[keycloak-user] Keycloak 6.0.1 "UUID LDAP attribute" property processed correctly only with "ObjectGUID" value.

Алина Александровна Громова abychkova_box at mail.ru
Wed Jul 10 02:33:26 EDT 2019


Hi,
I have User Federation to connect with our Azure AD through LDAP. When I have the default value ‘objectGUID’ for the UUID LDAP attribute property, it is processed correctly and in the LDAP_ID user attribute I can see the correct UUID format.
Though, if the user UUID is provided not in ‘objectGUID’ but in the ‘msDS-AzureADObjectId’ LDAP attribute, it doesn’t work. In this case, when I set ‘msDS-AzureADObjectId’ as the value of the UUID LDAP attribute property, I get an incorrect string value in LDAP_ID.
It looks like KC can correctly process the UUID only if it comes in the ‘objectGUID’ attribute. In other cases, we get an incorrect result.
 
So, the problem is in org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675, where KC has a hardcoded action for the ‘objectGUID’ value and other fields are processed as plain strings. Also, ‘objectGUID’ always comes from LDAP as a binary field but ‘msDS-AzureADObjectId’ doesn't, and I need to create a user-attribute-ldap-mapper to mark this attribute as binary.
 
The way I fixed it locally:
*  create a user-attribute-ldap-mapper for the ‘msDS-AzureADObjectId’ LDAP attribute and mark this attribute as binary.
*  set the UUID LDAP attribute property to ‘msDS-AzureADObjectId’
*  fix the condition at org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675 to

    if (this.config.isActiveDirectory() && entryUUID instanceof byte[])
 
Is it a bug and can we expect a fix in future versions of KC?
-------
Regards
Alina Gromova
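The post describes two ways the same 16-byte identifier can arrive from the directory: as a binary value that gets decoded into a UUID string, or as an attribute that is handed over as text and stored verbatim. The following Python script is an added illustration of that difference, not code from the post or from Keycloak. It assumes a constructed LDIF-style entry and assumes, only for the sake of the example, that ‘msDS-AzureADObjectId’ carries the same 16-byte GUID layout as ‘objectGUID’ (first three fields little-endian, the order Windows tools display). The `looks_like_uuid` check is a hypothetical helper for verifying what ended up in LDAP_ID after a federation sync.

```python
import base64
import uuid

# Constructed sample: 16 raw bytes as Active Directory returns objectGUID
# (Microsoft GUID layout: the first three fields are little-endian).
RAW_GUID = bytes.fromhex("78563412341278569abcdef012345678")

# Constructed LDIF-style entry as ldapsearch prints it: "::" marks a
# base64-encoded (binary) value, a single ":" marks a plain string value.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice,OU=Users,DC=example,DC=com",
    "sAMAccountName: alice",
    "objectGUID:: " + base64.b64encode(RAW_GUID).decode("ascii"),
    # Same bytes under the attribute name from the post; that AD stores it in
    # this layout is an assumption made for this example only.
    "msDS-AzureADObjectId:: " + base64.b64encode(RAW_GUID).decode("ascii"),
])


def parse_ldif_entry(text: str) -> dict:
    """Parse one single-valued LDIF entry into {attribute: value}.
    '::' values are base64-decoded to bytes, ':' values are kept as str."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            name, b64 = line.split(":: ", 1)
            entry[name] = base64.b64decode(b64)
        elif ": " in line:
            name, value = line.split(": ", 1)
            entry[name] = value
    return entry


def decode_guid_bytes(raw: bytes) -> str:
    """Turn 16 raw GUID bytes into the canonical string.
    bytes_le applies the Microsoft mixed-endian layout."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def as_plain_string(raw: bytes) -> str:
    """What the same value looks like when the bytes are handed over as text
    instead of binary: a lossy decode, nothing like a UUID."""
    return raw.decode("utf-8", errors="replace")


def looks_like_uuid(value: str) -> bool:
    """Hypothetical sanity check for a stored LDAP_ID: does it parse as a UUID?"""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for attr in ("objectGUID", "msDS-AzureADObjectId"):
        decoded = decode_guid_bytes(entry[attr])
        print(f"{attr} as binary -> {decoded} (uuid? {looks_like_uuid(decoded)})")
    garbled = as_plain_string(RAW_GUID)
    print(f"same bytes as text -> {garbled!r} (uuid? {looks_like_uuid(garbled)})")
```

Running it shows both attributes decoding to the same UUID when treated as binary, while the text interpretation yields an unparseable string, which is the kind of value the post reports seeing in LDAP_ID before marking the attribute as binary.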

