[keycloak-user] Having trouble with LDAP attribute mapping in 1.3.1

Marek Posolda mposolda at redhat.com
Fri Jun 19 05:15:54 EDT 2015

There are a few steps here and the result will work only if all steps 
succeed. So it might help to try which step could be wrong here:

1) You can double-check if your user really has the 'applications' attribute 

2) If (1) is ok, you can enable TRACE logging for the 
"org.keycloak.federation.ldap" category in standalone.xml. With it, you 
should see some trace messages with the names and values of all LDAP 
attributes which are loaded in the user record. You should see the 
'applications' attribute loaded

3) If (2) is ok, you can browse the keycloak database and check if the attribute 
'applications' is really here. The user attributes are saved in table 
USER_ATTRIBUTES. Currently it's not possible to browse user attributes 
generically in the admin console (unless you do a custom theme) so browsing the DB 
seems to be the only possibility.

4) If (3) is ok, the issue is not in the LDAP interaction, but in the protocol 
mapper configuration. Make sure you use the correct protocol mapper (in your 
case it should be the "User attributes" mapper, not the "User property" mapper). 
Also if your application is Java based, the value of the 'applications' 
claim is saved in accessToken in the 'otherClaims' map and can be retrieved 
with something like: accessToken.getOtherClaims().get("applications");


On 18.6.2015 17:50, Kevin Thorpe wrote:
> Thanks to the team for 1.3.1. We were eagerly waiting for that to add 
> LDAP attribute mappings which I see has now been done. Unfortunately I 
> can't seem to get it to work.
> I have added a user attribute mapper to my ldap federation. This maps 
> the LDAP attribute 'applications' which exists on my LDAP user record 
> to 'applications' in Keycloak.
> I have also added a user attribute token mapper to my Keycloak client 
> definition to map user attribute 'applications' to token claim 
> 'applications'. I've also asked to add to both id and access token.
> However this attribute is not present in either the ID or access token 
> when testing. Is there something I've missed?
> Something that may be an issue though is that I'm using a home-written 
> openid-connect Lua client based on your JavaScript one. This uses the 
> endpoint /auth/realms/master/protocol/openid-connect/token. Is it that 
> the openid-connect endpoint doesn't support these attributes yet?
> Kevin Thorpe
> CTO, PI ltd

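An added example, not part of the original message and not Keycloak code: one way to run the check from step 4 independently of the client library is to decode the payload of each token returned by the token endpoint and report whether the 'applications' claim is present. The helper names and the sample response are constructed for illustration, and the signature is not verified, so this is for inspection only.

```python
import base64
import json


def jwt_claims(token):
    """Decode the payload (second segment) of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def claim_report(token_response, claim="applications"):
    """Map each token field to the claim's value, or None if token or claim is absent."""
    report = {}
    for field in ("id_token", "access_token"):
        token = token_response.get(field)
        report[field] = jwt_claims(token).get(claim) if token else None
    return report


def _constructed_token(claims):
    """Build an unsigned sample token (constructed, not from a real server)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg(claims), "c2ln"])


# Constructed token-endpoint response: the mapper was applied to the access
# token only, so the ID token lacks the claim.
SAMPLE_RESPONSE = {
    "access_token": _constructed_token({"sub": "u1", "applications": "crm"}),
    "id_token": _constructed_token({"sub": "u1"}),
}

if __name__ == "__main__":
    for field, value in claim_report(SAMPLE_RESPONSE).items():
        print(field, "->", "MISSING" if value is None else value)
```
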