Keycloak / KEYCLOAK-13397

Creating 'role-ldap-mapper' for 'realm-management' client id in 'ldap' user federation fails

    Details

    • Steps to Reproduce:
      • OpenLDAP started on local system on port 389.
      • Start standalone Keycloak 9.0.0 server
        1) Create realm : dcm4che
        2) Create ldap User Federation (Test Connection and Test Authentication works)
           • Edit Mode : WRITABLE
           • Sync Registrations : ON
           • Vendor : Other
           • Connection URL : ldap://localhost:389
           • Users DN : ou=users,dc=dcm4che,dc=org
           • Bind DN : cn=admin,dc=dcm4che,dc=org
           • Bind Credential : <Ldap-Password>
        3) Create realm-management mapper with
           • Mapper Type : role-ldap-mapper
           • LDAP Roles DN : ou=realm-management,dc=dcm4che,dc=org
           • Use Realm Roles Mapping : OFF
           • Client ID : realm-management
    • Workaround:
      Workaround Exists
    • Workaround Description:

      2 possible workarounds, but none of them is very nice...

      1) Don't use the admin console to create a role-ldap-mapper with mapping to client roles. Use the Admin REST API directly instead, for example through kcadm, the Keycloak Java admin-client, or any other way.

      2) Manually update the KEYCLOAK_SERVER_HOME/themes directory and manually apply the fix from the attached pull request - it is doable as the fix is solely in the admin console UI files.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Creating a role-ldap-mapper for the realm-management client id in an ldap user federation was working up to Keycloak version 8.0.2.

      It fails if Keycloak version 9.0.0 or 9.0.2 is installed, the reason being that client.id is sent as a string instead of an array in the JSON request body.

      On saving the role-ldap-mapper for the realm-management client id, the URL

      http://localhost:8880/auth/admin/realms/dcm4che/components

      has the following request body (version 9.0.0 or 9.0.2):

      {
        "config": {
          "roles.dn": ["ou=realm-management,dc=dcm4che,dc=org"],
          "role.name.ldap.attribute": ["cn"],
          "role.object.classes": ["groupOfNames"],
          "membership.ldap.attribute": ["member"],
          "membership.attribute.type": ["DN"],
          "membership.user.ldap.attribute": ["uid"],
          "roles.ldap.filter": [],
          "mode": ["LDAP_ONLY"],
          "user.roles.retrieve.strategy": ["LOAD_ROLES_BY_MEMBER_ATTRIBUTE"],
          "memberof.ldap.attribute": ["memberOf"],
          "use.realm.roles.mapping": ["false"],
          "client.id": "realm-management"
        },
        "name": "realm-management",
        "providerId": "role-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": "671f342d-62db-47f2-9df2-ef03d8065565"
      }

      whereas in version 8.0.2, for the same URL, the request body is as follows (note that client.id is an array):

      {
        "config": {
          "roles.dn": ["ou=realm-management,dc=dcm4che,dc=org"],
          "role.name.ldap.attribute": ["cn"],
          "role.object.classes": ["groupOfNames"],
          "membership.ldap.attribute": ["member"],
          "membership.attribute.type": ["DN"],
          "membership.user.ldap.attribute": ["uid"],
          "roles.ldap.filter": [],
          "mode": ["LDAP_ONLY"],
          "user.roles.retrieve.strategy": ["LOAD_ROLES_BY_MEMBER_ATTRIBUTE"],
          "memberof.ldap.attribute": ["memberOf"],
          "use.realm.roles.mapping": ["false"],
          "client.id": ["realm-management"]
        },
        "name": "realm-management",
        "providerId": "role-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": "36d37604-7d39-49b8-9353-f6851f669340"
      }
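      The well-formed component body the REST API expects (workaround 1), plus a check that flags the string-valued client.id the 9.0.x console sends, as an added example that is not Keycloak project code. It assumes parent_id is the id of the LDAP provider component, and that base_url (e.g. http://localhost:8880/auth) and an admin access token are obtained separately.

```python
import json
import urllib.request

def build_role_ldap_mapper(parent_id, client_id, roles_dn):
    """ComponentRepresentation for a role-ldap-mapper bound to a client's roles.
    Component config is a multivalued map: every value, client.id included,
    must be a list of strings (the shape the 8.0.2 console sent)."""
    config = {
        "roles.dn": [roles_dn],
        "role.name.ldap.attribute": ["cn"],
        "role.object.classes": ["groupOfNames"],
        "membership.ldap.attribute": ["member"],
        "membership.attribute.type": ["DN"],
        "membership.user.ldap.attribute": ["uid"],
        "roles.ldap.filter": [],
        "mode": ["LDAP_ONLY"],
        "user.roles.retrieve.strategy": ["LOAD_ROLES_BY_MEMBER_ATTRIBUTE"],
        "memberof.ldap.attribute": ["memberOf"],
        "use.realm.roles.mapping": ["false"],
        "client.id": [client_id],
    }
    return {"name": client_id, "providerId": "role-ldap-mapper",
            "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
            "parentId": parent_id, "config": config}

def scalar_config_keys(component):
    """Config keys carrying a bare string instead of a list, i.e. what the
    9.0.x console produced for client.id. Empty means the body is well-formed."""
    return sorted(k for k, v in component["config"].items() if not isinstance(v, list))

def normalize_config(component):
    """Wrap every scalar config value in a one-element list (in place) so a body
    captured from the buggy console can be replayed against the REST API."""
    cfg = component["config"]
    for key, value in cfg.items():
        if not isinstance(value, list):
            cfg[key] = [value]
    return component

def post_component(base_url, realm, token, component):
    """Workaround 1: POST the mapper to /admin/realms/{realm}/components.
    base_url is the server root (assumed); token is an admin access token (assumed)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created when Keycloak accepts the mapper
```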

                People

                • Assignee: mposolda Marek Posolda
                • Reporter: vrinda.nayak Vrinda Nayak