[keycloak-dev] LDAP Federation & Subject ID's

[Marek Posolda]

On 20/06/18 13:04, gambol wrote:
> Hiya
>
> One of our projects is looking to tie Knox and Keycloak together; with some
> documentation here
> https://community.hortonworks.com/articles/196751/knox-accept-third-party-jwt.html.
> At the moment the users are being federated to an ldap user store.
>
> The issue at the moment is the subject ID, they would like this mapped
> 'uid' attribute to the user representation in ldap, is this simply a matter
> of changing the 'UUID LDAP attribute' .. They did try and they started
> getting errors logging in, I'm guessing this was perhaps due to changing
> the mapping once users had already been imported? ...
Yes, exactly. I think it should be fine to configure "UUID LDAP 
Attribute" to the value "uid" , but if you already have some users 
imported from LDAP and then you change configuration later, strange 
things can happen. It seems we should document this limitation a bit more...

One thing why "UUID LDAP Attribute" is not "uid" by default is, that 
"uid" can't be guaranteed to be 100% unique and it can happen that it's 
different user in some cases. For example scenario like:
- User john is in LDAP "uid=john,dc=example,dc=com"
- User john was unregistered from app and hence deleted from the LDAP
- After some time, there is another user "john", who wants to register. 
He will be registered in LDAP with same uid like previous user. So 
"uid=john,dc=example,dc=com" . At this point, Keycloak won't be able to 
differentiate that 1st john and 2nd john is different user in case that 
"UUID LDAP Attribute" is mapped to "uid" .

If you're fine with this limitation, it should be ok

Marek
>
> Alas, I don't have access to components myself, so acting as a middle man
> at the moment
>
> Rohith
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev