[keycloak-user] LDAP Attribute to Keycloak Role
Marek Posolda
mposolda at redhat.com
Tue Jan 24 05:16:34 EST 2017
It seems that the attribute "sRoles" is your own extension to the LDAP
schema. Is that correct? I can't see anything like that in the standard
LDAP schema.
We currently don't have what you mentioned OOTB though. Not sure if we
should add that OOTB, as it seems you're the only one requesting this so
far. One thing our roleMapper supports is that roles can be
retrieved from the "memberOf" attribute on the user record. This is LDAP
standard.
For example, an LDAP user record has something like this:
memberOf: CN=realmRole1,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test
memberOf: CN=realmRole2,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test
and based on that, we assign him roles "role1" and "role2" on Keycloak
side. This is used when you select "User Roles Retrieve Strategy" of
role mapper to "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE".
But note that the implementation has the attribute name hardcoded to "memberOf"
and also it must contain the full DN of the particular role, not just the
name. Feel free to create your own implementation. You can take a look
at the RoleLDAPStorageMapper and UserRolesRetrieveStrategy Java classes for
inspiration. Maybe you can override RoleLDAPStorageMapper though.
Marek
On 23/01/17 10:19, Adrian Madaras wrote:
> Hi everybody,
> I am trying to map a user attribute named 'sRoles' from LDAP to Roles in Keycloak. Is this possible? I could not find any reference regarding this online and I think it's a subject that a lot of people would be interested in.
> Thanks in advance,
> Adrian
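As an added illustration (not code from the thread or from Keycloak), the following Python mirrors the memberOf behaviour Marek describes: a value only yields a role when it is the full DN of an entry directly under the roles DN, and the role name is taken from its CN. The roles DN and the sample memberOf values are constructed from the thread; the DN splitting is a simplified RFC 4514 parser that handles backslash-escaped commas.

```python
# Added example: deriving Keycloak role names from LDAP memberOf values the way
# GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE is described in the thread. Not Keycloak code.

ROLES_DN = "OU=RealmRoles,O=keycloak,DC=foodomain,DC=test"  # taken from the thread

SAMPLE_MEMBEROF = [  # constructed sample user record values
    "CN=realmRole1,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test",
    "CN=realmRole2,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test",
    "CN=Domain Users,CN=Users,DC=foodomain,DC=test",  # a group elsewhere: ignored
    "realmRole3",  # bare name, as a custom sRoles attribute would hold: ignored
]


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas inside a value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_value(rdn):
    """Return (attribute type lowercased, unescaped value) for one RDN string."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().replace("\\,", ",")


def _norm(rdns):
    # DN attribute values compare case-insensitively for the parent match
    return [(attr, value.lower()) for attr, value in rdns]


def roles_from_memberof(memberof_values, roles_dn=ROLES_DN):
    """Role names for memberOf values that are CN entries directly under roles_dn."""
    parent = _norm(rdn_value(r) for r in split_dn(roles_dn))
    roles = []
    for value in memberof_values:
        rdns = [rdn_value(r) for r in split_dn(value)]
        # exactly one RDN deeper than the roles DN, parent must match, leaf must be a CN
        if len(rdns) != len(parent) + 1 or _norm(rdns[1:]) != parent or rdns[0][0] != "cn":
            continue  # not a role DN: a group in another subtree or a bare name
        roles.append(rdns[0][1])
    return roles
```

Running roles_from_memberof(SAMPLE_MEMBEROF) yields only the two entries under the RealmRoles OU; the bare "realmRole3" is dropped, which is exactly why a name-only attribute like sRoles needs a custom mapper.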