[keycloak-user] user Attribute error

Gerard Laissard glaissard at axway.com
Mon Feb 29 05:04:34 EST 2016


Many thanks Marek!
By using:
- LDAP federation provider with edit mode = UNSYNCED
A first test shows it works!

To be more precise my use case is:
Keycloak is the IDP for our products. Some customers have an LDAP, but they do not want us to add our products' (clients') roles/attributes in their LDAP.

We configured the 'LDAP Federation provider' as read-only (+ edit mode=UNSYNCED).
We configured user/group/client with our specific products' user roles+attributes.
On client mappers we map the attributes we need on tokens.

Gerard


From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, 29 February 2016 09:33
To: Bill Burke; Jason Axley; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] user Attribute error

You can do this already though. You need to set it up like this:
- LDAP federation provider must have edit mode UNSYNCED
- LDAP mapper for your attribute must have "readOnly" set to "on" and "alwaysReadValueFromLDAP" set to "off". But these are the default settings for the mapper in UNSYNCED edit mode anyway, so you don't need to explicitly configure anything in the mapper (you can just double-check that the mapper is really set like this)

With a setup like this, the attribute of the user is read from LDAP during the initial import of the user from LDAP. But when you change the attribute to some other value, the value is updated just in the Keycloak DB (not in LDAP). And for all subsequent reads of the user, Keycloak will see the value from the DB (not the one from LDAP).

Also you can add any new attribute to the user too. This will be always saved to Keycloak DB and never to LDAP.

Marek
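The UNSYNCED recipe Marek gives can be double-checked against a realm export instead of clicking through every mapper in the admin console. The checker below is an added example, not code from this thread or from the Keycloak project; the config key names it looks for (editMode on the provider, read.only and always.read.value.from.ldap on a user-attribute-ldap-mapper) are assumed to match the realm export format of the time, and the sample realm is constructed for the demonstration.

```python
"""Verify that a Keycloak realm export matches the read-only-LDAP recipe:
LDAP provider in UNSYNCED edit mode, attribute mappers read-only and
not forced to always re-read the value from LDAP (otherwise edits made
in the Keycloak DB would be overwritten on the next read)."""
import json

# Assumed key names, matching the realm export format of the 1.x era.
PROVIDER_EDIT_MODE_KEY = "editMode"
MAPPER_READ_ONLY_KEY = "read.only"
MAPPER_ALWAYS_LDAP_KEY = "always.read.value.from.ldap"
ATTRIBUTE_MAPPER_TYPE = "user-attribute-ldap-mapper"
TRUE_VALUES = {"true", "on", "1"}


def _setting(config, key):
    """Return a config value as a lowercase string, or None if absent.
    Newer exports wrap each value in a single-element list; accept both."""
    value = config.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    return None if value is None else str(value).strip().lower()


def check_unsynced_setup(realm):
    """Return a list of findings; an empty list means the export matches."""
    findings = []
    ldap_providers = {
        p.get("displayName"): p
        for p in realm.get("userFederationProviders", [])
        if p.get("providerName") == "ldap"
    }
    if not ldap_providers:
        return ["no LDAP federation provider defined"]

    for name, provider in ldap_providers.items():
        mode = _setting(provider.get("config", {}), PROVIDER_EDIT_MODE_KEY)
        if mode != "unsynced":
            findings.append(f"provider {name!r}: editMode is {mode!r}, expected 'UNSYNCED'")

    for mapper in realm.get("userFederationMappers", []):
        if mapper.get("federationMapperType") != ATTRIBUTE_MAPPER_TYPE:
            continue
        if mapper.get("federationProviderDisplayName") not in ldap_providers:
            continue
        cfg = mapper.get("config", {})
        label = f"mapper {mapper.get('name')!r}"
        read_only = _setting(cfg, MAPPER_READ_ONLY_KEY)
        always_ldap = _setting(cfg, MAPPER_ALWAYS_LDAP_KEY)
        if read_only not in TRUE_VALUES:
            findings.append(f"{label}: {MAPPER_READ_ONLY_KEY} is {read_only!r}, expected on")
        if always_ldap is None or always_ldap in TRUE_VALUES:
            findings.append(f"{label}: {MAPPER_ALWAYS_LDAP_KEY} is {always_ldap!r}, expected off "
                            "(local edits would be overwritten by LDAP on each read)")
    return findings


# Constructed sample export: one UNSYNCED provider, one mapper set as Marek
# describes, and one mapper that keeps re-reading its value from LDAP.
SAMPLE_REALM = json.loads("""
{
  "userFederationProviders": [
    {"displayName": "corp-ldap", "providerName": "ldap",
     "config": {"editMode": "UNSYNCED", "usernameLDAPAttribute": "uid"}}
  ],
  "userFederationMappers": [
    {"name": "email", "federationProviderDisplayName": "corp-ldap",
     "federationMapperType": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": "email", "ldap.attribute": "mail",
                "read.only": "true", "always.read.value.from.ldap": "false"}},
    {"name": "department", "federationProviderDisplayName": "corp-ldap",
     "federationMapperType": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": "department", "ldap.attribute": "ou",
                "read.only": "true", "always.read.value.from.ldap": "true"}}
  ]
}
""")

if __name__ == "__main__":
    for line in check_unsynced_setup(SAMPLE_REALM) or ["OK: matches the UNSYNCED recipe"]:
        print(line)
```

Run against a real export (`json.load(open("realm-export.json"))`), the "department" style finding is the one to act on: with always.read.value.from.ldap on, a value edited in Keycloak is silently replaced by the LDAP value the next time the user is read, which is exactly the behaviour the UNSYNCED mode is meant to avoid.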

On 27/02/16 01:07, Bill Burke wrote:
You have to code it yourself. Not sure if our LDAP adapter is documented to do that or not.
On 2/26/2016 7:03 PM, Jason Axley wrote:
Some IdM products provide a virtual-directory-like capability where you can manage derived attributes for users regardless of the origin data store. I could see it being advantageous to be able to layer metadata or other derived data on identities to make things easier to consume in downstream systems. Would that be feasible in Keycloak?

-Jason

From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke <bburke at redhat.com>
Date: Friday, February 26, 2016 at 1:00 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] user Attribute error

Why do you expect to be able to add an attribute on a read-only LDAP? I'm confused...
On 2/26/2016 11:03 AM, Gerard Laissard wrote:
Hi,

I'm using user Federation LDAP. The LDAP is read-only.
When I add a user Attribute, I get 'Error! user is read-only!'

How can I add specific user attributes?

Thanks
Gerard




_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--

Bill Burke

JBoss, a division of Red Hat

http://bill.burkecentral.com



