[keycloak-dev] Support for LDAP referrals

Marek Posolda mposolda at redhat.com
Thu May 19 15:54:31 EDT 2016


LDAP referrals have not yet been tested and supported; could you please 
create a JIRA for this?

Thanks,
Marek

On 18/05/16 05:37, Mitya wrote:
> Hi,
>
> In replicated LDAP setups, it's a common situation where the slave is 
> read-only, and if a write operation is attempted, it returns a 
> so-called referral (see more here 
> <http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html>). Simply 
> put, a referral is an instruction to proceed with the same LDAP 
> operation but using a different URL, contained within the response. In a 
> replicated setup, this URL would point to the master instance, which is 
> read-write.
>
> Currently, KeyCloak cannot use such a slave replica as a federation 
> provider in WRITABLE edit mode. LDAP entries are imported 
> successfully; but further attempts to modify them in the KeyCloak admin 
> console give a success message, while the actual values are not 
> modified. If Sync Registrations is on, an attempt to create a user 
> results in the following exception:
>
> javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>     at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
>     at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>     at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
>
> LDAP referrals are fully supported by the JNDI and LDAP stack; the only 
> thing we need is to set the Context.REFERRAL ("java.naming.referral") 
> environment property to "follow" before creating the 
> InitialLdapContext. I've noticed that in 
> org.keycloak.federation.ldap.LDAPConfig, there is initial support 
> for additional connection properties (currently hardcoded to return 
> null). Are there any plans to implement this?
>
> Cheers,
> Mitya
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
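As an added example, not code from Keycloak or from either poster: the JNDI setup Mitya describes, with Context.REFERRAL set to "follow" so that a write sent to a read-only replica is re-issued against the master named in the referral instead of failing with the error above. The host, bind DN and the LDAP_BIND_PASSWORD variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class ReferralFollowingExample {
    // referralMode is a Context.REFERRAL value: "ignore" (provider default), "throw" or "follow".
    static Hashtable<String, Object> ldapEnv(String url, String bindDn, String password,
                                             String referralMode) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Context.REFERRAL is "java.naming.referral". Unless it is "follow", a write sent to a
        // read-only replica fails with the referral error (LDAP code 10) seen in the thread.
        // With "follow", JNDI re-issues the operation against the URL in the referral and re-binds
        // there with the same credentials, so that host should also be reached over ldaps:// with a trusted certificate.
        env.put(Context.REFERRAL, referralMode);
        return env;
    }
    // Minimal inetOrgPerson entry; the same createSubcontext call that failed in the trace.
    static void createUser(LdapContext ctx, String dn, String uid) throws NamingException {
        Attributes attrs = new BasicAttributes(true);
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("person");
        objectClass.add("inetOrgPerson");
        attrs.put(objectClass);
        attrs.put("uid", uid);
        attrs.put("cn", uid);
        attrs.put("sn", uid);
        ctx.createSubcontext(dn, attrs);
    }
    public static void main(String[] args) throws NamingException {
        // Placeholder host and bind DN; the replica is read-only and refers writes to the master.
        Hashtable<String, Object> env = ldapEnv("ldaps://ldap-replica.example.com:636",
                "cn=admin,dc=foobar,dc=com", System.getenv("LDAP_BIND_PASSWORD"), "follow");
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            createUser(ctx, "uid=foo,ou=People,dc=foobar,dc=com", "foo");
        } finally {
            ctx.close();
        }
    }
}
```

Running the same program with "ignore" or "throw" as the last argument to ldapEnv reproduces the failure Mitya reports, which is a quick way to confirm that a replica really is answering writes with a referral.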
