Keycloak issue KEYCLOAK-3083

Support LDAP referrals

    Description

      In replicated LDAP setups it is common for the slave to be read-only: if a write operation is attempted against it, the server answers with a so-called referral (see more here). Simply put, a referral is an instruction to retry the same LDAP operation against a different LDAP URL, which is carried in the response. In a replicated setup this URL points to the master instance, which is read-write.

      Currently, Keycloak cannot use such a slave replica as a federation provider in WRITABLE edit mode. LDAP entries are imported successfully, but further attempts to modify them in the Keycloak admin console show a success message while the actual values are not modified. If Sync Registrations is on, an attempt to create a user results in the following exception:

      javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
      	at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
      	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
      	at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
      	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
      	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
      	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
      	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
      

      LDAP referrals are fully supported by the JNDI LDAP stack; the only thing needed is to set the Context.REFERRAL ("java.naming.referral") environment property to "follow" before creating the InitialLdapContext. org.keycloak.federation.ldap.LDAPConfig already contains some initial support for additional connection properties (currently hardcoded to return null).
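The following Java snippet is an added example, not Keycloak code, showing the property the paragraph refers to. The PartialResultException in the trace above is how JNDI surfaces LDAP result code 10 in its default referral mode ("ignore"); `createUserFollowingReferrals` applies the one-line fix ("follow"), and `createUserWithCheckedReferrals` goes a step further with "throw" mode, because a followed referral context reuses the original environment, bind credentials included, so a defender usually wants to confirm the referral URL points at the expected master over ldaps before JNDI reconnects there. The class name, the `TRUSTED_REFERRAL_HOSTS` entry, the hop limit and the bind parameters are constructed assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

/** Added example (not Keycloak code): writing through a read-only replica that answers with a referral. */
public class ReferralAwareLdapWrite {

    // Constructed example values: the only master a referral may redirect us to, and a loop guard.
    static final Set<String> TRUSTED_REFERRAL_HOSTS = Set.of("ldap-master.foobar.com");
    static final int MAX_REFERRAL_HOPS = 3;

    /** JNDI environment for the replica; referralMode is "ignore" (the default), "follow" or "throw". */
    static Hashtable<String, Object> ldapEnv(String url, String bindDn, String password, String referralMode) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, referralMode); // Context.REFERRAL == "java.naming.referral"
        return env;
    }

    /** Minimal inetOrgPerson entry, as a Sync Registrations write would create. */
    static BasicAttributes userAttributes(String uid) {
        BasicAttributes attrs = new BasicAttributes(true); // ignore attribute-name case
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("inetOrgPerson");
        attrs.put(objectClass);
        attrs.put("uid", uid);
        attrs.put("cn", uid);
        attrs.put("sn", uid);
        return attrs;
    }

    /** The fix from the issue: JNDI re-issues the operation against the referred URL by itself. */
    static void createUserFollowingReferrals(String replicaUrl, String bindDn, String password,
                                             String userDn, String uid) throws NamingException {
        DirContext ctx = new InitialLdapContext(ldapEnv(replicaUrl, bindDn, password, "follow"), null);
        try {
            ctx.createSubcontext(userDn, userAttributes(uid));
        } finally {
            ctx.close();
        }
    }

    /** Stricter variant: "throw" mode, so each referral URL is checked before the credentials travel to it. */
    static void createUserWithCheckedReferrals(String replicaUrl, String bindDn, String password,
                                               String userDn, String uid) throws NamingException {
        DirContext ctx = new InitialLdapContext(ldapEnv(replicaUrl, bindDn, password, "throw"), null);
        BasicAttributes attrs = userAttributes(uid);
        try {
            for (int hop = 0; hop <= MAX_REFERRAL_HOPS; hop++) {
                try {
                    ctx.createSubcontext(userDn, attrs);
                    return; // written on this server (the master, once a referral has been followed)
                } catch (ReferralException e) {
                    // Discard referral URLs we do not trust; skipReferral() returns false when none remain.
                    while (!isTrustedReferral(String.valueOf(e.getReferralInfo()))) {
                        if (!e.skipReferral()) {
                            throw new NamingException("referral for " + userDn + " points only at untrusted servers");
                        }
                    }
                    // The referral context is built from this context's environment, bind credentials included.
                    DirContext next = (DirContext) e.getReferralContext();
                    ctx.close();
                    ctx = next; // the loop re-invokes createSubcontext with the same arguments, as JNDI requires
                }
            }
            throw new NamingException("gave up after " + MAX_REFERRAL_HOPS + " referral hops for " + userDn);
        } finally {
            ctx.close();
        }
    }

    /** Accept only ldaps:// referrals to a known master; malformed URLs are rejected. */
    static boolean isTrustedReferral(String referralUrl) {
        try {
            URI uri = new URI(referralUrl);
            return "ldaps".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && TRUSTED_REFERRAL_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException ex) {
            return false;
        }
    }
}
```

In the Keycloak context the "follow" property is what would be added to the connection properties the issue mentions in `LDAPConfig`; the checked variant is only worth the extra code where the replica is not under the same administrative control as the master, since "follow" reconnects, with the same bind DN and password, to whatever URL the replica returns.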

      People
              Assignee: Unassigned
              Reporter: Dmitry Telegin (dmitry.telegin)