> Subodh Chandra Joshi
>>>>> subodh1_joshi82(a)yahoo.co.in
>>>>> http://www.trendsinnews.com
>>>>>
>>>>>
>>>> --
>>> Raphaël HOAREAU | Support & Hosting Solutions Manager
>>>
>>> raphael.hoareau(a)worteks.com
>>> +33 7 72 37 59 82
>>>
>>> Worteks | https://www.worteks.com
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>>
>
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
2424
days inactive
2429
days old
10 comments
4 participants
participants (4)
-
Marek Posolda -
Raphaël HOAREAU -
Subodh Joshi -
valsaraj pv