[keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP

abhishek raghav abhi.raghav007 at gmail.com
Thu Mar 23 10:09:51 EDT 2017


Hi,

We are completely blocked because of this particular use case of not
syncing the role-group relationship to LDAP, as we are not assigning roles
directly to the users; we are assigning the roles via groups.

I could see an "Admin event" of type CREATE and DELETE for any change in
role assignment to a group. Here the Event Resource Type is
"CLIENT_ROLE_MAPPING". Role details are also available here.
Is it possible to write this info to LDAP by writing a custom event
listener which gets triggered when any role is assigned to a group?

I know this approach sounds a little off, but I would like to know your
thoughts on it.

Could someone please suggest any workaround to solve this use case, as it
seems not to be easily solvable using the LDAP mapper SPI, given the fact
that Keycloak doesn't support federation for groups or roles.


We really appreciate any help in this regard.




*- Best Regards*
   Abhishek Raghav
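As an added illustration of the listener approach asked about above (example code, not from this thread, Keycloak or Red Hat): an EventListenerProvider that reacts to CREATE and DELETE admin events of resource type CLIENT_ROLE_MAPPING or REALM_ROLE_MAPPING on a group and mirrors them into the MSAD role entry's "member" attribute, the direction Marek describes as readable by the LDAP role mapper. It assumes the DirContext, the OU base DNs, the provider factory and its service registration (not shown), and that "Include Representation" is enabled for admin events so the role list arrives in the event; role and group names are RDN-escaped so a crafted name cannot redirect the write to another entry.

```java
import javax.naming.NamingException;
import javax.naming.directory.*;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.admin.*;
import org.keycloak.models.*;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.util.JsonSerialization;

public class GroupRoleLdapSyncListener implements EventListenerProvider {
    private final KeycloakSession session;
    private final DirContext ldap;   // assumed: bound to MSAD with write rights by the (omitted) factory
    private final String groupsBase; // assumed, e.g. "OU=Groups,DC=example,DC=com"
    private final String rolesBase;  // assumed, e.g. "OU=Roles,DC=example,DC=com"
    public GroupRoleLdapSyncListener(KeycloakSession session, DirContext ldap, String groupsBase, String rolesBase) {
        this.session = session; this.ldap = ldap; this.groupsBase = groupsBase; this.rolesBase = rolesBase;
    }
    @Override public void onEvent(Event event) { } // user events (logins etc.): nothing to sync
    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {
        ResourceType type = event.getResourceType();
        if (type != ResourceType.CLIENT_ROLE_MAPPING && type != ResourceType.REALM_ROLE_MAPPING) return;
        OperationType op = event.getOperationType();
        if (op != OperationType.CREATE && op != OperationType.DELETE) return;
        String[] path = event.getResourcePath().split("/"); // "groups/<id>/role-mappings/..."; "users/..." skipped
        if (!"groups".equals(path[0]) || path.length < 2 || event.getRepresentation() == null) return; // needs Include Representation
        GroupModel group = session.realms().getRealm(event.getRealmId()).getGroupById(path[1]);
        if (group == null) return;
        String groupDn = "CN=" + escapeRdn(group.getName()) + "," + groupsBase;
        int modOp = op == OperationType.CREATE ? DirContext.ADD_ATTRIBUTE : DirContext.REMOVE_ATTRIBUTE;
        try {
            RoleRepresentation[] roles = JsonSerialization.readValue(event.getRepresentation(), RoleRepresentation[].class);
            for (RoleRepresentation role : roles) { // mirror the mapping as "group is a member of role"
                ldap.modifyAttributes("CN=" + escapeRdn(role.getName()) + "," + rolesBase, new ModificationItem[] {
                    new ModificationItem(modOp, new BasicAttribute("member", groupDn)) });
            }
        } catch (java.io.IOException | NamingException e) { throw new RuntimeException("LDAP group/role sync failed for " + event.getResourcePath(), e); }
    }
    // RFC 4514 escaping, so a role or group named "x,OU=Admins" cannot redirect the write to another entry
    static String escapeRdn(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i); // specials anywhere; '#' only when first; space only when first or last
            if (",+\"\\<>;".indexOf(c) >= 0 || (c == '#' && i == 0) || (c == ' ' && (i == 0 || i == v.length() - 1))) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
    @Override public void close() { }
}
```

The listener only mirrors changes made after it is deployed; existing group-role mappings still need a one-off initial sync, and the directory account it binds with should be restricted to writing "member" under the roles OU.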







On Mon, Mar 13, 2017 at 3:15 PM, Marek Posolda <mposolda at redhat.com> wrote:

> On 10/03/17 12:15, abhishek raghav wrote:
>
> Thanks Marek.
>
> Is it possible by writing a *custom LDAP mapper* and deploying it in Keycloak
> for this scenario?
> We are using *MSAD* as our LDAP provider.
>
> The use case you pointed to won't be easily solvable with the LDAP mapper SPI. We
> don't have federation for groups or roles. So once you assign a new role to
> some group in the KC admin console, there is currently no way to propagate
> this info so that it is visible to LDAP mappers.
>
> What would work is the opposite, though. If you assign some LDAP group
> "foo-group" as a "member" of LDAP role "bar-role", then you won't see the
> membership between this group and role in the KC admin console. However, your
> users in Keycloak who are members of "foo-group" will be automatically
> treated as members of "bar-role" in Keycloak as well. Note that you may
> need to switch "User Roles Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY"
> for your role mapper here.
>
> Marek
>
>
> If yes, do you have any example implementation for the same?
> I also found that there is a User Federation Mapper SPI:
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html
>
>
>
>
>
> *- Best Regards*
>    Abhishek Raghav
>
>
>
>
>
>
>
> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Yes, you're right. This is not available ATM. What is available is
>> support for Keycloak group inheritance to be mapped to LDAP groups. But
>> mapping for:
>> - Group-role membership mappings
>> - Role-to-composite-role membership mappings
>> is not available now.
>>
>> Feel free to create a JIRA. But not sure if we'll ever get to it...
>>
>> Marek
>>
>>
>> On 10/03/17 11:31, abhishek raghav wrote:
>>
>>> Hi
>>>
>>> I have a set of *Realm Roles* that is mapped to a certain *OU=Roles* in
>>> an *MSAD*. Similar is the case for a set of *Groups*.
>>>
>>> But when I *assign a certain role to a group, the assignment is visible
>>> in Keycloak. But the same is not reflected in the AD.*
>>> I mean, this mapping of role and group is *not stored in the "member" or
>>> "memberof" attributes of either the respective group or the role*.
>>>
>>> Please suggest whether this functionality is available using any mapper from
>>> Keycloak to AD. Or do we need to create our own custom mapper? If yes,
>>> how?
>>>
>>>
>>> *- Best Regards*
>>>     Abhishek Raghav