Bug 55366 - Keycloak-App LDAP User Federation mapper for firstname and email need adjustment
Status: ASSIGNED
Product: UCS
Classification: Unclassified
Component: Keycloak
Version: UCS 5.0
Hardware/OS: Other Linux
Importance: P5 normal
Assigned To: Juan Pedro Torres
UCS maintainers
Reported: 2022-10-31 09:11 CET by Thorsten
Modified: 2022-11-25 15:31 CET (History)

What kind of report is it?: Development Internal
Description Thorsten univentionstaff 2022-10-31 09:11:01 CET
Currently it seems that the Keycloak App is using the default LDAP Storage provider's mappers. At least the following ones do not fit UCS and should be replaced / fixed:
- email
- firstname
Replace them with mappers that you can find here:
https://git.knut.univention.de/univention/customers/dataport/custom/bmiux-hetzner-upgrade-automation/-/tree/master/res.keycloak
- storageprovider_ucsldap_mapper_email.json
- storageprovider_ucsldap_mapper_firstname.json
Please have a look at the other mappers there as well, at least _uid and _entryuuid could be useful in default setups as well.
Comment 1 Arvid Requate univentionstaff 2022-11-01 19:53:13 CET
Regarding entryUUID: Keycloak uses the name "LDAP_ID" by default in its user model,
see https://www.keycloak.org/docs/latest/server_admin/#_read_only_user_attributes ,
and the UCS Keycloak-App has the User Federation configured to read entryUUID into that,
see https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/files/univention-keycloak#L1432

Regarding uid: We already map LDAP `uid` to Keycloak `uid`, see
https://git.knut.univention.de/univention/components/keycloak-app/-/blob/main/files/univention-keycloak#L1456

So this bug report is about
* firstname (which currently is mapped from LDAP `cn`)
* email (which currently is mapped from LDAP `mail`)

Now, I understand that LDAP `mail` is just informative (e.g. for address books) and
`mailPrimaryAddress` is the functional attribute and that may be what you actually want.
But then you may need to also consider how to map `mailAlternativeAddress`.
* Is it a hard requirement to map LDAP:`mailPrimaryAddress` to Keycloak:`email`?
* What do you want to achieve exactly?
Comment 2 Thorsten univentionstaff 2022-11-02 07:31:32 CET
Ok, let's skip the _uid / _entryuuid mappers, as they are there already. 

email: Some components want an email claim in e.g. their OIDC token. To ensure the email address is set, my understanding of UCS is that you would enforce 'mailPrimaryAddress' to be mandatory on user creation. It'll be queried for in the user create wizard. This attribute is also the main mail attribute for the UCS mail stack and can be used for user account identification in the UI (e.g. logging in or resetting password). So from my perspective it would make much more sense to map this attribute for the user's email address rather than the LDAP `mail`. Of course there could be use cases requiring the mapping of `mail` or even `mailAlternativeAddress`, but these could still be customized in Keycloak. On the other hand: feel free to have these also mapped by default.

firstname: This should be mapped to `givenName` instead of `cn`, correct?
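The following is an added example, not code from the bug report, the keycloak-app repository or the linked mapper JSON files. It simulates how Keycloak's `user-attribute-ldap-mapper` fills the user model from a UCS LDAP entry, once with the default mappers discussed above (`cn` to `firstName`, `mail` to `email`) and once with the mapping proposed in this bug (`givenName` to `firstName`, `mailPrimaryAddress` to `email`), and it builds the component JSON for the corrected mappers. The sample LDAP entry is constructed data; the mapper names, the "mandatory in LDAP" flags chosen for the UCS mappers and the federation provider id passed as `parent_id` are assumptions, while the `providerId`, `providerType` and `config` keys are the ones Keycloak uses for this mapper type.

```python
"""Simulate Keycloak LDAP attribute mappers against a UCS user entry and
emit the component JSON for the corrected firstName/email mappers.
Added example; not part of the UCS keycloak-app."""
import json

# Real Keycloak identifiers for an LDAP attribute mapper component.
MAPPER_PROVIDER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
MAPPER_PROVIDER_ID = "user-attribute-ldap-mapper"

# (mapper name, LDAP attribute, Keycloak user-model attribute, mandatory in LDAP)
# Default mappers as Keycloak creates them for a generic LDAP provider.
DEFAULT_MAPPERS = [
    ("first name", "cn", "firstName", True),
    ("email", "mail", "email", False),
]
# Mapping proposed in this bug. Assumption: givenName is optional in UCS,
# so it is not marked mandatory; mailPrimaryAddress is left optional too.
UCS_MAPPERS = [
    ("first name", "givenName", "firstName", False),
    ("email", "mailPrimaryAddress", "email", False),
]

# Constructed sample entry: `mail` is unset (informative only in UCS),
# `mailPrimaryAddress` is set, `cn` is the full name, `givenName` the first name.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mailPrimaryAddress": ["jane.doe@example.com"],
    "mailAlternativeAddress": ["jdoe@example.com"],
}


def apply_mappers(ldap_entry, mappers):
    """Mimic the read-only import path: copy each mapped LDAP attribute into
    the Keycloak user model. Values are lists (LDAP is multi-valued); the
    first value is used for single-valued user-model attributes."""
    user = {}
    for _name, ldap_attr, model_attr, mandatory in mappers:
        values = ldap_entry.get(ldap_attr, [])
        if not values:
            if mandatory:
                raise ValueError(f"mandatory LDAP attribute {ldap_attr} missing")
            continue
        user[model_attr] = values[0]
    return user


def default_user():
    """User model produced by the default mappers for the sample entry."""
    return apply_mappers(SAMPLE_ENTRY, DEFAULT_MAPPERS)


def ucs_user():
    """User model produced by the mapping proposed in this bug."""
    return apply_mappers(SAMPLE_ENTRY, UCS_MAPPERS)


def mapper_component(name, ldap_attr, model_attr, mandatory, parent_id):
    """JSON body for one user-attribute-ldap-mapper component.
    parent_id is the id of the LDAP user federation provider (caller supplies it)."""
    return {
        "name": name,
        "providerId": MAPPER_PROVIDER_ID,
        "providerType": MAPPER_PROVIDER_TYPE,
        "parentId": parent_id,
        "config": {
            "ldap.attribute": [ldap_attr],
            "user.model.attribute": [model_attr],
            "read.only": ["true"],
            "always.read.value.from.ldap": ["true"],
            "is.mandatory.in.ldap": ["true" if mandatory else "false"],
        },
    }


def corrected_components(parent_id):
    """Component definitions for the two mappers this bug asks to replace."""
    return [mapper_component(*m, parent_id) for m in UCS_MAPPERS]


if __name__ == "__main__":
    print("default mappers :", default_user())   # firstName is the full cn, no email
    print("proposed mappers:", ucs_user())       # firstName from givenName, email set
    print(json.dumps(corrected_components("<ldap-provider-id>"), indent=2))
```

With the default mappers the sample user ends up with `firstName` = "Jane Doe" and no `email` at all, which is the symptom this bug describes; with the proposed mappers `firstName` = "Jane" and `email` = "jane.doe@example.com". Each dict from `corrected_components()` can be POSTed to the admin REST endpoint `/admin/realms/{realm}/components` or passed field by field to `kcadm.sh create components`, after deleting the default `first name` and `email` mapper components under the same parent.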