[keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP
Marek Posolda
mposolda at redhat.com
Mon Apr 3 03:32:13 EDT 2017
On 23/03/17 15:09, abhishek raghav wrote:
> Hi,
>
> We are completely blocked because of this particular use case of not
> syncing role-group relationship to LDAP, as we are not assigning role
> directly to the users, we are assigning the roles via group.
>
> I could see an "Admin event" of type CREATE and DELETE for any change
> in role assignment to a group. Here the Event Resource Type is
> "CLIENT_ROLE_MAPPING". Role details are also available here.
> Is it possible to write this info to LDAP, by writing a custom event
> listener, which gets triggered on when any role is assigned to a group.
Yes, that would be possible as workaround. Note that it will work just
in case that you always assign group-role relationship in Keycloak. Any
changes done directly in LDAP (not via Keycloak) won't work. Also you
would need to handle deletion (removal) of relationship if you need it.
Other possibilities (I already mentioned some in previous email, so just
repeating):
- Use just LDAP directly to manage assign relationships for roles-groups
- "User Roles Retrieve Strategy" to
"LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper to
ensure that LDAP will retrieve also the transitive membership mappings.
This works just for MSAD
Marek
>
> I know this approach sound a little off but i would like to know your
> thoughts on it.
>
> Could someone please suggest any workaround to solve this use case, as
> it seems to be not easily solvable by using LDAP mapper SPI given the
> fact that Keycloak doesn't support federation for groups or roles.
>
>
> We really appreciate any help in this regard.
>
>
>
>
> *- Best Regards*
> Abhishek Raghav
>
>
>
>
>
>
>
> On Mon, Mar 13, 2017 at 3:15 PM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> On 10/03/17 12:15, abhishek raghav wrote:
>> Thanks Marek.
>>
>> Is it possible by writing a *custom ldap mapper* and deploy in
>> Keycloak for this scenario.
>> We am using *MSAD *as our LDAP provider.
> The usecase you pointed, won't be easily solvable with LDAP mapper
> SPI. We don't have federation for groups or roles. So once you
> assign new role to some group in KC admin console, there is
> currently not a way to propagate this info and being visible by
> LDAP mappers.
>
> What would work is the opposite though. If you assign some LDAP
> group "foo-group" as "member" of LDAP role "bar-role", then you
> won't see membership between this group and role in KC admin
> console. However your users in Keycloak, which are members of
> "foo-group" will be automatically treated as members of "bar-role"
> in Keycloak as well. Note that you may need to switch "User Roles
> Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY"
> for your role mapper here.
>
> Marek
>
>>
>> If yes, do you have any example implementation for the same.
>> I also found that there is some SPI for User Federation Mapper SPI.
>> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html
>> <https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html>
>>
>>
>>
>>
>>
>> *- Best Regards*
>> Abhishek Raghav
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda
>> <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>> Yes, you're right. This is not available ATM. What is
>> available is the support for Keycloak group inheritance to be
>> mapped for LDAP groups. But mapping for:
>> - Groups-roles membership mappings
>> - Roles to composite roles membership mappings
>> is not available now.
>>
>> Feel free to create JIRA. But not sure if we ever go into it...
>>
>> Marek
>>
>>
>> On 10/03/17 11:31, abhishek raghav wrote:
>>
>> Hi
>>
>> I have a set of* Realm Roles* that is mapped to an
>> certain *OU=Roles* in an
>> *MSAD*. Similar is the case for a set of *Groups*.
>>
>> But when I *assign a group with a certain role, the
>> assignment is visible
>> in Keycloak. But the same is not reflected on the AD.*
>> I mean, this mapping of role and group is *not stored in
>> the "member" or
>> "memberof" attributes of either the respective group or
>> the role*.
>>
>> Please suggest is this functionality available using any
>> mapper from
>> Keycloak to AD? Or do we need to create our own Custom
>> Mapper? If yes, how?
>>
>>
>> *- Best Regards*
>> Abhishek Raghav
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>>
>>
>>
>
>
More information about the keycloak-user
mailing list