[keycloak-user] [keycloak-dev] How to add custom LDAP attribute mapper

Jan Lieskovsky jlieskov at redhat.com
Wed Sep 4 06:06:29 EDT 2019


Hey Shiva,

On Wed, Sep 4, 2019 at 10:01 AM Shiva Prasad Thagadur Prakash <
shivaprasadtp8 at gmail.com> wrote:

> Hi Guys,
> Any suggestions on this? Eagerly waiting for your reply.
>
> Thanks,
> Shiva
>
> On Mon, Sep 2, 2019 at 12:15 PM Shiva Prasad Thagadur Prakash <
> shivaprasadtp8 at gmail.com> wrote:
>
> > Hi Guys,
> > I want to add a custom LDAP user attribute mapper to Keycloak. How can I
> > do this?
>

You would do as usual:

   - Add a new LDAP federation provider first (User Federation -> Add
   Provider, choose 'ldap' & set up / provide the necessary bits (Vendor,
   Connection URL, ..., click 'Save' once done), then click the 'Mappers' tab,
   click 'Create', give it a name & choose 'user-attribute-ldap-mapper',
   specify the name of the attribute you want to be stored in the Keycloak DB in
   the 'User Model Attribute' field, and specify the name of the attribute as
   it already exists in LDAP in the 'LDAP Attribute' field. Customize / set up
   the other options ('Read Only', 'Always Read Value from LDAP', ... as
   needed), then click 'Save'.

Yet, it should be verified that there isn't already an existing
'user-attribute-ldap-mapper' mapping the same attribute but having
different settings, so that the two wouldn't conflict.


>
> > Actually I wanted to have an LDAP attribute mapper which would have some
> > initial value hardcoded for an LDAP attribute but the attribute value can
> > be edited/changed later.
>

The name of the user attribute to map from LDAP to Keycloak would be
hardcoded initially, but it might change later?

If that's the case, once the name of the LDAP attribute changed, you would
either:

   - Go to the admin console and perform User Federation ->
   previously_created_provider_name -> Mappers tab -> choose the custom user
   attribute mapper created before, change the respective field (LDAP
   attribute, or even User Model attribute if needed), and click 'Save' again
   - Or this can be (AFAICT) performed also in a programmatic way using the
   REST API (get the realm in question, get its mappers, then update the
   mapper with the new 'User Model attribute' value). See the available REST
   API methods if interested in pursuing this way.

Though if you are searching for some "inotify"-based functionality (IOW, for
the mapper itself to realize that the name of the attribute changed in LDAP,
and to have some automated way of updating itself based on the changed
attribute name -- from the original name to the updated one), I am not
aware of a way how this could be achieved. But maybe others can suggest
an approach...

HTH


> >
> > Thanks,
> > Shiva
> >
>

Regards, Jan
--
Jan iankko Lieskovsky


> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
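The procedure Jan describes above, as an added example that is not code from the thread or from the Keycloak project: build a 'user-attribute-ldap-mapper' component representation with the same fields the admin console form exposes, check it against the mappers already attached to the LDAP provider for the conflict Jan warns about, and create or later re-point it through the admin REST API (Keycloak's `/admin/realms/{realm}/components` endpoints). The config keys and provider identifiers are Keycloak's own; the server URL, realm, credentials, the provider id `ldap-1` and the `EXISTING_MAPPERS` list are assumptions constructed for the example. Only the standard library is used.

```python
"""Create, conflict-check and update a Keycloak user-attribute LDAP mapper
over the admin REST API (stdlib only; server details are assumed)."""
import json
import urllib.parse
import urllib.request

# providerType shared by all LDAP mapper components, and this mapper's providerId
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
USER_ATTR_MAPPER = "user-attribute-ldap-mapper"


def build_user_attribute_mapper(name, ldap_provider_id, user_model_attribute,
                                ldap_attribute, read_only=True,
                                always_read_from_ldap=True, mandatory=False):
    """Component representation matching the admin console mapper form.
    The components endpoint expects every config value as a list of strings."""
    return {
        "name": name,
        "providerId": USER_ATTR_MAPPER,
        "providerType": LDAP_MAPPER_TYPE,
        "parentId": ldap_provider_id,  # id of the LDAP federation provider component
        "config": {
            "user.model.attribute": [user_model_attribute],
            "ldap.attribute": [ldap_attribute],
            # read-only keeps edits made in Keycloak from being written back to LDAP
            "read.only": [str(read_only).lower()],
            "always.read.value.from.ldap": [str(always_read_from_ldap).lower()],
            "is.mandatory.in.ldap": [str(mandatory).lower()],
        },
    }


def _cfg(component, key):
    return component.get("config", {}).get(key, [None])[0]


def find_conflicting_mappers(existing, candidate):
    """Existing user-attribute mappers that target the same LDAP attribute or the
    same user-model attribute as `candidate` but are configured differently."""
    conflicts = []
    for comp in existing:
        if comp.get("providerId") != USER_ATTR_MAPPER:
            continue
        same_target = (_cfg(comp, "ldap.attribute") == _cfg(candidate, "ldap.attribute")
                       or _cfg(comp, "user.model.attribute") == _cfg(candidate, "user.model.attribute"))
        if same_target and comp["config"] != candidate["config"]:
            conflicts.append(comp)
    return conflicts


def retarget_ldap_attribute(mapper, new_ldap_attribute):
    """Deep copy of an existing mapper (id/parentId kept) pointing at a renamed
    LDAP attribute; PUT the result to apply the change."""
    updated = json.loads(json.dumps(mapper))
    updated["config"]["ldap.attribute"] = [new_ldap_attribute]
    return updated


class KeycloakAdmin:
    """Minimal admin REST client. `base` includes the context path, e.g.
    https://kc.example.com/auth on Keycloak releases of this era (assumed host)."""

    def __init__(self, base, realm, username, password):
        self.base, self.realm, self.token = base.rstrip("/"), realm, None
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        tok = self._send("POST", f"{self.base}/realms/master/protocol/openid-connect/token",
                         form, {"Content-Type": "application/x-www-form-urlencoded"})
        self.token = tok["access_token"]

    def _send(self, method, url, body=None, headers=None):
        hdrs = {"Accept": "application/json", **(headers or {})}
        if self.token:
            hdrs["Authorization"] = f"Bearer {self.token}"
        req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else None  # POST/PUT return an empty body

    def _json(self, method, path, payload):
        return self._send(method, f"{self.base}/admin/realms/{self.realm}{path}",
                          json.dumps(payload).encode(), {"Content-Type": "application/json"})

    def list_mappers(self, ldap_provider_id):
        q = urllib.parse.urlencode({"parent": ldap_provider_id, "type": LDAP_MAPPER_TYPE})
        return self._send("GET", f"{self.base}/admin/realms/{self.realm}/components?{q}")

    def create_mapper(self, mapper):
        return self._json("POST", "/components", mapper)

    def update_mapper(self, mapper):
        return self._json("PUT", f"/components/{mapper['id']}", mapper)


# Constructed sample of what list_mappers() might return for provider "ldap-1".
EXISTING_MAPPERS = [
    {"id": "m1", "name": "email", "providerId": USER_ATTR_MAPPER, "providerType": LDAP_MAPPER_TYPE,
     "parentId": "ldap-1", "config": {"user.model.attribute": ["email"], "ldap.attribute": ["mail"],
                                      "read.only": ["true"], "always.read.value.from.ldap": ["false"],
                                      "is.mandatory.in.ldap": ["false"]}},
    {"id": "m2", "name": "employee-id", "providerId": USER_ATTR_MAPPER, "providerType": LDAP_MAPPER_TYPE,
     "parentId": "ldap-1", "config": {"user.model.attribute": ["employeeId"],
                                      "ldap.attribute": ["employeeNumber"], "read.only": ["false"],
                                      "always.read.value.from.ldap": ["true"],
                                      "is.mandatory.in.ldap": ["false"]}},
]

if __name__ == "__main__":
    wanted = build_user_attribute_mapper("employee-id", "ldap-1", "employeeId", "employeeNumber")
    for c in find_conflicting_mappers(EXISTING_MAPPERS, wanted):
        print(f"conflict: mapper {c['id']} ({c['name']}) already maps this attribute differently")
    # Live use (assumed server): kc = KeycloakAdmin("https://kc.example.com/auth", "demo", "admin", "...")
    # existing = kc.list_mappers("ldap-1"); kc.create_mapper(wanted); kc.update_mapper(retarget_ldap_attribute(existing[0], "employeeID"))
```

Run the conflict check before the POST: Keycloak will happily create a second mapper for the same attribute, and the `read.only` difference in the sample is exactly the case to catch, since a writable mapper on a provider in WRITABLE edit mode propagates attribute edits made in Keycloak back to the directory.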

