[keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty

Marek Posolda mposolda at redhat.com
Wed Jan 27 09:50:32 EST 2016


If you're not in a hurry, it will be better to wait and put it into 
Keycloak 2.X. Right now, we are around feature freeze for 1.X and the 
MSAD password history support might mean a bit more refactoring and 
change in more places. And right now, we don't have much time to 
properly implement and test it due to other priority tasks TBH ;)

Marek

On 27/01/16 13:45, Edgar Vonk - Info.nl wrote:
> Ok will do. Thanks Marek!
>
> Regarding my password policies/history issue: I was trying to make 
> it into a pull request for you but I have not finished quite yet. 
> Considering the upcoming refactoring I now wonder if that would be 
> worth the trouble at this stage? We are not in a big hurry with this 
> feature in any case.
>
> cheers
>
>> On 27 Jan 2016, at 13:38, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Yes, feel free to create JIRA for that.
>>
>> You're right. There is a limitation that at registration time only the 
>> username is available to the LDAP federation provider. However, it should 
>> be possible to handle this in a mapper. Either we can create a new mapper 
>> or add an option to the current FullNameMapper so that it will use the 
>> username as a fallback if the full name is not yet available. LDAP doesn't 
>> have an issue with renaming the CN in a later phase. This mapper shouldn't be 
>> hard to do; hopefully I can do it even in the 1.9 or 1.10 release (not 
>> like your previous request for password history, which is a bit more 
>> tricky :) )
>>
>> For Keycloak 2.X we plan some refactoring of the federation SPI and 
>> user management. So hopefully we can handle it more properly and 
>> have all attributes available even during federation registration.
>>
>> Marek
>>
>>
>> On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:
>>> Hi,
>>>
>>> I would like to use the Full Name User Federation Mapper to set the 
>>> CN attribute in Active Directory from Keycloak. If I am not mistaken 
>>> this is currently not possible in Keycloak because on creation of 
>>> the user the only thing that is available is the username and no 
>>> other user attributes (see UserFederationManager#addUser(RealmModel 
>>> realm, String username)).
>>>
>>> Since the CN is mandatory it needs to be set during creation of the 
>>> user object in AD (and in any LDAP server). With our current 
>>> configuration with the Full Name mapper enabled and configured to 
>>> map to the CN attribute we cannot create users from Keycloak, since 
>>> the full name (as well as the first and last name) and hence the CN 
>>> are still empty on user creation:
>>>
>>> 10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
>>> at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
>>> at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
>>> at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
>>> at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
>>> at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
>>>
>>> If I am not mistaken, the way Keycloak creates users is by first 
>>> creating an ‘empty’ user with only the username set, and after that 
>>> the user is updated with all user attributes like first name, last 
>>> name, email etc.
>>>
>>> The only workaround we can find is to add an attribute mapper that 
>>> maps the Keycloak username field to the CN LDAP/AD attribute. This 
>>> works OK, but it is different from how AD treats the CN, which is as the 
>>> full name and not the user name.
>>>
>>> Shall I create a JIRA issue for this?
>>>
>>> cheers
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
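As an added illustration (not code from the thread or from Keycloak itself), here is a small Python model of the two-phase creation Edgar describes and of the username fallback Marek proposes; the base DN, user values and class names are constructed for the example.

```python
# Added example (not Keycloak's code): a model of the two-phase user creation
# described in the thread. Keycloak first registers the user in LDAP with only
# the username, then updates the remaining attributes. A CN mapper built from
# first/last name yields an empty RDN in phase 1; the fallback Marek proposes
# uses the username until the full name is known and renames the entry later.
BASE_DN = "ou=Customers,dc=example,dc=org"   # constructed base DN


class LdapStore:
    """Minimal stand-in for an LDAP/AD directory keyed by DN (constructed)."""

    def __init__(self):
        self.entries = {}

    def add(self, cn, attrs):
        # The RDN attribute is mandatory: an empty CN is rejected, which is
        # the "Error creating subcontext [cn= ,...]" seen in the thread.
        if not cn.strip():
            raise ValueError(f"Error creating subcontext [cn={cn},{BASE_DN}]")
        dn = f"cn={cn},{BASE_DN}"
        self.entries[dn] = dict(attrs)
        return dn

    def modify(self, dn, attrs):
        self.entries[dn].update(attrs)

    def rename(self, old_dn, new_cn):
        # modifyDN: LDAP has no problem renaming the CN in a later phase.
        new_dn = f"cn={new_cn},{BASE_DN}"
        self.entries[new_dn] = self.entries.pop(old_dn)
        return new_dn


def full_name_cn(user, fallback_to_username):
    """Full Name mapper: CN = 'first last', optionally falling back to username."""
    full = " ".join(p for p in (user.get("firstName"), user.get("lastName")) if p)
    if full:
        return full
    return user["username"] if fallback_to_username else ""


def provision(store, user, fallback_to_username):
    """Replay both phases and return the entry's final DN."""
    phase1 = {"username": user["username"]}             # addUser(realm, username)
    dn = store.add(full_name_cn(phase1, fallback_to_username), phase1)
    store.modify(dn, user)                               # later attribute update
    new_cn = full_name_cn(user, fallback_to_username)
    if f"cn={new_cn},{BASE_DN}" != dn:
        dn = store.rename(dn, new_cn)                    # CN follows the full name
    return dn
```

Without the fallback, phase 1 fails exactly as in the stack trace above; with it, the entry is created under the username and renamed to the full name once the attribute update arrives.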
