[keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty
Marek Posolda
mposolda at redhat.com
Wed Jan 27 07:38:18 EST 2016
Yes, feel free to create JIRA for that.
You're right. There is a limitation that, at registration time, just the username is available to the LDAP federation provider. However, it should be possible to handle this in the mapper. Either we can create a new mapper or add an option to the current FullNameMapper so that it will use the username as a fallback if the full name is not yet available. LDAP doesn't have an issue with renaming the CN in a later phase. This mapper shouldn't be hard to do; hopefully I can do it even in the 1.9 or 1.10 release (unlike your previous request for password history, which is a bit more tricky :) )

For Keycloak 2.X we plan some refactoring of the federation SPI and user management. So hopefully we can handle it more properly and have all attributes available even during federation registration.
Marek
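The username fallback Marek describes, as an added example that is not Keycloak's own code: a small Python sketch of how a full-name mapper would pick the CN for a new federated entry, with the current behaviour (empty CN, failed add) kept behind a flag. The base DN, the function names and the RFC 4514 escaping helper are assumptions; the later rename Marek mentions is simply the same DN function evaluated again once first and last name are known.

```python
from typing import Optional

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_RDN_SPECIALS = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape a user-controlled value before it is placed in an RDN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in _RDN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def full_name(first: Optional[str], last: Optional[str]) -> str:
    """Join first and last name, dropping parts that are missing or blank."""
    return " ".join(p.strip() for p in (first, last) if p and p.strip())

def cn_for_user(username: str, first: Optional[str] = None, last: Optional[str] = None,
                fallback_to_username: bool = True) -> str:
    """CN for the new entry: the full name when known, else the username if allowed.

    fallback_to_username=False is the behaviour from the thread: at registration
    only the username exists, so the CN is empty and the LDAP add fails.
    """
    cn = full_name(first, last) or (username.strip() if fallback_to_username else "")
    if not cn:
        raise ValueError("empty CN: LDAP/AD rejects an entry whose RDN value is empty")
    return cn

def user_dn(username: str, first: Optional[str], last: Optional[str], base_dn: str,
            fallback_to_username: bool = True) -> str:
    """DN under which the federated user is created (base_dn is an assumed value)."""
    cn = cn_for_user(username, first, last, fallback_to_username)
    return "cn=%s,%s" % (escape_rdn_value(cn), base_dn)

def creation_would_fail(username: str, first: Optional[str], last: Optional[str],
                        fallback_to_username: bool) -> bool:
    """True when the add would hit the 'Error creating subcontext [cn= ,...]' from the log."""
    try:
        cn_for_user(username, first, last, fallback_to_username)
    except ValueError:
        return True
    return False
```

Calling user_dn first with no names and again after the profile update yields the old and new DN a modrdn would use; the escaping matters because the full name is user-supplied and ends up inside the DN.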
On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:
> Hi,
>
> I would like to use the Full Name User Federation Mapper to set the CN
> attribute in Active Directory from Keycloak. If I am not mistaken this
> is currently not possible in Keycloak because on creation of the user
> the only thing that is available is the username and no other user
> attributes (see UserFederationManager#addUser(RealmModel realm, String
> username)).
>
> Since the CN is mandatory it needs to be set during creation of the
> user object in AD (and in any LDAP server). With our current
> configuration with the Full Name mapper enabled and configured to map
> to the CN attribute we cannot create users from Keycloak since the
> full name (as well as the first and last name) and hence the CN are
> still empty on user creation:
>
> 10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
>     at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
>     at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
>     at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
>     at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
>     at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
>
>
>
> If I am not mistaken the way Keycloak creates users is by first
> creating an 'empty' user with only the username set and after that the
> user is updated with all user attributes like first name, last name,
> email etc.
>
> The only workaround we can find is to add an attribute mapper that
> maps the Keycloak username field to the CN LDAP/AD attribute. This
> works OK but it is different from how AD treats the CN, which is as the
> full name and not the user name.
>
> Shall I create a JIRA issue for this?
>
> cheers
>
>