Keycloak role-ldap-mapper sync - jboss

I am struggling with the Keycloak role-ldap-mapper. We have an Active Directory service internally where users can ask for roles. Roles are assigned/removed by another tool and saved into the memberOf attribute in AD.
Keycloak imports the roles correctly at the user's first login, but when the user already exists and roles are updated in AD, they are not synchronized to Keycloak. I just want roles to be synchronized regularly from AD to Keycloak, not the other way around (I am not supposed to write into the AD).
Is it a bug, does it work as designed, or am I configuring something in the wrong way?
I am running 2 instances, Version 3.1.0 and 3.4.1.
I already played around with the LDAP "periodic synchronize changed/full" feature but with no success.
Do I have to specify the memberOf attribute somehow specifically to be synchronized?
Thanks for the help.
Solution found:
I have updated Keycloak to the newest version (3.4.3). Now it works for me. It seems to be an issue in the previous versions.

Related

LDAP user login successful without role membership

My Rundeck details: Rundeck version: 4.10.0
install type: DEB
OS Name/version: Debian 11
DB Type/version: h2
An LDAP user without a role membership can log in properly but cannot see any projects - so far fine.
How can I block such a user from logging in at all?
We have one "userBaseDn" group (userBaseDn="cn=Users,ou=PROD,dc=company,dc=com") in which all users are stored. But of course, only users in the following roleBaseDn (roleBaseDn="cn=Rundeck_Admins,cn=Applications,ou=PROD,dc=company,dc=com") group should have access to the Rundeck Web UI.
I expect that only users in the group "Rundeck_Admins" can log in to Rundeck at all.
Currently, you can only restrict that using an ACL policy (the user can log in but cannot view/edit/run any project/job, as you say), please take a look at this.
Alternatively, you can create a specific branch in your LDAP server only for Rundeck users.
"Currently" means there will be a change to this behavior?
As far as I understand LDAP, for a specific LDAP branch in which I place users, I have to manage users twice: first in the user directory and second in the specific Rundeck group. For me that's quite unhandy...

Keycloak - all created users have admin Effective Role

I'm trying to create a user in Keycloak admin console, but it has effective roles that should not be there. In addition to default realm roles, each user, when created, has odd Effective Roles. And I can't understand, where they come from. Even when I delete all assigned roles, effective roles just stay there.
This does not usually happen; it seems like a problem with your Keycloak setup and installation.
Have you checked the default roles at the realm level? The roles shown in the screenshot belong to the realm-management client.
If you are using the master realm, I'd suggest you create a new realm other than master and use it.

Obtaining list of servers where a Group Managed Service Account is installed

I have a whole bunch of gMSAs used throughout my org. I'm able to see through AD what machines have permissions to install the gMSA but cannot find a way to see what machines have actually gone through the Install-ADServiceAccount step to actually have the gMSA installed.
An older post, "How can I see if a Group Managed Service Account is installed with Install-ADServiceAccount?", suggests using Get-ADServiceAccount and checking the HostComputers property, but I only see this populated for MSAs. For gMSAs it's blank.
Any ideas on how I can get this without needing to connect to each machine and run Test-ADServiceAccount for each permitted gMSA (especially given all the PSRemoting and network access problems that causes)? A WMI/CIM query I could run would be second best to actually getting the data centrally from AD.
Thanks for any help.
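The per-host check the question describes, as an added inventory script that is not part of the original post: it reads each gMSA's PrincipalsAllowedToRetrieveManagedPassword from AD, expands groups to computer objects, and then asks each permitted host whether the account is installed. It assumes the RSAT ActiveDirectory module locally, WinRM access to the hosts, and the ActiveDirectory module on each host (Test-ADServiceAccount needs it); the function name Get-GmsaInstallReport is mine.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module
# and PSRemoting to the permitted hosts.
Import-Module ActiveDirectory

function Get-GmsaInstallReport {
    # Hypothetical helper: one row per (gMSA, permitted host) with the install state.
    $gmsas = Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' `
                                  -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($gmsa in $gmsas) {
        # Principals may be computer objects or groups of computers; expand both to DNS names.
        $hosts = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $obj = Get-ADObject -Identity $dn
            switch ($obj.ObjectClass) {
                'computer' { (Get-ADComputer -Identity $dn).DNSHostName }
                'group'    {
                    Get-ADGroupMember -Identity $dn -Recursive |
                        Where-Object { $_.objectClass -eq 'computer' } |
                        ForEach-Object { (Get-ADComputer -Identity $_.distinguishedName).DNSHostName }
                }
            }
        }
        $name = $gmsa.SamAccountName
        foreach ($h in ($hosts | Where-Object { $_ } | Sort-Object -Unique)) {
            $installed = $false
            $errorText = $null
            try {
                # Test-ADServiceAccount returns $true only when the host has run
                # Install-ADServiceAccount (and can retrieve the managed password).
                $installed = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
                    [bool](Test-ADServiceAccount -Identity $using:name -ErrorAction SilentlyContinue)
                }
            } catch {
                $errorText = $_.Exception.Message   # unreachable host, WinRM denied, etc.
            }
            [pscustomobject]@{
                Gmsa      = $name
                Host      = $h
                Installed = $installed
                Error     = $errorText
            }
        }
    }
}

Get-GmsaInstallReport | Sort-Object Gmsa, Host | Format-Table -AutoSize
```

Rows with an Error value are the hosts that could not be checked and need a follow-up, which is the PSRemoting limitation the question mentions.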

Artifactory: SAML/ADFS authentication with groups

We are having problems with the authentication via SAML. All users who have an Active Directory user can log into Artifactory, which is not what I want.
I configured Artifactory to use two specific AD groups to allow users in, but we can't seem to get ADFS to filter those same groups.
As far as I've understood, Artifactory doesn't do anything with SAML authentication besides checking whether ADFS says the user is allowed or not allowed - is that correct?
Does anyone have experience with that kind of problem or an idea on how to solve this?
We are using Artifactory 5.2.0 at the moment.
Never used Artifactory but assuming it's just a SAML SP ...
What is the format of the AD groups? What claim type? You may need a claims rule to transform the attribute to the required format.
ADFS can pass groups as Roles using "Token Groups - Unqualified Names".
Or you can set an access rule in ADFS so that access is denied if the user is not a member of a group.
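Both suggestions from the answer above, as an added example that is not part of the original answer: an issuance transform rule that sends "Token-Groups - Unqualified Names" as Role claims, and an issuance authorization rule that permits only members of two AD groups (ADFS denies the token when no permit claim is issued). The relying-party name "Artifactory" and the group names are assumptions; it runs on the ADFS server with the ActiveDirectory module available.

```powershell
# Added example, not from the original answer. Run on the ADFS server.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName        = 'Artifactory'                                  # assumed relying-party trust name
$allowedGroups = 'Artifactory-Readers', 'Artifactory-Admins'    # assumed AD group names

# 1. Transform rule: unqualified token group names (tokenGroups) as Role claims,
#    so the SP sees "Artifactory-Readers" rather than DOMAIN\Artifactory-Readers.
$transformRules = @'
@RuleName = "Token groups as roles"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# 2. Authorization rule: match on group SID rather than name (names can be renamed,
#    SIDs cannot). Everyone without a permit claim is refused before reaching Artifactory.
$sidPattern = ($allowedGroups | ForEach-Object { (Get-ADGroup -Identity $_).SID.Value }) -join '|'
$authzRules = '@RuleName = "Permit Artifactory groups only"' + "`n" +
    'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)(' + $sidPattern + ')$"]' + "`n" +
    ' => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the rules now attached to the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

Keep the group check in Artifactory as well; the ADFS rule is the gate, and the SP-side group mapping then decides what a permitted user may do.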

.net windows authentication - strange issue after user change AD account

I have a project with Windows authentication and everything works fine. The issue I am having is with a specific user who had his AD account changed.
After the account change he hasn't been able to log in. I looked into his AD account and everything looks the same as mine.
The strange thing is that it worked fine on localhost. I also haven't made any change to IIS, if that helps.
Any ideas?
Thanks
I had to recycle the application pool to re-create the LSA lookup cache. If you can't recycle the pool, you can do the following:
http://support.microsoft.com/kb/946358
Found it here:
IIS Returning Old User Names to my application