在LDAP用户上映射密钥库的领域管理客户端角色

时间:2019-01-28 09:51:57

标签: keycloak openldap

我们可以为从LDAP导入到Keycloak的用户分配realm-management客户端角色吗?为使LDAP用户能够访问管理控制台(管理用户和查看领域),realm.json文件中需要进行哪些更改?

我们正在尝试通过导入realm.json来建立基于LDAP的用户联合,并已完成与LDAP相关的配置,但不知道在realm.json中需要如何配置才能分配realm-management客户端角色,例如view-users、view-clients和manage-realm。

// realm.json的片段:

{
      "realm": "insight-engine",
      "enabled": true,
      "sslRequired": "external",
      "registrationAllowed": false,
      ...... some more configuration
      "requiredCredentials": [ "password" ],
      "roles" : {
        "realm" : [
        {
          "name": "user",
          "description": "User privileges"
        },
        {
          "name": "admin",
          "description": "Administrator privileges"
        }
        ]
      },
      "scopeMappings": [
      {
        "client": "js-console",
        "roles": ["user"]
      },
      {
        "client": "angular1",
        "roles": ["user"]
      }
      ],
      "clients": [
      {
        "clientId": "js-console",
        "enabled": true,
        "publicClient": true,
        "baseUrl": "/js-console",
        "redirectUris": [
          "/js-console/*"
        ],
        "webOrigins": []
      },
      {
        "clientId": "angular1",
        "enabled": true,
        "publicClient": true,
        "baseUrl": "/",
        "redirectUris": [
          "*"
        ],
        "webOrigins": []
      }
      ],
      "userFederationProviders": [
        {
          "displayName": "ldap",
          "providerName": "ldap",
          "priority": 1,
          "fullSyncPeriod": -1,
          "changedSyncPeriod": -1,
          "config": {
            "pagination" : "true",
            "debug" : "false",
            "searchScope" : "1",
            "connectionPooling" : "true",
            "usersDn" : "ou=People,dc=insight,dc=engine",
            "userObjectClasses" : "inetOrgPerson, organizationalPerson",
            "usernameLDAPAttribute" : "uid",
            "bindDn" : "cn=Administrator,dc=insight,dc=engine",
            "bindCredential" : "Cisco#321",
            "rdnLDAPAttribute" : "uid",
            "vendor" : "other",
            "editMode" : "WRITABLE",
            "uuidLDAPAttribute" : "entryUUID",
            "connectionUrl" : "ldap://ldap-external-service:389",
            "syncRegistrations" : "true",
            "authType" : "simple"
          }
        }
      ],
      "userFederationMappers" : [
        {
          "name" : "username",
          "federationMapperType" : "user-attribute-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "ldap.attribute" : "uid",
            "user.model.attribute" : "username",
            "is.mandatory.in.ldap" : "true",
            "read.only" : "false",
            "always.read.value.from.ldap" : "false"
          }
        },
        {
          "name" : "first name",
          "federationMapperType" : "user-attribute-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "ldap.attribute" : "cn",
            "user.model.attribute" : "firstName",
            "is.mandatory.in.ldap" : "true",
            "read.only" : "false",
            "always.read.value.from.ldap" : "false"
          }
        },
        {
          "name" : "creation date",
          "federationMapperType" : "user-attribute-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "ldap.attribute" : "createTimestamp",
            "user.model.attribute" : "createTimestamp",
            "is.mandatory.in.ldap" : "false",
            "read.only" : "true",
            "always.read.value.from.ldap" : "false"
          }
        },
        {
          "name" : "modify date",
          "federationMapperType" : "user-attribute-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "ldap.attribute" : "modifyTimestamp",
            "user.model.attribute" : "modifyTimestamp",
            "is.mandatory.in.ldap" : "false",
            "read.only" : "true",
            "always.read.value.from.ldap" : "false"
          }
        },
        {
          "name" : "realm roles",
          "federationMapperType" : "role-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "roles.dn" : "ou=RealmRoles,dc=keycloak,dc=org",
            "membership.ldap.attribute" : "member",
            "role.name.ldap.attribute" : "cn",
            "role.object.classes" : "groupOfNames",
            "mode" : "LDAP_ONLY",
            "use.realm.roles.mapping" : "true"
          }
        },
        {
          "name" : "finance roles",
          "federationMapperType" : "role-ldap-mapper",
          "federationProviderDisplayName" : "ldap-apacheds",
          "config" : {
            "roles.dn" : "ou=FinanceRoles,dc=keycloak,dc=org",
            "membership.ldap.attribute" : "member",
            "role.name.ldap.attribute" : "cn",
            "role.object.classes" : "groupOfNames",
            "mode" : "LDAP_ONLY",
            "use.realm.roles.mapping" : "false",
            "client.id" : "finance"
          }
        }
      ],
      "clientScopeMappings": {
        "account": [
        {
          "client": "angular",
          "roles": ["view-profile"]
        }
        ],
        "realm-management": [
        {
          "client": "angular",
          "roles": ["manage-realm", "manage-users", "manage-clients"]
        }
        ]
      }
    }

基本要求是,当用户使用LDAP凭据登录客户端后,应该能够从该客户端管理用户和查看领域(即访问管理控制台)。
