Keycloak / KEYCLOAK-12934

"LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" user roles retrieve strategy role-ldap-mapper option should only be displayed if LDAP provider vendor is Active Directory

    Details

    • Steps to Reproduce:

      How Reproducible:
      Always

      Steps to Reproduce:
      1) Start the embedded LDAP server for the test
      2) Configure the LDAP federation provider (see attached provider_config.png for details)
      3) Sync all users to Keycloak
      4) Configure role-ldap-mapper for the provider (see attached role_ldap_mapper_config.png for details)
      5) Sync LDAP roles to Keycloak
      6) Log in to the account console as one of the federated user accounts (the bwilson account was used during testing)

      Current result:
      The "We are sorry... An internal server error has occurred" page is displayed and a javax.naming.NamingException is thrown in the server log after the user's login, regardless of the specified LDAP vendor.

      Expected result:
      The option should be offered solely with Microsoft Active Directory as the LDAP vendor (and user login should succeed in that case); it should not be displayed for other LDAP vendors.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Per Marek Posolda, the "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" user roles retrieve strategy is available only when the LDAP federation provider vendor is Microsoft Active Directory.

      Attempting to use this option with another LDAP federation vendor leads to a javax.naming.NamingException upon each login of a federated LDAP user (see the attached v8.0.2-load-roles-by-member-attribute-recursively-server-error-log.txt file for the exact error message).

      Per the discussion with Marek Posolda, the "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" LDAP roles retrieve strategy should be disabled (not offered / hidden) if the vendor is not Microsoft Active Directory.

              People

              • Assignee:
                mposolda Marek Posolda
                Reporter:
                iankko Ján Lieskovský