[keycloak-user] Issue with LDAP federation import
Kevin Berendsen
kevin.berendsen at pharmapartners.nl
Mon Feb 13 07:57:43 EST 2017
Hi Harish
There's a workaround and it's a little tricky and might need some more effort.
Our LDAP structure is a little vague and different from what it should be, but that choice was made a long time ago. However, our workaround could be applied to your issue as well. Pick an attribute of your LDAP object that is absolutely unique to any object, like the username should be but then another object.
For example:
Pick attribute veryUniqueAttr instead of uid as username.
Then develop your own authenticator:
* Queries for users based on the actual username and might return multiple users;
* Iterate through the users and check if the password matches the input;
* If the password matches, then set the context to success and set the last iterated user as user into the session.
* If none matches, then login failed.
It's simple and effective but I don't like the sound of it. I highly recommend you create TWO realms instead. Google for 'Keycloak multi-tenant' and you'd find an easy way to use the same Keycloak Client with two realms and I think that may solve your problem.
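An added illustration of the authenticator sketched above; it is not code from this thread or from Keycloak itself. It assumes the Keycloak Authenticator SPI of that era, an LDAP attribute mapper that copies the real login name into a user attribute named "uid" (the Keycloak username holding the unique attribute instead), and an AuthenticatorFactory registered separately that is omitted here; it goes one step beyond the sketch by failing closed when more than one candidate accepts the password.

```java
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;
// Assumption: an LDAP mapper stores the real login name in user attribute "uid".
public class UidPasswordAuthenticator implements Authenticator {
    private static final String LOGIN_ATTR = "uid";
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createLoginUsernamePassword()); // show login form
    }
    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String login = form.getFirst("username");
        String password = form.getFirst("password");
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        List<UserModel> matched = new ArrayList<>();
        if (login != null && password != null && !password.isEmpty()) {
            // Candidates: every imported user whose uid attribute equals the typed login name
            for (UserModel u : session.users().searchForUserByUserAttribute(LOGIN_ATTR, login, realm)) {
                if (u.isEnabled() && session.userCredentialManager()
                        .isValid(realm, u, UserCredentialModel.password(password))) {
                    matched.add(u);
                }
            }
        }
        // Fail closed unless exactly one candidate accepted the password: zero means
        // wrong credentials, two or more means the login is ambiguous.
        if (matched.size() != 1) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError(Messages.INVALID_USER).createLoginUsernamePassword());
            return;
        }
        context.setUser(matched.get(0));
        context.success();
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

With LDAP federation, each isValid call delegates to the federation provider, so one LDAP bind is attempted per candidate user.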
-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of harish jadhav
Sent: Monday, February 13, 2017 13:24
To: keycloak-user at lists.jboss.org; Bill Burke <bburke at redhat.com>
Subject: Re: [keycloak-user] Issue with LDAP federation import
Team,
Can someone help on this please?
Thanks
Harish
On Friday, February 10, 2017 9:47 PM, harish jadhav <harishjadhav1979 at yahoo.com> wrote:
Hi Team,
Thanks for the immediate response. As both users are different persons and reside in different domains with different email ids, I was expecting it to treat them as different users, and in fact objectguid will be different for both users. And as both users belong to the same organisation, I can't use a different realm either.
Is there any workaround available for this?
Thanks
Harish
--------------------------------------------
On Fri, 2/10/17, Bill Burke <bburke at redhat.com> wrote:
Subject: Re: [keycloak-user] Issue with LDAP federation import
To: keycloak-user at lists.jboss.org
Date: Friday, February 10, 2017, 8:27 PM
You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.
On 2/10/17 9:32 AM, harish jadhav wrote:
> Hello Keycloak Team,
>
> I am new to Keycloak and trying to integrate with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
>
> However, one issue which I am facing is that I am unable to import one particular user by the second federation - I have one user having name ronny at tkd.com with username Ronny in 172.16.11.100 and ronny at teckno.com with the same username Ronny in 172.16.12.100. The error I am getting is
>
> User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
>
> Can you please help on how to sync both users, as technically both users are different, having different email ids and domains.
>
> Thanks in advance.
> Thanks
> Harish
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user