[keycloak-user] Suggestions and fix for e-directory user federation provider
Marek Posolda
mposolda at redhat.com
Fri Nov 25 04:29:20 EST 2016
On 24/11/16 13:32, Tomas Tikovsky wrote:
> Hello everyone,
>
> I'm using e-directory federation ldap provider and came to this bug
> KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099> as I was
> experiencing the same problem.
> e-Directory sends guid attribute as byte[] so it needs to be declared as
> binary the same way as it's done for activeDirectory.
> Sending simple diff to fix this issue if you consider this as helpful.
>
> Novell was acquired by Micro Focus and their product has been renamed to
> netIQ eDirectory so I incorporated that change as well.
Currently we don't have any support for netIQ eDirectory and we never
tested with it. Novell eDirectory was a community contribution.
Btw, if it uses the guid attribute in the same way as activeDirectory,
then maybe you can just select vendor: "Active Directory" and then just
change the name of the UUID attribute manually?
>
> Another thing I noted were 2 incorrect attribute mappings in administration
> console.
>
> "username" -> "uid"
> correct as long as users are enabled for linux (not default) otherwise cn.
> So cn should work for more cases than uid.
>
> "firstname" -> "cn"
> wrong, should be "givenname"
There is some best effort to create mappers according to which vendor
you choose. So for example if you select "Active Directory" it already
uses "cn" for username by default. For "OpenLDAP" it uses "uid" for
username etc. But all things can be configured/changed manually and you
have the possibility to configure mappers exactly according to your LDAP
environments (e.g. change firstName to "givenName" etc.).
Marek
>
> Cheers
>
> Tom
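The binary-attribute point raised in this thread, as an added example that is not part of the original messages and is not Keycloak's code: the JNDI LDAP provider returns attribute values as String unless the attribute is listed in `java.naming.ldap.attributes.binary`, and a 16-byte GUID decoded as text does not survive the round trip. The sample GUID bytes, the `ldap.example.test` URL and the helper names are constructed for illustration; the attribute name `guid` is taken from the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;

public class BinaryGuidDemo {
    // Constructed 16-byte sample value, not a GUID from any real directory.
    static final byte[] SAMPLE_GUID = {
        (byte) 0x9c, 0x01, (byte) 0xf3, 0x4a, (byte) 0xb7, 0x22, 0x4e, 0x10,
        (byte) 0x8d, (byte) 0xff, 0x00, 0x63, (byte) 0xc4, 0x5e, (byte) 0xa1, 0x7b
    };

    // Simulates a client that treats the raw value as UTF-8 text:
    // invalid sequences are replaced with U+FFFD, so the bytes change.
    static byte[] roundTripAsString(byte[] raw) {
        String asText = new String(raw, StandardCharsets.UTF_8);
        return asText.getBytes(StandardCharsets.UTF_8);
    }

    // Lossless textual form of the raw bytes, usable as a stable identifier.
    static String toHex(byte[] raw) {
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // JNDI environment asking the LDAP provider to hand back the listed
    // attributes (space-separated) as byte[] instead of String.
    static Hashtable<String, Object> ldapEnv(String url, String binaryAttrs) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put("java.naming.ldap.attributes.binary", binaryAttrs);
        return env;
    }

    public static void main(String[] args) {
        byte[] mangled = roundTripAsString(SAMPLE_GUID);
        System.out.println("raw bytes      : " + toHex(SAMPLE_GUID));
        System.out.println("via String     : " + toHex(mangled));
        System.out.println("survived intact: " + Arrays.equals(SAMPLE_GUID, mangled));
        // Hypothetical server URL; "guid" is the attribute named in the thread.
        System.out.println(ldapEnv("ldap://ldap.example.test:389", "guid"));
    }
}
```

Because the UUID attribute is what ties a federated account to its directory entry, a value mangled by text decoding is no longer a reliable key for that link.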