From Ldap to Keycloak

Hello guys,
we have a production environment currently authenticating with the company LDAP; during the installation we left the UUID value on default, so there is currently a mapping in the db between our LDAP cn and the Nextcloud UUID, which is used as username.

Since we are migrating all the company authentications to Keycloak, we installed the OIDC plugin for Nextcloud, but in this case the cn is used by default as username, so if someone tries to log in through Keycloak he ends up as a new user even if he is not.

What is the easiest and least invasive way to do this migration without losing all the users data?

Thanks


Hello Lorenz,

Did you find a way to migrate your users to OIDC?
Are you using SocialLogin ?

Thanks in advance!
Michel, having the same kind of migration to Keycloak problem

Dear All,
Any luck on this, please?

Hi Team,

I am also having the same issues, can anyone please help?

In Keycloak, you will want to create a mapper for the client property sub and use username for the value. Else a cryptic number will appear.

I had the same trouble with an existing Nextcloud instance linked to LDAP and an implementation of Keycloak with Social Login.

First, as @joergschulz stated, you need to be sure that you have the sub attribute in the data sent in the JWT token. I mapped it to the LDAP_ID user attribute populated by the LDAP in Keycloak.

Then I modified the Social Login code for my needs; actually you can implement a specific behaviour in the UID computation, and it is easier than creating a new mapper for KC.

You add your changes in the ProviderService.php class at line 462.
Before:

$uid = $provider.'-'.$profileId;

After:

if ($provider === "MyProviderName") {
    $uid = strtoupper($profileId);
} else {
    $uid = $provider.'-'.$profileId;
}

ProviderName is the one you set in Social Login; that way you avoid the prefix and set the $profileId, which should be LDAP_ID, to upper case.

Then everything works as expected :slight_smile:

Hope it helps someone on the Keycloak / Nextcloud / LDAP journey.

You should not need to change the code to use Keycloak. Just a simple user mapper in Keycloak itself so it sends the UUID correctly as username.


In my case the Nextcloud instance already has users coming from the LDAP, and each of them has the LDAP_ID as UUID.

Keycloak creates its own UUID for each user it imports from the same LDAP.

The Social Login plugin prefixes the profileId with the provider name, which prevents it from matching the same user and creates double entries if you let it.

This being said, I'm not saying it's the best one, but nonetheless it works for us.

Hi,

how did you map the LDAP_ID user attribute? I am having difficulties trying to understand it.

Figured it out.

Inside the profile scope on Keycloak, map the LDAP_ID attribute to ldap_id.

Configure the connection to map the ldap_id attribute.

Now the issue is that Keycloak uses the lowercase objectGUID while Nextcloud requires the uppercase objectGUID.
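A small pre-flight check that ties the two points in this thread together (the provider-prefixed uid Social Login computes by default versus the patched uppercase one, and the lowercase GUID Keycloak sends). This is added example code, not from the Social Login app or anyone in the thread; the user table, the provider name "MyProviderName" and the tokens are constructed, and token signatures are deliberately not verified here because this only inspects claims offline before enabling the login flow.

```python
import base64
import json
# Constructed sample data (not from the thread): usernames that the LDAP backend
# already created in Nextcloud, keyed by the uppercase objectGUID-style UUID.
EXISTING_NEXTCLOUD_USERS = {
    "A1B2C3D4-E5F6-7890-ABCD-EF1234567890": "alice",
    "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0": "bob",
}
PROVIDER_NAME = "MyProviderName"  # provider name as configured in Social Login (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT purely as offline test input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload only; signature verification is Nextcloud's job at login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def social_login_uid(provider: str, profile_id: str, patched: bool) -> str:
    """Default Social Login uid is provider-prefixed; the thread's patch drops the
    prefix and upper-cases the id so it equals the LDAP UUID Nextcloud stored."""
    if patched and provider == PROVIDER_NAME:
        return profile_id.upper()
    return f"{provider}-{profile_id}"


def check_migration(tokens: list, patched: bool) -> dict:
    """Map each sub to 'matched' (existing account) or 'new' (a duplicate would be created)."""
    outcome = {}
    for tok in tokens:
        sub = jwt_claims(tok)["sub"]
        uid = social_login_uid(PROVIDER_NAME, sub, patched)
        outcome[sub] = "matched" if uid in EXISTING_NEXTCLOUD_USERS else "new"
    return outcome


# Keycloak sends the GUID lowercase (see above); the second sub has no existing account.
SAMPLE_TOKENS = [
    make_sample_token({"sub": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "preferred_username": "alice"}),
    make_sample_token({"sub": "99999999-0000-0000-0000-000000000000", "preferred_username": "carol"}),
]
```

Run `check_migration(SAMPLE_TOKENS, patched=False)` against a dump of real tokens and your own user table before switching the login over: every "new" result is an account that would be duplicated on first login.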