Sorry for my late answer...
Got it! In fact, my solution will solve only a particular problem. I'm
using *slapd* here, so I'll take a look at "entryDN".
Thanks Marek!
2017-04-03 4:24 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
Hi,
it looks like the new option "Read from base DN" is not needed, as LDAP vendors
usually have an attribute with the DN available on the LDAP object. For MSAD it is
the "distinguishedName" attribute, for some others like OpenLDAP it is
"entryDN". So you can just configure the OOTB UserAttribute mapper with this
attribute mapped?
TBH this use case seems to be quite specific to your needs, so I'm not sure if
it's good to have this OOTB, as every feature and new option adds some
complexity. The idea is that people can use OOTB mappers for the more common
functionalities and create their own mapper if they need something advanced
and domain specific. And this looks to me like the second case TBH. At
least I never saw anyone else asking for this.
Marek
On 31/03/17 12:35, Celso Agra wrote:
I was thinking of creating a PR for the class UserAttributeLDAPStorageMapper.
Would it be possible to do that?
I created a fork for that -->
https://github.com/keycloak/keycloak/compare/3.0.x...celsoagra:master
and here is the attached file with an idea (just a simple idea!!).
2017-03-31 3:44 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
> Yes, I would likely create a subclass of this one and override some methods,
> so the attribute value is just your ou and not the full DN. Just a note that
> the LDAP Mapper SPI is unsupported and some method signatures can change in the
> future etc.
>
> Marek
>
>
> On 31/03/17 02:44, Celso Agra wrote:
>
> Maybe this class could help me to create a new Mapper:
>
> https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java
>
> 2017-03-30 21:31 GMT-03:00 Celso Agra <celso.agra(a)gmail.com>:
>
>> Thanks Marek! For now, I'm using the (a) option!
>>
>> But I think it would be possible to implement an LDAP Mapper in the future,
>> just to get the "ou" info.
>> I'll take a look at the code and try to add a new Mapper Type.
>>
>> Thanks again! This is a really great tool!
>>
>> 2017-03-30 16:33 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
>>
>>> There is no built-in support for this. However, you can achieve it by
>>> doing any of:
>>>
>>> a) Map the LDAP_ENTRY_DN as an attribute in your token and then have some
>>> logic in your application (or wherever it is needed) that will just parse
>>> the name of the OU from the full DN.
>>> b) Create a custom LDAP mapper, which will do the above. Then it will
>>> be available in user attributes.
>>> c) Create a protocol mapper, which will do the above. The user attribute will
>>> still contain just LDAP_ENTRY_DN, but you will have a claim in the token with
>>> the value of your OU.
>>>
>>> I would personally go with (a) and handle it in your app if possible.
>>> That's the easiest path IMO.
>>>
>>> Marek
>>>
>>>
>>> On 30/03/17 20:20, Celso Agra wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'd like to retrieve the organizational unit (ou) from the LDAP Mapper and
>>>> set this in the User Attributes.
>>>>
>>>> When I get a user from LDAP, it sets an attribute called LDAP_ENTRY_DN,
>>>> with value: "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
>>>>
>>>> So, I'd like to retrieve just the ou info "group", and set this to the
>>>> user attribute.
>>>> Would it be possible to do that? Is there some mapper type just to
>>>> retrieve this information?
>>>>
>>>> Best Regards,
>>>>
--
---
*Celso Agra*
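Option (a) in Marek's first reply leaves the parsing of the OU out of the full DN to the application. The following is an added example (not code from this thread or from Keycloak) of doing that parsing safely: a naive `split(",")` on the LDAP_ENTRY_DN value breaks on RFC 4514 escapes such as `ou=Sales\, EMEA`, so this small parser walks the string and honours backslash and `\XX` hex escapes before picking out the first `ou` RDN. The DN values used are constructed samples in the shape shown in the thread.

```python
# Added example, not from the thread or Keycloak: parse the LDAP_ENTRY_DN
# value stored on the user and return the first "ou" RDN, honouring
# RFC 4514 escapes instead of splitting on "," blindly.
from typing import List, Optional, Tuple

HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+="\\<>;# '  # characters RFC 4514 escapes with a single backslash


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    rdns, rdn, buf, attr = [], [], [], None
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 < n and dn[i + 1] in SPECIAL:   # \, \+ \= and friends
                buf.append(dn[i + 1]); i += 2; continue
            raw = bytearray()                        # one or more \XX pairs
            while i + 2 < n and dn[i] == "\\" and all(c in HEX for c in dn[i + 1:i + 3]):
                raw.append(int(dn[i + 1:i + 3], 16)); i += 3
            if not raw:
                raise ValueError(f"invalid escape at offset {i}")
            buf.append(raw.decode("utf-8")); continue  # hex pairs form UTF-8 bytes
        if attr is None and ch == "=":
            attr, buf = "".join(buf).strip(), []     # attribute type ends here
        elif ch in ",+":                             # end of RDN, or extra AVA
            if attr is None:
                raise ValueError(f"missing '=' before offset {i}")
            rdn.append((attr, "".join(buf))); attr, buf = None, []
            if ch == ",":
                rdns.append(rdn); rdn = []
        elif not (attr is None and not buf and ch == " "):  # tolerate ", " spacing
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("DN ends without '='")
    rdn.append((attr, "".join(buf)))
    rdns.append(rdn)
    return rdns


def first_ou(dn: str) -> Optional[str]:
    """Value of the leftmost (most specific) 'ou' RDN, or None if there is none."""
    for rdn in parse_dn(dn):
        for attr_type, value in rdn:
            if attr_type.lower() == "ou":
                return value
    return None
```

For a DN like `uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1`, `first_ou` returns `group`; for a user under several OUs it returns the innermost one, which is usually what a group-style claim wants.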