[keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP

John Bartko john.bartko at drillinginfo.com
Mon Apr 3 08:45:25 EDT 2017


Semi-related to the discussion, there is an open ticket for 389ds LDAP to
allow the memberOf attribute in groupOfNames objects via an auxiliary
object class: https://pagure.io/389-ds-base/issue/48985

On Mon, Apr 3, 2017 at 2:32 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 23/03/17 15:09, abhishek raghav wrote:
> > Hi,
> >
> > We are completely blocked because of this particular use case of not
> > syncing the role-group relationship to LDAP, as we are not assigning roles
> > directly to the users; we are assigning the roles via groups.
> >
> > I could see an "Admin event" of type CREATE and DELETE for any change
> > in role assignment to a group. Here the Event Resource Type is
> > "CLIENT_ROLE_MAPPING". Role details are also available here.
> > Is it possible to write this info to LDAP by writing a custom event
> > listener which gets triggered when any role is assigned to a group?
> Yes, that would be possible as a workaround. Note that it will work only
> if you always assign the group-role relationship in Keycloak. Any
> changes done directly in LDAP (not via Keycloak) won't work. Also you
> would need to handle deletion (removal) of the relationship if you need it.
>
> Other possibilities (I already mentioned some in a previous email, so just
> repeating):
> - Use LDAP directly to manage the role-group relationships
> - Set "User Roles Retrieve Strategy" to
> "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper to
> ensure that LDAP will also retrieve the transitive membership mappings.
> This works just for MSAD
>
> Marek
> >
> > I know this approach sounds a little off but I would like to know your
> > thoughts on it.
> >
> > Could someone please suggest any workaround to solve this use case, as
> > it seems not to be easily solvable using the LDAP mapper SPI, given the
> > fact that Keycloak doesn't support federation for groups or roles.
> >
> >
> > We really appreciate any help in this regard.
> >
> > *- Best Regards*
> >    Abhishek Raghav
> >
> > On Mon, Mar 13, 2017 at 3:15 PM, Marek Posolda <mposolda at redhat.com> wrote:
> >
> >     On 10/03/17 12:15, abhishek raghav wrote:
> >>     Thanks Marek.
> >>
> >>     Is it possible by writing a *custom LDAP mapper* and deploying it
> >>     in Keycloak for this scenario?
> >>     We are using *MSAD* as our LDAP provider.
> >     The use case you pointed out won't be easily solvable with the LDAP
> >     mapper SPI. We don't have federation for groups or roles. So once you
> >     assign a new role to some group in the KC admin console, there is
> >     currently no way to propagate this info and make it visible to
> >     LDAP mappers.
> >
> >     What would work is the opposite though. If you assign some LDAP
> >     group "foo-group" as a "member" of LDAP role "bar-role", then you
> >     won't see the membership between this group and role in the KC admin
> >     console. However your users in Keycloak who are members of
> >     "foo-group" will be automatically treated as members of "bar-role"
> >     in Keycloak as well. Note that you may need to switch "User Roles
> >     Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY"
> >     for your role mapper here.
> >
> >     Marek
> >
> >>
> >>     If yes, do you have any example implementation for the same?
> >>     I also found that there is a User Federation Mapper SPI:
> >>     https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html
> >>
> >>     *- Best Regards*
> >>      Abhishek Raghav
> >>
> >>     On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda <mposolda at redhat.com> wrote:
> >>
> >>         Yes, you're right. This is not available ATM. What is
> >>         available is the support for Keycloak group inheritance to be
> >>         mapped for LDAP groups. But mapping for:
> >>         - Groups-roles membership mappings
> >>         - Roles to composite roles membership mappings
> >>         is not available now.
> >>
> >>         Feel free to create JIRA. But not sure if we ever go into it...
> >>
> >>         Marek
> >>
> >>
> >>         On 10/03/17 11:31, abhishek raghav wrote:
> >>
> >>             Hi
> >>
> >>             I have a set of *Realm Roles* that is mapped to a
> >>             certain *OU=Roles* in an
> >>             *MSAD*. Similar is the case for a set of *Groups*.
> >>
> >>             But when I *assign a certain role to a group, the
> >>             assignment is visible
> >>             in Keycloak, but the same is not reflected in the AD.*
> >>             I mean, this mapping of role and group is *not stored in
> >>             the "member" or
> >>             "memberOf" attributes of either the respective group or
> >>             the role*.
> >>
> >>             Please suggest: is this functionality available using any
> >>             mapper from
> >>             Keycloak to AD? Or do we need to create our own custom
> >>             mapper? If yes, how?
> >>
> >>
> >>             *- Best Regards*
> >>                 Abhishek Raghav
> >>             _______________________________________________
> >>             keycloak-user mailing list
> >>             keycloak-user at lists.jboss.org
> >>             https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
>
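The event-listener workaround Marek describes (react to the CREATE/DELETE admin events of resource type CLIENT_ROLE_MAPPING or REALM_ROLE_MAPPING and write the group-role link into LDAP yourself, including the removal case) boils down to translating each event into a `member` modification on the role entry. The following is an added example, not Keycloak's code or anything from this thread: the event dicts are constructed to mirror the AdminEvent fields named above, and the `resourcePath` shape (`groups/<id>/role-mappings/...`), the `OU=Roles`/`OU=Groups` DN layout and the `group_name_by_id` lookup are assumptions for the illustration.

```python
"""Turn Keycloak admin events for group <-> role mappings into the LDAP
'member' modifications that would keep OU=Roles in sync.

Added example, not Keycloak's own code. The event dicts mirror the
AdminEvent fields named in the thread (operationType CREATE/DELETE,
resourceType CLIENT_ROLE_MAPPING or REALM_ROLE_MAPPING); the resourcePath
shape and the DN layout below are assumptions for the illustration.
"""
import json
from dataclasses import dataclass

# Assumed directory layout (where the Keycloak role/group mappers point).
ROLES_BASE_DN = "OU=Roles,DC=example,DC=com"
GROUPS_BASE_DN = "OU=Groups,DC=example,DC=com"

# Admin event operation -> LDAP modify operation on the role entry.
OP_TO_LDAP = {"CREATE": "add", "DELETE": "delete"}


@dataclass(frozen=True)
class LdapMod:
    op: str     # "add" or "delete"
    dn: str     # role entry whose 'member' attribute changes
    attr: str   # always "member" here
    value: str  # DN of the group being (un)assigned


def group_dn(name):
    return f"CN={name},{GROUPS_BASE_DN}"


def role_dn(name):
    # Assumption: client roles live in the same OU as realm roles.
    return f"CN={name},{ROLES_BASE_DN}"


def plan_mods(event, group_name_by_id):
    """Return the LDAP modifications implied by one admin event.

    Only group role-mappings are handled; user role-mappings and other
    resource types yield no modifications. group_name_by_id maps the
    Keycloak group id from the resource path to the group's LDAP CN.
    """
    if event.get("resourceType") not in ("REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        return []
    ldap_op = OP_TO_LDAP.get(event.get("operationType"))
    if ldap_op is None:  # UPDATE / ACTION carry no membership change
        return []
    # Assumed path shape: groups/<id>/role-mappings/realm or .../clients/<client-id>
    parts = event.get("resourcePath", "").split("/")
    if len(parts) < 3 or parts[0] != "groups" or parts[2] != "role-mappings":
        return []
    group = group_name_by_id.get(parts[1])
    if group is None:
        return []  # group is not LDAP-backed: nothing to write
    # The representation is a JSON list of RoleRepresentation; it is only
    # present when admin events are configured to include representations.
    representation = event.get("representation")
    if not representation:
        return []
    roles = json.loads(representation)
    return [LdapMod(ldap_op, role_dn(r["name"]), "member", group_dn(group))
            for r in roles]


def to_ldif(mods):
    """Render the modifications as LDIF change records (for review or ldapmodify)."""
    out = []
    for m in mods:
        out.append(f"dn: {m.dn}\nchangetype: modify\n{m.op}: {m.attr}\n"
                   f"{m.attr}: {m.value}\n-\n")
    return "".join(out)


# Constructed sample events, as a listener would receive them.
SAMPLE_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "groups/1111-2222/role-mappings/realm",
     "representation": json.dumps([{"name": "bar-role"}])},
    {"operationType": "DELETE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "groups/1111-2222/role-mappings/clients/3333-4444",
     "representation": json.dumps([{"name": "client-role"}])},
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/5555/role-mappings/realm",  # direct user mapping: ignored
     "representation": json.dumps([{"name": "bar-role"}])},
]
SAMPLE_GROUPS = {"1111-2222": "foo-group"}


def plan_all(events=SAMPLE_EVENTS, groups=SAMPLE_GROUPS):
    return [m for e in events for m in plan_mods(e, groups)]


if __name__ == "__main__":
    print(to_ldif(plan_all()))
```

The DELETE branch is what covers the removal case Marek mentions. What this cannot cover is the other caveat from his reply: a `member` value added or removed directly in LDAP never produces a Keycloak admin event, so a listener like this only stays correct if every group-role change goes through Keycloak.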

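Marek's "opposite direction" note (make `foo-group` a `member` of `bar-role` in LDAP; Keycloak then treats users of `foo-group` as holding `bar-role`, provided the role mapper uses `LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY`) is a transitive walk up the `member` chains. The following added example, not Keycloak's implementation, shows that walk over a constructed in-memory directory, including a nested-group cycle, and contrasts it with a one-hop lookup, which is what leaves the group-role link invisible in the admin console. The final helper builds an Active Directory matching-rule-in-chain filter; that AD-only server feature is my assumption for why the recursive strategy works only for MSAD.

```python
"""Resolve effective roles by walking LDAP 'member' chains upward
(user -> group -> nested group -> role), the behaviour the thread
attributes to LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY.

Added example with a constructed in-memory directory; not Keycloak's code.
"""
from collections import deque

ROLES_BASE_DN = "OU=Roles,DC=example,DC=com"

# Constructed entries: dn -> attributes. 'member' lists the DNs that belong
# to the entry, as on an MSAD 'group' object.
DIRECTORY = {
    "CN=bar-role,OU=Roles,DC=example,DC=com": {
        "member": ["CN=foo-group,OU=Groups,DC=example,DC=com"]},
    "CN=foo-group,OU=Groups,DC=example,DC=com": {
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=sub-group,OU=Groups,DC=example,DC=com"]},
    # sub-group is nested in foo-group and also lists foo-group as a member:
    # a cycle that a naive recursion would loop on.
    "CN=sub-group,OU=Groups,DC=example,DC=com": {
        "member": ["CN=bob,OU=Users,DC=example,DC=com",
                   "CN=foo-group,OU=Groups,DC=example,DC=com"]},
    "CN=alice,OU=Users,DC=example,DC=com": {},
    "CN=bob,OU=Users,DC=example,DC=com": {},
    "CN=carol,OU=Users,DC=example,DC=com": {},
}


def _norm(dn):
    # DNs compare case-insensitively; good enough for this constructed data.
    return dn.lower()


def containers_of(directory):
    """Reverse index: member DN -> set of entries listing it as 'member'."""
    index = {}
    for dn, attrs in directory.items():
        for member in attrs.get("member", []):
            index.setdefault(_norm(member), set()).add(dn)
    return index


def _is_role(dn, roles_base):
    return _norm(dn).endswith("," + _norm(roles_base))


def direct_roles(dn, directory=DIRECTORY, roles_base=ROLES_BASE_DN):
    """Roles that list dn directly as 'member' (what a one-hop lookup sees)."""
    index = containers_of(directory)
    return {c for c in index.get(_norm(dn), set()) if _is_role(c, roles_base)}


def effective_roles(dn, directory=DIRECTORY, roles_base=ROLES_BASE_DN):
    """Roles reachable by following 'member' chains upward from dn.

    Breadth-first with a visited set, so nested and cyclic group
    membership terminates.
    """
    index = containers_of(directory)
    seen = {_norm(dn)}
    queue = deque([dn])
    roles = set()
    while queue:
        current = queue.popleft()
        for container in index.get(_norm(current), set()):
            if _norm(container) in seen:
                continue
            seen.add(_norm(container))
            if _is_role(container, roles_base):
                roles.add(container)
            else:
                queue.append(container)  # a group: keep climbing
    return roles


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    value = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, code)
    return value


# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN lets the server perform the
# transitive walk above in a single query. Assumed here to be why the
# recursive strategy is MSAD-only; not a claim about Keycloak's exact query.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def roles_in_chain_filter(user_dn, attr="member"):
    """Filter matching every entry that transitively contains user_dn."""
    return f"({attr}:{IN_CHAIN_OID}:={escape_filter_value(user_dn)})"


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    print("direct   :", direct_roles(alice))     # empty: alice is only in a group
    print("effective:", effective_roles(alice))  # bar-role, via foo-group
    print(roles_in_chain_filter(alice))
```

`direct_roles("CN=foo-group,...")` does show `bar-role`, which is the one-hop view an LDAP browser gives you; `direct_roles(alice)` is empty, and only the recursive walk attributes `bar-role` to alice (and to bob, two hops down through the nested group). The escaping helper matters whenever a user-supplied DN or name ends up inside a filter string.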
