[keycloak-user] How to retrieve Organizational Unit from LDAP?

Celso Agra celso.agra at gmail.com
Sat Apr 8 10:20:05 EDT 2017


Sorry for my late answer...

Got it! In fact, my solution will solve only a particular problem. I'm
using *slapd* here, so I'll take a look at "entryDN".

Thanks Marek!

2017-04-03 4:24 GMT-03:00 Marek Posolda <mposolda at redhat.com>:

> Hi,
>
> it looks like the new option "Read from base DN" is not needed, as LDAP vendors
> usually have an attribute with the DN available on the LDAP object. For MSAD it is
> the "distinguishedName" attribute, for some others like OpenLDAP it is
> "entryDN". So you can just configure the OOTB UserAttribute mapper with this
> attribute mapped?
>
> TBH this use case seems to be quite specific to your needs, so I'm not sure if
> it's good to have this OOTB, as every feature and new option adds some
> complexity. The idea is that people can use OOTB mappers for the more common
> functionalities and create their own mapper if they need something advanced
> and domain specific. And this looks to me like the second case TBH. At
> least I never saw anyone else asking for this.
>
> Marek
>
>
> On 31/03/17 12:35, Celso Agra wrote:
>
> I was thinking of creating a PR for the class UserAttributeLDAPStorageMapper.
> Would it be possible to do that?
> I created a fork for that --> https://github.com/keycloak/keycloak/compare/3.0.x...celsoagra:master
>
> and here is the attached file with an idea (just a simple idea!! ).
>
> 2017-03-31 3:44 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>
>> Yes, I would likely create a subclass of this one and override some method,
>> so the attribute value is just your ou and not the full DN. Just a note that
>> the LDAP Mapper SPI is unsupported and some method signatures can change in the
>> future etc.
>>
>> Marek
>>
>>
>> On 31/03/17 02:44, Celso Agra wrote:
>>
>> Maybe this class could help me to create a new Mapper:
>>
>> https://github.com/keycloak/keycloak/blob/94afba91a0d3f51021e036796c536747cc33796e/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.java
>>
>> 2017-03-30 21:31 GMT-03:00 Celso Agra <celso.agra at gmail.com>:
>>
>>> Thanks Marek! For now, I'm using the (a) option!
>>>
>>> But I think it would be possible to implement an LDAP Mapper in the future,
>>> just to get the "ou" info.
>>> I'll take a look at the code and try to add a new Mapper Type.
>>>
>>> Thanks again! This is a really great tool!
>>>
>>> 2017-03-30 16:33 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>>>
>>>> There is no built-in support for this. However you can achieve it by
>>>> doing any of:
>>>>
>>>> a) Map the LDAP_ENTRY_DN as an attribute in your token and then have some
>>>> logic in your application (or wherever it is needed) that will just parse the
>>>> name of the OU from the full DN.
>>>> b) Create a custom LDAP mapper, which will do the above. Then it will
>>>> be available in user attributes.
>>>> c) Create a protocol mapper, which will do the above. The user attribute will
>>>> still contain just LDAP_ENTRY_DN, but you will have a claim in the token with
>>>> the value of your OU.
>>>>
>>>> I would personally go with (a) and handle it in your app if possible.
>>>> That's the easiest path IMO.
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 30/03/17 20:20, Celso Agra wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'd like to retrieve the organizational unit (ou) from the LDAP Mapper and
>>>>> set this in the User Attributes.
>>>>>
>>>>> When I get a user from LDAP, it sets an attribute called LDAP_ENTRY_DN,
>>>>> with value: "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
>>>>>
>>>>> So, I'd like to retrieve just the ou info "group", and set this to the
>>>>> user attribute.
>>>>> Would it be possible to do that? Is there some mapper type just to
>>>>> retrieve this information?
>>>>>
>>>>> Best Regards,
>>>>>
>>>>>


-- 
---
*Celso Agra*
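Option (a) from Marek's reply, parsing the OU out of LDAP_ENTRY_DN in the application, as an added example that is not part of this thread. Only the first DN below is taken from the question; the others are constructed to show why a plain split on "," is not enough: RFC 4514 lets a value carry an escaped comma ("\," or "\2C"), so an entry whose cn contains ",ou=..." would make a naive parser return the wrong OU, which matters if the OU is later used for authorization.

```python
from typing import Optional

# Constructed sample DNs; the first copies the shape quoted in the question.
SAMPLE_DN = "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
TRICKY_DN = r"cn=Doe\,ou=spoofed,ou=Sales,dc=example,dc=com"  # escaped comma in cn

def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, but not on a separator that is backslash-escaped (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):  # keep the escape pair intact
            cur.append(text[i:i + 2]); i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value: str) -> str:
    """Decode RFC 4514 escapes: '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16)); i += 3  # hex byte (may be part of UTF-8)
            else:
                raw.extend(value[i + 1].encode()); i += 2  # '\,' '\+' '\\' ...
        else:
            raw.extend(value[i].encode()); i += 1
    return raw.decode("utf-8", errors="replace")

def nearest_ou(dn: str) -> Optional[str]:
    """Value of the leaf-most 'ou' RDN in dn, or None if the DN has no ou."""
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):  # multi-valued RDNs join with '+'
            attr, eq, value = ava.partition("=")
            if eq and attr.strip().lower() == "ou":
                return _unescape(value.strip())
    return None

def naive_ou(dn: str) -> Optional[str]:
    """Plain split(',') for contrast: an escaped ',ou=' inside cn fools it."""
    for rdn in dn.split(","):
        if rdn.lower().startswith("ou="):
            return rdn[3:]
    return None
```

nearest_ou(TRICKY_DN) returns "Sales", while naive_ou(TRICKY_DN) returns "spoofed".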

