Sync Keycloak user ID (or a random UUID) as an independent attribute into LDAP

Hi,
I would like to generate a UUID (such as “597ae2f6-16a6-1027-98f4-d28b5365dc14” for example) or better use the existing user id in Keycloak to synchronize it as a separate attribute into my OpenLDAP server. Idea is to have another unique identifier in order to not rely on email addresses or nicknames in LDAP. (We don’t use Keycloak usernames at all.)

2021-04-26_18h06_36660×526 23.3 KB

When using “id” as “User Model Attribute” in the LDAP Mapper configuration, it results in the following error:

13:55:57,974 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-27) Uncaught server error: java.lang.UnsupportedOperationException: Property interface org.keycloak.models.UserModel.id is read only, as there is no setter method.

Since I am not so experienced with developing or reading Java code: Is there another way to synchronize the user ID into Keycloak or is there somehow a helper function like “${RANDOM}” like for hardcoded-ldap-attribute-mapper types for creating random UUIDs?

Thanks in advance!

Greets,
Daniel

Hey guys, anyone with an idea how to solve my problem?

just bumping thread to see if others have better idea

i suppose you know, but openldap already has entryUUID. while not synced with keycloak’s user id, it may offer the “UUID in LDAP” requirement you need.

on the federation settings, for example, you could tie the UUID attribute to entryUUID vs cn, email, etc. which may change.

$0.02

I run into the same problem by using keycloak id attribute to generate stable DN’s for ldap.

So I defined the uid attribute as the RDN ldap attribute and created a user-attribute-ldap-mapper for mapping the keycloak id and the uid ldap attribute.

Is there any good solution for this use case?