[keycloak-dev] LDAP Federation & Subject ID's
Marek Posolda
mposolda at redhat.com
Thu Jun 21 08:30:52 EDT 2018
On 20/06/18 13:04, gambol wrote:
> Hiya
>
> One of our projects is looking to tie Knox and Keycloak together; with some
> documentation here
> https://community.hortonworks.com/articles/196751/knox-accept-third-party-jwt.html.
> At the moment the users are being federated to an ldap user store.
>
> The issue at the moment is the subject ID, they would like this mapped
> 'uid' attribute to the user representation in ldap, is this simply a matter
> of changing the 'UUID LDAP attribute' .. They did try and they started
> getting errors logging in, I'm guessing this was perhaps due to changing
> the mapping once users had already been imported? ...
Yes, exactly. I think it should be fine to configure "UUID LDAP
Attribute" to the value "uid" , but if you already have some users
imported from LDAP and then you change configuration later, strange
things can happen. It seems we should document this limitation a bit more...
One thing why "UUID LDAP Attribute" is not "uid" by default is, that
"uid" can't be guaranteed to be 100% unique and it can happen that it's
different user in some cases. For example scenario like:
- User john is in LDAP "uid=john,dc=example,dc=com"
- User john was unregistered from app and hence deleted from the LDAP
- After some time, there is another user "john", who wants to register.
He will be registered in LDAP with same uid like previous user. So
"uid=john,dc=example,dc=com" . At this point, Keycloak won't be able to
differentiate that 1st john and 2nd john is different user in case that
"UUID LDAP Attribute" is mapped to "uid" .
If you're fine with this limitation, it should be ok
Marek
>
> Alas, I don't have access to components myself, so acting as a middle man
> at the moment
>
> Rohith
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list