[keycloak-user] Suggestions and fix for e-directory user federation provider

Marek Posolda mposolda at redhat.com
Fri Nov 25 04:29:20 EST 2016

On 24/11/16 13:32, Tomas Tikovsky wrote:
> Hello everyone,
> I'm using the e-directory federation LDAP provider and came across this bug
> KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099> as I was
> experiencing the same problem.
> e-Directory sends the guid attribute as byte[], so it needs to be declared as
> binary the same way as it is done for activeDirectory.
> Sending a simple diff to fix this issue, if you consider this helpful.
> Novell was acquired by Micro Focus and their product has been renamed to
> NetIQ eDirectory, so I incorporated that change as well.
Currently we don't have any support for NetIQ eDirectory and we never 
tested with it. Novell eDirectory was a community contribution.

Btw. If it uses the guid attribute in the same way as activeDirectory, 
then maybe you can just select vendor: "Active Directory" and then just 
change the name of the UUID attribute manually?
> Another thing I noted were 2 incorrect attribute mappings in the administration
> console.
> "username" -> "uid"
> correct as long as users are enabled for Linux (not default), otherwise cn.
> So cn should work for more cases than uid.
> "firstname" -> "cn"
> wrong, should be "givenname"
There is some best effort to create mappers according to which vendor 
you choose. So for example if you select "Active Directory" it already 
uses "cn" for username by default. For "OpenLDAP" it uses "uid" for 
username etc. But all things can be configured/changed manually and you 
have the possibility to configure mappers exactly according to your LDAP 
environment (e.g. change firstName to "givenName" etc.)

> Cheers
> Tom
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list
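The two issues raised in this thread (the UUID attribute arriving as byte[] and the per-vendor default mappers for username and first name) are easier to see in a small simulation. The following is an added example written for this page, not Keycloak's own code and not Tomas's diff. It models a provider config with vendor defaults and manual overrides, maps a constructed LDAP entry to a user, and shows what goes wrong when a binary GUID is treated as text: two users whose GUIDs differ only in non-UTF-8 bytes end up with the same LDAP id. The vendor default table, the `ProviderConfig` class, the hex encoding used for the eDirectory GUID, and the sample entries are all assumptions made for the example; only "AD uses cn, OpenLDAP uses uid for username" and the observed eDirectory console defaults (username -> uid, firstname -> cn) come from the thread.

```python
"""Added example (not Keycloak code): vendor default mappers, manual
overrides, and why the LDAP UUID attribute must be declared binary."""
import uuid
from dataclasses import dataclass, field

# Assumed defaults. From the thread: AD -> cn, OpenLDAP -> uid for username,
# and the eDirectory console showing username -> uid, firstname -> cn.
VENDOR_DEFAULTS = {
    "ad":         {"uuid": "objectGUID", "username": "cn",  "firstName": "givenName"},
    "openldap":   {"uuid": "entryUUID",  "username": "uid", "firstName": "givenName"},
    "edirectory": {"uuid": "guid",       "username": "uid", "firstName": "cn"},
}


@dataclass
class ProviderConfig:
    """Hypothetical stand-in for a federation provider's settings."""
    vendor: str
    mappers: dict = field(default_factory=dict)          # manual overrides
    binary_attributes: set = field(default_factory=set)  # attrs read as byte[]

    def attr(self, model_field):
        """LDAP attribute for a user-model field: override, else vendor default."""
        return self.mappers.get(model_field, VENDOR_DEFAULTS[self.vendor][model_field])


def decode_uuid(raw, declared_binary, vendor):
    """Turn the directory's UUID attribute into the string used as the user's LDAP id."""
    if isinstance(raw, str):
        return raw  # e.g. OpenLDAP entryUUID is already printable text
    if not declared_binary:
        # The bug from the thread: the server hands back byte[] but the provider
        # treats it as text. A lossy decode maps distinct GUIDs to one string.
        return raw.decode("utf-8", errors="replace")
    if vendor == "ad":
        # Well-known AD objectGUID layout: first three fields little-endian.
        return str(uuid.UUID(bytes_le=raw))
    # Assumption for the example: other binary GUIDs are stored as plain hex.
    return raw.hex()


def map_entry(entry, cfg):
    """Map one LDAP entry (dict of attribute -> value) to a user model."""
    uuid_attr = cfg.attr("uuid")
    return {
        "ldap_id": decode_uuid(entry[uuid_attr], uuid_attr in cfg.binary_attributes, cfg.vendor),
        "username": entry.get(cfg.attr("username")),   # None if the attribute is absent
        "firstName": entry.get(cfg.attr("firstName")),
    }


# Constructed sample entries. The two eDirectory users are not Linux-enabled,
# so they carry no "uid", and their GUIDs differ only in the first byte,
# which is not valid UTF-8 either way.
EDIR_USER_1 = {"guid": bytes([0xFF]) + bytes(range(1, 16)), "cn": "jdoe", "givenName": "John"}
EDIR_USER_2 = {"guid": bytes([0xFE]) + bytes(range(1, 16)), "cn": "asmith", "givenName": "Anna"}
AD_USER = {"objectGUID": bytes(range(1, 17)), "cn": "jdoe", "givenName": "John"}

# Console defaults as Tomas saw them, GUID not declared binary.
EDIR_DEFAULT = ProviderConfig("edirectory")
# Corrected config: GUID read as binary, username from cn, firstName from givenName.
EDIR_FIXED = ProviderConfig(
    "edirectory",
    mappers={"username": "cn", "firstName": "givenName"},
    binary_attributes={"guid"},
)
AD_DEFAULT = ProviderConfig("ad", binary_attributes={"objectGUID"})


def edirectory_ids_collide():
    """True when the text decode gives both eDirectory users the same LDAP id."""
    return map_entry(EDIR_USER_1, EDIR_DEFAULT)["ldap_id"] == map_entry(EDIR_USER_2, EDIR_DEFAULT)["ldap_id"]


if __name__ == "__main__":
    print("default eDirectory config:", map_entry(EDIR_USER_1, EDIR_DEFAULT))
    print("ids collide:", edirectory_ids_collide())
    print("fixed eDirectory config:  ", map_entry(EDIR_USER_1, EDIR_FIXED))
    print("AD default config:        ", map_entry(AD_USER, AD_DEFAULT))
```

With the console defaults the first user gets `username=None` (no uid), `firstName="jdoe"` (cn instead of givenName), and an LDAP id that collides with the second user's; with the GUID declared binary and the two mappers overridden, the ids are distinct hex strings and the name fields come out as expected. The same override path is what Marek suggests: pick a vendor whose defaults are closest and change the UUID attribute name and mappers by hand.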