We have keycloak 26.4.6 running with an ldap directory as user federation for authentication using the username (uid) from ldap and getting email, first and last name from the directory. Keycloak only reads the ldap and cannot write changes into the ldap. Keycloak should use the current email address from ldap at any time (in case it ever changes).
Someone has put a mixed case email address into ldap, e.g. [email protected]. When this person logs in, after entering username and password and being successfully authenticated by ldap, keycloak shows the "Update Account Information" page.
The page has three fields (which we have set required for the user profile): Email, First name, and Last name. All three fields are prefilled with the values from ldap including the mixed case mail address. All values are greyed out and cannot be modified.
When pressing the submit button it'll just take the user back to the same page.
As far as I understand this is because we have enabled "Import Users" for the ldap user federation and set "Always Read Value From LDAP" in the Email mapper (as we want to use the current mail address in ldap at any time and don't want people to set a different mail address in keycloak but rather change it only in ldap).
If I understand correctly, Keycloak imports the email address into the database but converts it to lowercase. When the user logs in keycloak gets the mixed case mail address from ldap and doesn't find the matching account because keycloak compares the mail address case-sensitive.
I have tried to disable "Import Users" but it did not help. The user still ends up in the "Update Account Information" loop.
I have tried a couple of other things but did not get what I wanted.
What would be the correct set up for my scenario: an LDAP directory as source of information which the user cannot overwrite in the user's keycloak account?
In other words: either keycloak should always use the ldap attributes at any time or if it has to go through the keycloak database: data is always (or frequently) checked and updated against ldap. Is it possible? Or do I have to enable periodic sync to get something close?
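Added example (not code from the Keycloak project or from the original post): a small diagnostic that emulates the situation described above. It takes a user as Keycloak imported it (email lowercased), the same user's live LDAP entry (mixed-case `mail`), and an export of the LDAP mappers, and reports per attribute whether the stored and LDAP-side values match exactly, differ only in case, or really differ. The component JSON is a constructed stand-in for what `kcadm.sh get components -r <realm>` returns for `user-attribute-ldap-mapper` components; the config keys `ldap.attribute`, `user.model.attribute`, `read.only` and `always.read.value.from.ldap`, and the set of attributes Keycloak lowercases, are assumptions taken from the post's own description rather than facts stated on the page.

```python
"""Added example, not code from the Keycloak project or the original post.

Emulates the situation the post describes: Keycloak imported the user with
a lowercased email, the LDAP entry carries a mixed-case email, and the email
mapper has "Always Read Value From LDAP" set. audit_mappers() summarises a
mapper export; diff_user() flags attributes whose stored and LDAP values
differ only in case while the mapper is configured to always read from LDAP.

Assumptions (not stated on the page): the component JSON is a constructed
stand-in for `kcadm.sh get components -r <realm>` output, and the config keys
'ldap.attribute', 'user.model.attribute', 'read.only' and
'always.read.value.from.ldap' are the ones those mappers use.
"""
import json

# Constructed sample export: email mapper with "Always Read Value From LDAP",
# first-name mapper without it.
SAMPLE_COMPONENTS = json.loads("""
[
  {"id": "c1", "name": "email", "providerId": "user-attribute-ldap-mapper",
   "config": {"ldap.attribute": ["mail"], "user.model.attribute": ["email"],
              "read.only": ["true"], "always.read.value.from.ldap": ["true"]}},
  {"id": "c2", "name": "first name", "providerId": "user-attribute-ldap-mapper",
   "config": {"ldap.attribute": ["givenName"], "user.model.attribute": ["firstName"],
              "read.only": ["true"], "always.read.value.from.ldap": ["false"]}}
]
""")

# Constructed sample data: what Keycloak stored at import time (email
# lowercased, as the post describes) and what LDAP currently returns.
IMPORTED_USER = {"username": "jdoe", "email": "john.doe@example.org",
                 "firstName": "John"}
LDAP_ENTRY = {"uid": "jdoe", "mail": "John.Doe@Example.org", "givenName": "John"}

# Attributes Keycloak normalises to lower case in its own database
# (assumption, based on the post's description of the import behaviour).
LOWERCASED_ATTRS = {"username", "email"}


def _flag(cfg, key):
    """Mapper config values are single-element string lists ("true"/"false")."""
    return cfg.get(key, ["false"])[0].strip().lower() == "true"


def audit_mappers(components):
    """Return {model_attr: {ldap_attr, read_only, always_read_from_ldap}}
    for every user-attribute mapper in a components export."""
    result = {}
    for comp in components:
        if comp.get("providerId") != "user-attribute-ldap-mapper":
            continue
        cfg = comp["config"]
        result[cfg["user.model.attribute"][0]] = {
            "ldap_attr": cfg["ldap.attribute"][0],
            "read_only": _flag(cfg, "read.only"),
            "always_read_from_ldap": _flag(cfg, "always.read.value.from.ldap"),
        }
    return result


def diff_user(stored, ldap_entry, mappers):
    """Compare the stored Keycloak value with the live LDAP value for each
    mapped attribute. kind is 'same', 'case-only' or 'different'; a
    'case-only' difference on a lowercased attribute whose mapper always
    reads from LDAP is the combination the post reports as looping."""
    report = {}
    for model_attr, m in mappers.items():
        stored_val = stored.get(model_attr)
        ldap_val = ldap_entry.get(m["ldap_attr"])
        if stored_val == ldap_val:
            kind = "same"
        elif (stored_val is not None and ldap_val is not None
              and stored_val.lower() == ldap_val.lower()):
            kind = "case-only"
        else:
            kind = "different"
        report[model_attr] = {
            "stored": stored_val, "ldap": ldap_val, "kind": kind,
            "suspect": (kind == "case-only" and model_attr in LOWERCASED_ATTRS
                        and m["always_read_from_ldap"]),
        }
    return report


if __name__ == "__main__":
    mappers = audit_mappers(SAMPLE_COMPONENTS)
    for attr, row in diff_user(IMPORTED_USER, LDAP_ENTRY, mappers).items():
        mark = "  <-- check this mapper" if row["suspect"] else ""
        print(f"{attr:10} stored={row['stored']!r:26} ldap={row['ldap']!r:26} "
              f"{row['kind']}{mark}")
```

To use it against a real realm, replace `SAMPLE_COMPONENTS` with the parsed output of `kcadm.sh get components -r <realm>` (filtered to the LDAP provider's mappers), `IMPORTED_USER` with the user record from the admin API, and `LDAP_ENTRY` with an `ldapsearch` result for the same uid; any row marked `case-only` with `suspect` set is a user who will hit the mismatch before they ever log in.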