[keycloak-dev] Support for LDAP referrals
Marek Posolda
mposolda at redhat.com
Thu May 19 15:54:31 EDT 2016
LDAP referrals have not yet been tested or supported; could you please
create a JIRA for this?
Thanks,
Marek
On 18/05/16 05:37, Mitya wrote:
> Hi,
>
> In replicated LDAP setups, it's a common situation where the slave is
> read-only, and if a write operation is attempted, it returns a
> so-called referral (see more here
> <http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html>). Simply
> put, a referral is an instruction to proceed with the same LDAP
> operation but using a different URL, contained within the response. In a
> replicated setup, this URL would point to the master instance, which is
> read-write.
>
> Currently, Keycloak cannot use such a slave replica as a federation
> provider in WRITABLE edit mode. LDAP entries are imported
> successfully, but further attempts to modify them in the Keycloak admin
> console give a success message while the actual values are not
> modified. If Sync Registrations is on, an attempt to create a user
> results in the following exception:
>
> javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
> at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
> at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
>
> LDAP referrals are fully supported by the JNDI and LDAP stack; the only
> thing we need is to set the Context.REFERRAL ("java.naming.referral")
> environment property to "follow" before creating an
> InitialLdapContext. I've noticed that in
> org.keycloak.federation.ldap.LDAPConfig there is initial support
> for additional connection properties (currently hardcoded to return
> null). Are there any plans to implement this?
>
> Cheers,
> Mitya
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
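The mechanism Mitya describes, shown as an added example that is not part of the thread and not Keycloak's own code. Setting Context.REFERRAL to "follow" is indeed a one-liner, but with "follow" JNDI reconnects to whatever URL the slave returns and re-sends the bind credentials there, so the example below uses "throw" instead and checks the referral target (scheme and host) before retrying the write against it. The hostnames, bind DN, password and the createEntry/isTrustedReferral helpers are assumptions for illustration.

```java
import java.net.URI;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

public class ReferralAwareCreate {

    // JNDI environment for the (read-only) slave. Context.REFERRAL = "throw"
    // makes the slave's referral surface as a ReferralException rather than a
    // PartialResultException, so the caller can inspect the target before
    // reconnecting. "follow" would reconnect automatically, with the same
    // credentials, to any URL the server hands back.
    static Hashtable<String, String> env(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "throw");
        return env;
    }

    // Only send our bind credentials to a referral target that is TLS-protected
    // and is the master we expect. (Hypothetical policy; adjust per deployment.)
    static boolean isTrustedReferral(String referralUrl, String expectedMasterHost) {
        try {
            URI u = new URI(referralUrl);
            return "ldaps".equalsIgnoreCase(u.getScheme())
                    && expectedMasterHost.equalsIgnoreCase(u.getHost());
        } catch (Exception e) {
            return false;
        }
    }

    // Creates an entry on the slave and, if the slave answers with a referral,
    // retries the same operation once against the referred (master) server.
    static void createEntry(Hashtable<String, String> env, String dn, Attributes attrs,
                            String expectedMasterHost) throws NamingException {
        DirContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.createSubcontext(dn, attrs).close();
        } catch (ReferralException re) {
            String target = String.valueOf(re.getReferralInfo());
            if (!isTrustedReferral(target, expectedMasterHost)) {
                throw new NamingException("Refusing untrusted LDAP referral to " + target);
            }
            // getReferralContext() binds to the referral URL using the same
            // environment (credentials included); retry the original operation
            // there, as the JNDI referral tutorial does.
            DirContext master = (DirContext) re.getReferralContext();
            try {
                master.createSubcontext(dn, attrs).close();
            } finally {
                master.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values; replace with real hosts and a real bind DN.
        Hashtable<String, String> env = env("ldaps://ldap-slave.example.com:636",
                "cn=admin,dc=foobar,dc=com", "PLACEHOLDER_PASSWORD");

        Attributes attrs = new BasicAttributes(true);
        BasicAttribute oc = new BasicAttribute("objectClass");
        oc.add("top");
        oc.add("inetOrgPerson");
        attrs.put(oc);
        attrs.put("uid", "foo");
        attrs.put("cn", "Foo Example");
        attrs.put("sn", "Example");

        createEntry(env, "uid=foo,ou=People,dc=foobar,dc=com", attrs, "ldap-master.example.com");
    }
}
```

If the deployment is happy to trust any referral the slave returns, replacing "throw" with "follow" and dropping the catch block reproduces Mitya's suggestion exactly; the "throw" variant is only there to make the extra hop, and the credential re-use it implies, explicit.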