Keycloak cannot propagate group membership from LDAP to the user's group mapping



I am trying to set up user federation from an LDAP server into Keycloak. I managed to import all the users and groups from the LDAP server separately; however, the user's groups (the Groups tab in the Users section) do not show the groups that are actually mapped, even though I can see those users listed in the Members tab of the groups in the Groups section...

I went through all the posts in the Keycloak forum, the Jira tickets and the mailing list, and I did find a ticket that describes exactly the problem I am experiencing now (https://lists.jboss.org/pipermail/keycloak-user/2018-February/013076.html), which Marek also answered; however, I still cannot work out which configuration I have set up wrong from the information given in that post alone.

Could anyone help me? Thanks!

[Screenshot: user groups]

[Screenshot: user configuration]

[Screenshot: group mapper configuration]

Thanks,

Chance

The problem seems to lie with the LDAP server. The issue only occurs when I import users from the FreeIPA DB. When I federate to an AD server instead, the users' group information simply comes along with the users, without any extra changes!

Below is the configuration I used in the successful case. I hope it helps others who run into a similar problem. Thanks everyone for your attention.

[User Federation Provider Settings]
Enabled: ON (Default)
Console Display Name : <Name whatever you like>
Priority: 0 (Default)
Import Users : ON (Default)
Edit Mode : READ_ONLY 
Sync Registrations : OFF (Default)
Vendor : Active Directory  (This is important. Once I switch to AD, instead of FreeIPA, the issue is gone)
Username LDAP attribute: sAMAccountName
RDN LDAP attribute : cn
UUID LDAP attribute : objectGUID
User Object Classes : person, organizationalPerson, user   (You should check which object classes the server is currently configured with and adjust accordingly)
Connection URL :  ldap://<your LDAP server domain name>:389  (If you are using ldaps, the port is 636)
Users DN : <the scope that includes all the users you would like to import, e.g. OU=User,DC=example,DC=com>
Bind Type: simple
Enable StartTLS: OFF (Default)
Bind DN: <The account has permission to search within LDAP tree>
Bind Credential: <The password for above account>
Custom User LDAP Filter: <You can leave it blank if you don't want to filter. However, if you would like to filter something, for example, users from a specific group, you can run a filter such as (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=<groupName>,OU=<groupOU>,DC=example,DC=com))    >
Search Scope: Subtree  (If the users are all one level under the Users DN, you can choose the "One level" option)
Validate Password Policy: OFF (Default)
Trust Email: OFF (Default)
Use Truststore SPI: Only for ldaps
Connection Pooling: On 

Leave the remaining settings blank.

You also need to configure a group LDAP mapper:

[Group Mapper]
Name: <Whatever name you like>
Mapper Type: group-ldap-mapper
LDAP Groups DN : <Where are the groups of this tree saved. For example, OU=Group,DC=example,DC=com>
Group Name LDAP Attribute : cn
Group Object Classes : group
Preserve Group Inheritance: ON
Ignore Missing Groups: OFF (Default)
Membership LDAP Attribute : member
Membership Attribute Type: DN
Membership User LDAP Attribute: sAMAccountName
LDAP Filter : <You can leave it blank if you don't want to filter any group>
Mode: READ_ONLY
User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
Member-Of LDAP Attribute: memberOf
Mapped Group Attributes: <You can leave it blank>
Drop non-existing groups during sync: ON
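The settings above only work when the group mapper's object class, membership attribute and membership attribute type match what the directory actually stores, which is the mechanism behind the symptom in the question (groups visible, but empty per-user group tabs). The following Python script is an added example, not Keycloak's own code: it is a simplified model of how a group-ldap-mapper using LOAD_GROUPS_BY_MEMBER_ATTRIBUTE resolves a user's groups. The directory entries are constructed sample data, the AD_CONFIG values are taken from the answer, and POSIX_CONFIG and MISMATCHED_CONFIG are hypothetical settings used only to show a matching and a non-matching configuration.

```python
"""Simplified model (not Keycloak's code) of a group-ldap-mapper resolving
a user's groups from the group entries' membership attribute.
Maps the answer's settings: LDAP Groups DN, Group Object Classes,
Membership LDAP Attribute, Membership Attribute Type (DN/UID) and
Membership User LDAP Attribute. All directory data below is constructed."""
from dataclasses import dataclass

# Constructed sample directory: DN -> attribute -> list of values.
DIRECTORY = {
    "CN=alice,OU=User,DC=example,DC=com": {
        "objectClass": ["person", "organizationalPerson", "user"],
        "sAMAccountName": ["alice"],
    },
    "CN=bob,OU=User,DC=example,DC=com": {
        "objectClass": ["person", "organizationalPerson", "user"],
        "sAMAccountName": ["bob"],
        "uid": ["bob"],
    },
    # AD-style group: objectClass 'group', members stored as full DNs.
    "CN=admins,OU=Group,DC=example,DC=com": {
        "objectClass": ["group"],
        "cn": ["admins"],
        "member": ["cn=alice,ou=user,dc=example,dc=com",
                   "CN=bob,OU=User,DC=example,DC=com"],
    },
    # POSIX-style group: members stored as uid values, not DNs.
    "CN=devs,OU=Group,DC=example,DC=com": {
        "objectClass": ["posixGroup"],
        "cn": ["devs"],
        "memberUid": ["bob"],
    },
}


@dataclass(frozen=True)
class GroupMapperConfig:
    groups_dn: str
    group_object_classes: frozenset
    membership_ldap_attribute: str
    membership_attribute_type: str      # "DN" or "UID"
    membership_user_ldap_attribute: str


def normalize_dn(dn):
    """DN comparison is case-insensitive and ignores spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_entries(cfg, directory=DIRECTORY):
    """Entries below LDAP Groups DN whose objectClass matches the mapper."""
    wanted = {oc.lower() for oc in cfg.group_object_classes}
    suffix = "," + normalize_dn(cfg.groups_dn)
    for dn, entry in directory.items():
        classes = {oc.lower() for oc in entry.get("objectClass", [])}
        if normalize_dn(dn).endswith(suffix) and classes & wanted:
            yield dn, entry


def groups_for_user(cfg, user_dn, directory=DIRECTORY):
    """Sorted group names the user belongs to under this mapper config."""
    user = directory[user_dn]
    found = []
    for _, group in group_entries(cfg, directory):
        members = group.get(cfg.membership_ldap_attribute, [])
        if cfg.membership_attribute_type == "DN":
            hit = normalize_dn(user_dn) in {normalize_dn(m) for m in members}
        else:  # UID mode: compare the user's own attribute value
            ids = set(user.get(cfg.membership_user_ldap_attribute, []))
            hit = bool(ids & set(members))
        if hit:
            found.append(group["cn"][0])
    return sorted(found)


def diagnose(cfg, directory=DIRECTORY):
    """Groups that match the object class but carry no membership attribute:
    the usual sign that the attribute/type does not fit this server."""
    matched = list(group_entries(cfg, directory))
    empty = [dn for dn, g in matched if not g.get(cfg.membership_ldap_attribute)]
    return {"groups_matched": len(matched), "without_membership_attr": empty}


# Values from the answer's successful Active Directory case.
AD_CONFIG = GroupMapperConfig("OU=Group,DC=example,DC=com", frozenset({"group"}),
                              "member", "DN", "sAMAccountName")
# Hypothetical mapper for a server that lists members by uid (assumption).
POSIX_CONFIG = GroupMapperConfig("OU=Group,DC=example,DC=com", frozenset({"posixGroup"}),
                                 "memberUid", "UID", "uid")
# Hypothetical mismatch: DN-style membership pointed at uid-style groups.
MISMATCHED_CONFIG = GroupMapperConfig("OU=Group,DC=example,DC=com", frozenset({"posixGroup"}),
                                      "member", "DN", "sAMAccountName")

if __name__ == "__main__":
    bob = "CN=bob,OU=User,DC=example,DC=com"
    print("AD config:", groups_for_user(AD_CONFIG, bob))
    print("POSIX config:", groups_for_user(POSIX_CONFIG, bob))
    print("mismatched:", groups_for_user(MISMATCHED_CONFIG, bob), diagnose(MISMATCHED_CONFIG))
```

Running the script shows bob in "admins" under the AD settings and in "devs" under the uid-style settings, while the mismatched mapper finds the group but no members, and diagnose() names the group whose configured membership attribute is empty. Pointing the same check at a real server (for example by loading an ldapsearch export into DIRECTORY) is a quick way to see which attribute a vendor actually uses before changing the mapper.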
