[keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
Marek Posolda
mposolda at redhat.com
Wed Feb 8 06:17:47 EST 2017
There should be
On 08/02/17 10:41, Salvatore Incandela wrote:
> This is what is see from log files:
> /2017-02-08 10:36:41,667 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
> (default task-44) Found ldap object and populated with the attributes.
> LDAP Object: LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it
> , uuid: example, attributes: {uid=[example],
> userPassword=[[B at 6ba1b2f0], mail=[example at example.it
> <mailto:example at example.it>], givenName=[example], sn=[example],
> title=[disabled], modifyTimestamp=[20170207194557Z],
> createTimestamp=[20170207114007Z]}, readOnly attribute names:
> [givenname, sn, userpassword, mail, uid, modifytimestamp, title,
> createtimestamp] ]/
Any other TRACE message like "Using filter for LDAP search ....."?
>
> Why in the case of UUID search the Custom User LDAP Filter is ignored?
Yes, it is used just at the point when you're searching LDAP, for example
by username, email etc. When you search by UUID, you look up the
concrete LDAP object by id, which you already retrieved before. You can
try to search, for example from the admin console, to see the filters applied.
Marek
>
> On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> On 07/02/17 16:12, Salvatore Incandela wrote:
>
> Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation. I put a custom
> query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but
> this seems to be ignored.
> Looking at the LDAPIdentityStore.fetchQueryResults method, it seems that
> once an EqualsCondition is found, this one is considered and the others
> ignored.
>
> if (condition instanceof EqualCondition) {
>     ...
>     return results;
> }
>
> Nope, if you look at the code more deeply, you can find that this
> one is used just for the special case when you query by UUID.
>
> Maybe it can help to enable TRACE logging for the class
> org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your
> standalone.xml . With this enabled, you should be able to see some
> additional logging messages in server.log like:
>
> TRACE Using filter for LDAP search: ...
>
> you can see in which DN you're searching and what exactly your LDAP
> filter looks like. Hopefully this can help to figure out what is wrong.
>
> Marek
>
>
> I'm sure that I'm doing something wrong, some ideas?
>
>
>
>
>
> --
> Salvatore Incandela
> Middleware Consultant
> ------------------------------
> Red Hat - www.redhat.com <http://www.redhat.com/>
> Via Andrea Doria 41M
> 00192 Roma (Italy)
> Mobile +39 349 6196615
> Fax +39 06 39728535
> E-mail salvatore.incandela at redhat.com
> <mailto:salvatore.incandela at redhat.com>
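An added example (not Keycloak's own code) that mirrors the behaviour Marek describes: the custom filter is ANDed into the search filter when a user is looked up by username or email, while a lookup by an already-known UUID returns the object directly. The in-memory directory, the `inetOrgPerson` object class and all function names are assumptions.

```python
import re

# Constructed in-memory "directory" keyed by entry UUID (stands in for a real LDAP server).
DIRECTORY = {
    "u-1": {"objectClass": "inetOrgPerson", "uid": "alice", "title": "enabled"},
    "u-2": {"objectClass": "inetOrgPerson", "uid": "example", "title": "disabled"},
}
USER_OBJECT_CLASSES = ["inetOrgPerson"]   # assumed "User Object Classes" setting
CUSTOM_FILTER = "(title=enabled)"         # the "Custom User LDAP Filter" from the thread


def escape_filter_value(value):
    """Escape a value placed inside an LDAP filter (RFC 4515), so user input
    such as a username cannot alter the filter structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_search_filter(attr, value, custom_filter=None):
    """Compose the filter used when searching by username, email, etc.:
    objectClass terms AND the attribute term AND the admin's custom filter."""
    parts = [f"(objectClass={escape_filter_value(oc)})" for oc in USER_OBJECT_CLASSES]
    parts.append(f"({attr}={escape_filter_value(value)})")
    if custom_filter:
        if not (custom_filter.startswith("(") and custom_filter.endswith(")")):
            raise ValueError("custom filter must be a parenthesised LDAP filter")
        parts.append(custom_filter)
    return "(&" + "".join(parts) + ")"


_EQUALITY_TERM = re.compile(r"\((\w+)=([^()*]+)\)")


def search_users(attr, value, custom_filter=None):
    """Evaluate the composed filter over DIRECTORY. Simplification: only a
    conjunction of equality terms is understood (enough for this thread)."""
    terms = _EQUALITY_TERM.findall(build_user_search_filter(attr, value, custom_filter))
    return [uuid for uuid, entry in DIRECTORY.items()
            if all(entry.get(a) == v for a, v in terms)]


def lookup_by_uuid(uuid):
    """Direct lookup of an object whose id is already known: the custom
    filter is never consulted, so a title=disabled entry is still returned."""
    return DIRECTORY.get(uuid)
```

Searching for uid=example with the custom filter returns nothing, yet the same object is still returned by its UUID, which is the situation in the TRACE output above.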