Univention Bugzilla – Bug 55366
Keycloak-App LDAP User Federation mapper for firstname and email need adjustment
Last modified: 2022-11-25 15:31:22 CET
Currently it seems that the Keycloak App is using the default LDAP Storage provider's mappers. At least the following ones do not fit UCS and should be replaced / fixed:
- email
- firstname

Replace them with mappers that you can find here: https://git.knut.univention.de/univention/customers/dataport/custom/bmiux-hetzner-upgrade-automation/-/tree/master/res.keycloak
- storageprovider_ucsldap_mapper_email.json
- storageprovider_ucsldap_mapper_firstname.json

Please have a look at the other mappers there as well, at least _uid and _entryuuid could be useful in default setups as well.
Regarding entryUUID: Keycloak uses the name "LDAP_ID" by default in its user model, see https://www.keycloak.org/docs/latest/server_admin/#_read_only_user_attributes , and the UCS Keycloak-App has the User Federation configured to read entryUUID into that, see https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/files/univention-keycloak#L1432

Regarding uid: We already map LDAP `uid` to Keycloak `uid`, see https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/files/univention-keycloak#L1456

So this bug report is about
* firstname (which currently is mapped from LDAP `cn`)
* email (which currently is mapped from LDAP `mail`)

Now, I understand that LDAP `mail` is just informative (e.g. for address books) and `mailPrimaryAddress` is the functional attribute and that may be what you actually want. But then you may need to also consider how to map `mailAlternativeAddress`.
* Is it a hard requirement to map LDAP:`mailPrimaryAddress` to Keycloak:`email`?
* What do you want to achieve exactly?
Ok, let's skip the _uid / _entryuuid mappers, as they are there already.

email: Some components want an email claim in e.g. their OIDC token. To ensure the email address is set, my understanding of UCS is that you would enforce 'mailPrimaryAddress' to be mandatory on user creation. It'll be queried for in the user create wizard. This attribute is also the main mail attribute for the UCS mail stack and can be used for user account identification in the UI (e.g. logging in or resetting password). So from my perspective it would make much more sense to map this attribute for the user's email address rather than the LDAP `mail`. Of course there could be use cases requiring the mapping of `mail` or even `mailAlternativeAddress`, but these still could be customized in Keycloak. On the other hand: Feel free to have these also mapped by default.

firstname: This should be mapped to `givenName` instead of `cn`, correct?
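The two mappings discussed in this bug, written out as an added example (not code from the Keycloak App or from the linked res.keycloak files): it builds the Keycloak `user-attribute-ldap-mapper` component representations for the default (`cn`, `mail`) and the proposed UCS (`givenName`, `mailPrimaryAddress`) mappings and simulates what each would import from a constructed UCS user entry. The config keys follow Keycloak's LDAP mapper representation; the parent provider id and the sample entry values are assumptions.

```python
import json

LDAP_PROVIDER_ID = "<ldap-provider-component-id>"  # placeholder, not a real id

def user_attribute_mapper(name, ldap_attribute, model_attribute, mandatory=False):
    """Keycloak component representation of a user-attribute-ldap-mapper."""
    return {
        "name": name,
        "providerId": "user-attribute-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": LDAP_PROVIDER_ID,
        "config": {  # Keycloak stores every config value as a list of strings
            "ldap.attribute": [ldap_attribute],
            "user.model.attribute": [model_attribute],
            "read.only": ["true"],
            "always.read.value.from.ldap": ["true"],
            "is.mandatory.in.ldap": [str(mandatory).lower()],
        },
    }

# What the default LDAP storage provider creates (the mappings this bug objects to)
DEFAULT_MAPPERS = [user_attribute_mapper("first name", "cn", "firstName", True),
                   user_attribute_mapper("email", "mail", "email")]
# The UCS-specific replacements proposed in the bug
UCS_MAPPERS = [user_attribute_mapper("first name", "givenName", "firstName", True),
               user_attribute_mapper("email", "mailPrimaryAddress", "email")]

# Constructed entry in the shape UCS writes for a user object (assumed values)
SAMPLE_ENTRY = {
    "uid": ["jdoe"], "cn": ["Jane Doe"], "givenName": ["Jane"],
    "mail": ["jane@addressbook.example"],
    "mailPrimaryAddress": ["jane.doe@example.com"],
}

def apply_mappers(mappers, entry):
    """Simulate the import: return the Keycloak user attributes the mappers yield."""
    result = {}
    for m in mappers:
        cfg = m["config"]
        values = entry.get(cfg["ldap.attribute"][0], [])
        if not values and cfg["is.mandatory.in.ldap"] == ["true"]:
            raise ValueError(f"mandatory LDAP attribute {cfg['ldap.attribute'][0]} missing")
        result[cfg["user.model.attribute"][0]] = values[0] if values else None
    return result

if __name__ == "__main__":
    print(json.dumps(UCS_MAPPERS, indent=2))
    print("default mappers:", apply_mappers(DEFAULT_MAPPERS, SAMPLE_ENTRY))
    print("UCS mappers:    ", apply_mappers(UCS_MAPPERS, SAMPLE_ENTRY))
```

With the default mappers `firstName` becomes the full `cn` ("Jane Doe") and `email` the informative `mail` value; with the UCS mappers `email` is `None` for a user without `mailPrimaryAddress`, which is why the bug ties the mapping to making that attribute mandatory on user creation.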