[keycloak-dev] Remaining work for 1.1.0.Final

Bill Burke bburke at redhat.com
Wed Dec 17 08:01:20 EST 2014



On 12/17/2014 3:11 AM, Stian Thorgersen wrote:
>> Yeah, that should work well. Tricky thing is how to configure it in
>> admin console? Right now we have 'ldap' federation provider, which
>> allows to configure ldap settings and this is the provider, which
>> delegates to picketlink. So possible solution is:
>>
>> 1) Add another provider in admin console. So they will be both 'ldap'
>> and 'picketlink' providers available. In the screen for 'ldap' provider,
>> people can configure LDAP like it's now. In the screen for 'picketlink'
>> provider, people can configure just JNDI URL from where they can
>> retrieve PartitionManager from picketlink subsystem. Implementation
>> wise, we can have 2 implementations of UserFederationProviderFactory,
>> which will differ just in the detail on how to retrieve PartitionManager
>> -
>> https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java#L46
>> .
>> The 'ldap' impl can call:
>> session.getProvider(PartitionManagerProvider.class, 'ldap') to retrieve
>> LDAPPartitionManagerProvider.
>> The 'picketlink' impl can call:
>> session.getProvider(PartitionManagerProvider.class, 'picketlink') to
>> retrieve SubsystemPartitionManagerProvider (or
>> PicketlinkPartitionManagerProvider ?), which will retrieve
>> PartitionManager from configured JNDI URL.
>>
>> 2) Have single impl of UserFederationProvider and in admin console,
>> there may be checkbox. If checked, people can configure JNDI URL. If not
>> checked, people can configure LDAP like it's now.
>>
>> I like (1) more. Solution (2) make it a bit harder to enable LDAP
>> integration. Better ideas?
>
> Hm.... I don't like either of those, but don't have any better ideas :/
>

If the PL IDM API user is using the default PL IDM API security model, 
then we can write something generic and plug it in via a JNDI reference 
(1).  I don't understand why you are against this Stian.  Its just PL 
IDM API integration.

I don't like #2 at all.  Users should have no knowledge of PL IDM API 
when using our default LDAP provider.  My hope is that our LDAP provider 
becomes sophisticated enough that the user never needs to see any code 
even for the most complex LDAP deployments.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list