Replies: 1 comment
According to RFC 5321 section 2.4, "The local-part of a mailbox MUST BE treated as case sensitive." Thus this is actually a bug. Someone filed issue #42373, which however has been closed ("Due to lack of updates in the last 180 days this issue will be automatically closed."), even though it was only three months since the last update and less than four months since the issue was opened. Thus, if your mail server does distinguish case in the local part, you cannot use Keycloak... Keycloak does not comply with RFC 5321.
We have keycloak 26.4.6 running with an ldap directory as user federation for authentication using the username (uid) from ldap and getting email, first and last name from the directory. Keycloak only reads the ldap and cannot write changes into the ldap. Keycloak should use the current email address from ldap at any time (in case it ever changes).
Someone has put a mixed case email address into ldap, e.g.
John.Doe@example.com. When this person logs in, after entering username and password and being successfully authenticated by LDAP, Keycloak shows the "Update Account Information" page. The page has three fields (which we have set as required in the user profile): Email, First name, and Last name. All three fields are prefilled with the values from LDAP, including the mixed-case mail address. All values are greyed out and cannot be modified.
When pressing the submit button, it just takes the user back to the same page.
As far as I understand this is because we have enabled "Import Users" for the ldap user federation and set "Always Read Value From LDAP" in the Email mapper (as we want to use the current mail address in ldap at any time and don't want people to set a different mail address in keycloak but rather change it only in ldap).
If I understand correctly, Keycloak imports the email address into the database but converts it to lowercase. When the user logs in keycloak gets the mixed case mail address from ldap and doesn't find the matching account because keycloak compares the mail address case-sensitive.
I have tried to disable "Import Users" but it did not help. The user still ends up in the "Update Account Information" loop.
I have tried a couple of other things but did not get what I wanted.
What would be the correct setup for my scenario: an LDAP directory as the source of information, which the user cannot overwrite in the user's Keycloak account?
In other words: either keycloak should always use the ldap attributes at any time or if it has to go through the keycloak database: data is always (or frequently) checked and updated against ldap. Is it possible? Or do I have to enable periodic sync to get something close?