[keycloak-user] Users (related to LDAP) are gone when I change the username

Marek Posolda mposolda at redhat.com
Thu Oct 12 02:54:30 EDT 2017 

Cool, that works as long as you're creating users just through our admin 
REST api. It might not work in some other cases (for example if you're 
doing self-registration of users) without some other tweaks in 
authenticators or mappers level.

Anyway, cool that it's sorted for you :)

Marek

On 12/10/17 03:01, Celso Agra wrote:
> There's a different kind of emails on my project, such as 
> John at company01.br <mailto:John at company01.br>, and also another John 
> from another company, such as John at company02.br 
> <mailto:John at company02.br>.
>
> So... I solve that, using System.currentTimeMilis(); as username. This 
> could be unique and non-changeable.
>
> Thanks again Marek!
>
> Best Regards,
>
> Celso Agra
>
> Em qua, 11 de out de 2017 às 03:34, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> escreveu:
>
>     Yes, I was wondering that maybe you will see some error like this.
>     And +1 to set some other non-changeable attribute as "uid" . I am
>     sure that it's doable with custom LDAP mapper, which will add the
>     value just during the registration time, but not update it later.
>     Maybe the best is to use just the first part of the "initial"
>     email as username. Something like:
>
>     - User registers with john123 at email.com <mailto:john123 at email.com>
>     - Mapper will extract, just the first part of the email, so
>     "john123" and use it as RDN of LDAP. So user in LDAP will be saved
>     like "uid=john123,cn=users,dc=example,dc=com"
>     - When email is changed to "john123-updated at email.cz"
>     <mailto:john123-updated at email.cz>, the UID will remain unchanged
>     and will be still "uid=john123,cn=users,dc=example,dc=com"
>
>     Maybe timestamp is useful as well, not sure.
>
>     Marek
>
>     Dne 11.10.2017 v 00:14 Celso Agra napsal(a):
>>     I configured "mail" as "Username LDAP Attribute" and "uid" as
>>     "RDN LDAP Attribute" and set some configs on LDAP Mapper.
>>     but I got an error:
>>
>>         Could not create user: org.keycloak.models.ModelException:
>>         RDN Attribute [uid] is not filled. Filled attributes:
>>         {mail=[], cn=[ ], sn=[ ], createTimestamp=[], modifyTimestamp=[]}
>>
>>
>>     maybe, change username could be a bad practice. Could be better
>>     if I set a special number on username, such as timestamp. This
>>     could solve my issue
>>
>>     Thanks Marek
>>
>>     2017-10-10 9:08 GMT-03:00 Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>>:
>>
>>         Thanks.
>>
>>         I see it probably doesn't work as you have email as username
>>         and "uid" is used as both username attribute and RDN
>>         attribute. When you're changing email of user in Keycloak, it
>>         is trying to change "uid" in LDAP, but that's not allowed.
>>
>>         I can imagine that things might work if you configure "mail"
>>         as "Username LDAP Attribute" and "uid" as "RDN LDAP
>>         Attribute", but you probably need to do some tricks with
>>         mappers and maybe implement your own LDAP mapper. If you
>>         don't manage to have this working, feel free to create JIRA.
>>
>>         Marek
>>
>>
>>
>>         On 09/10/17 18:54, Celso Agra wrote:
>>>         Thanks for your answer, Marek!
>>>
>>>         Here is some of my configs. In addition, I put the same
>>>         values to username and e-mail.
>>>
>>>         Here is my User Representation:
>>>
>>>             UserRepresentation user = new UserRepresentation();
>>>             user.setUsername(email);
>>>             user.setFirstName(firstName;
>>>             user.setLastName(lastName);
>>>             user.setEnabled(true);
>>>             user.setEmail(email);
>>>
>>>
>>>         Best regards,
>>>
>>>         Celso Agra
>>>
>>>
>>>         2017-10-09 10:37 GMT-03:00 Marek Posolda
>>>         <mposolda at redhat.com <mailto:mposolda at redhat.com>>:
>>>
>>>             We didn't try to test this use-case though. But it may
>>>             work as long as things are configured correctly. Maybe I
>>>             would re-create the LDAP provider with the "Username
>>>             LDAP attribute" be set to "mail", but the "RDN LDAP
>>>             Attribute" to "uid" . Is this the configuration you're
>>>             using?
>>>
>>>             If things still doesn't work, you can possibly create
>>>             JIRA . Ideally with the details of the configuration of
>>>             your LDAP provider, realm (whether 'username as email'
>>>             is enabled etc) and how LDAP users looks like and how
>>>             you expect them to look like after.
>>>
>>>             Regards,
>>>             Marek
>>>
>>>
>>>             On 04/10/17 15:45, Celso Agra wrote:
>>>
>>>                 Hi all,
>>>
>>>                 I'm getting a strange behavior.
>>>
>>>                 My LDAP (openldap) is configured as writable in my
>>>                 User Federation. So, I
>>>                 can create user from my Keycloak, but when I change
>>>                 the username, the user
>>>                 disappear from my user's list.
>>>
>>>                 I check the LDAP and the user still there, with the
>>>                 'old' username. So, is
>>>                 there some way to change the username without
>>>                 disappear from the keycloak
>>>                 user's list?
>>>
>>>                 This occurs because in my case, username as the same
>>>                 of email. So, If the
>>>                 user changes email, I have to change the username also.
>>>
>>>                 I'm using version 3.0.0.Final
>>>
>>>
>>>                 Best regards
>>>
>>>
>>>
>>>
>>>
>>>
>>>         -- 
>>>         ---
>>>         *Celso Agra*
>>
>>
>>
>>
>>
>>     -- 
>>     ---
>>     *Celso Agra*
>
>

More information about the keycloak-user mailing list