[keycloak-user] LDAP Role Mapping after the "memberOf" style
Marek Posolda
mposolda at redhat.com
Thu Nov 5 03:39:21 EST 2015
Hi,
On 04/11/15 19:58, Giovanni Baruzzi wrote:
> Dear all,
>
>
> at the moment using the LDAP Identity federation we can map a role to
> the membership to a group.
>
> We are using instead of the groupMembership the „memberOf“ approach,
> dedicating an attribute to list the values of the roles owned by the user.
AFAIK memberOf is just a read-only mirror of the "member" attribute, where
"member" is writable and available on the group (role) objects, while
memberOf is mirrored on users. At least it works this way on Active
Directory and some other LDAP servers too. Or does it not work this way on
your LDAP server, so that you are not seeing the "member" attribute on groups?
Our RoleLDAPFederationMapper implementation uses the "member" attribute
approach because "member" is writable and that is sufficient to achieve
all CRUD user role mapping operations.
At this moment, the only advantage I can see in "memberOf" is better
performance with read-only LDAP servers, as you need to query just the
user object to receive both its attributes and role mappings in a single
step. Is this the reason you want it, or do you have another reason?
> How would you suggest the implementation of this requirement?
> Can you imagine a way to implement it using the planned customised filter?
> Should we go for a custom federation provider?
There are 2 steps to achieve it.
1) You can use the existing "User attribute" mapper to map the "memberOf"
attribute to some attribute in the user model. This way the "memberOf" will
be queried from LDAP and saved into the Keycloak DB as part of the user
record. You can check in the admin console (tab "Attributes" of the user)
whether memberOf was successfully returned.
2) Then you may need to implement a custom LDAPFederationMapper, which
will return a proxy user object, and override some methods of this
proxy (getRoleMappings, hasRole, maybe getRealmRoleMappings and
getClientRoleMappings) to return the roles based on the "memberOf"
attribute, which is available on the UserModel thanks to the previous
step. See the existing RoleLDAPFederationMapper for inspiration.
So you don't need a custom federation provider, just a custom federation
mapper.
I wonder if we should support "memberOf" in Keycloak OOTB. I am curious
about your reasons to use it in preference to "member".
Marek
>
> thank you for your answers,
> Giovanni
>
>
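The proxy described in step 2 above, as an added illustration that is not code from this thread or from Keycloak itself. It sketches the user-model delegate that a custom mapper's proxy method would hand back: role names are derived from the DN values stored by the step-1 "User attribute" mapper, and only DNs that sit directly under a configured roles container are accepted, so a memberOf value from an unrelated subtree can never become a realm role. Assumptions: the Keycloak 1.x federation SPI of the time (`org.keycloak.models.utils.UserModelDelegate`, `RealmModel#getRole`, `RoleModel#isComposite`/`hasRole`), a user-model attribute API that returns all values of a multivalued attribute (check this against the installed release), the attribute name `ldapMemberOf` chosen in step 1, and the package name `org.example.keycloak`. Only realm roles are resolved; client role lookups fall through to the delegate. Writes (grantRole, deleteRoleMapping) are deliberately not overridden: memberOf is read-only, so role changes made in the admin console land in the Keycloak DB and never reach LDAP, which is the trade-off the reply points out.

```java
package org.example.keycloak; // hypothetical package for this example

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

/**
 * User proxy that adds realm roles derived from the "memberOf" DNs
 * imported by the "User attribute" mapper. A custom LDAPFederationMapper
 * would return an instance of this from its proxy method.
 */
public class MemberOfRoleDelegate extends UserModelDelegate {

    // Assumed: the user-model attribute name configured in step 1.
    static final String MEMBER_OF_ATTR = "ldapMemberOf";

    private final RealmModel realm;
    private final String rolesBaseDn; // e.g. "ou=roles,dc=example,dc=com" (constructed value)

    public MemberOfRoleDelegate(UserModel delegate, RealmModel realm, String rolesBaseDn) {
        super(delegate);
        this.realm = realm;
        this.rolesBaseDn = rolesBaseDn;
    }

    /**
     * Maps "cn=admin,ou=roles,dc=example,dc=com" to "admin". Returns null when
     * the DN is malformed, is not a cn= entry, or is not a direct child of the
     * configured roles container.
     */
    static String roleNameFromDn(String dn, String rolesBaseDn) {
        if (dn == null) return null;
        String trimmed = dn.trim();
        int comma = indexOfUnescapedComma(trimmed);
        if (comma < 0) return null;
        String rdn = trimmed.substring(0, comma).trim();
        String parent = trimmed.substring(comma + 1).trim();
        // Guard: only the configured container may contribute roles.
        if (!parent.equalsIgnoreCase(rolesBaseDn)) return null;
        int eq = rdn.indexOf('=');
        if (eq < 0 || !rdn.substring(0, eq).trim().equalsIgnoreCase("cn")) return null;
        String value = rdn.substring(eq + 1).trim();
        // Undo RFC 4514 single-character escapes such as "\," or "\+";
        // hex-pair escapes (e.g. "\2C") are left untouched by this sketch.
        return value.replaceAll("\\\\(.)", "$1");
    }

    // Position of the first comma that is not preceded by a backslash.
    static int indexOfUnescapedComma(String dn) {
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\') { i++; continue; } // skip the escaped character
            if (c == ',') return i;
        }
        return -1;
    }

    // Roles named by memberOf that actually exist in the realm; unknown names are ignored.
    private Set<RoleModel> rolesFromMemberOf() {
        Set<RoleModel> result = new HashSet<>();
        // Assumed: getAttribute returns every value of a multivalued attribute.
        List<String> dns = super.getAttribute(MEMBER_OF_ATTR);
        if (dns == null) return result;
        for (String dn : dns) {
            String name = roleNameFromDn(dn, rolesBaseDn);
            if (name == null) continue;
            RoleModel role = realm.getRole(name);
            if (role != null) result.add(role);
        }
        return result;
    }

    @Override
    public Set<RoleModel> getRealmRoleMappings() {
        Set<RoleModel> roles = new HashSet<>(super.getRealmRoleMappings());
        roles.addAll(rolesFromMemberOf());
        return roles;
    }

    @Override
    public Set<RoleModel> getRoleMappings() {
        Set<RoleModel> roles = new HashSet<>(super.getRoleMappings());
        roles.addAll(rolesFromMemberOf());
        return roles;
    }

    @Override
    public boolean hasRole(RoleModel target) {
        if (super.hasRole(target)) return true;
        // Honour composite roles: a memberOf-derived role may contain the target.
        for (RoleModel role : rolesFromMemberOf()) {
            if (role.equals(target) || (role.isComposite() && role.hasRole(target))) return true;
        }
        return false;
    }
}
```

In the mapper, the proxy method would return `new MemberOfRoleDelegate(delegate, realm, configuredRolesBaseDn)` with the base DN taken from the mapper's configuration. The `roleNameFromDn` check is the part worth keeping even if the surrounding API differs: resolving roles by bare `cn` without confirming the parent DN would let any group the user happens to be in, anywhere in the directory, be read as a realm role of the same name.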