We have successfully configured keycloak with mailcow nightly. Local keycloak users can log in to mailcow UI and Sogo from UI via SSO. That is a fine feature! Thank you for making this real.
We have also connected our LDAP server to keycloak. It is actually an Azure Active Directory Domain Service (AADDS) that provides an LDAP interface like an Active Directory. We have all the desired LDAP users and their respective LDAP groups in keycloak.
We have followed the setup instructions from here: https://mailcow.email/posts/2023/mailcow-idp/#ldap
We do not have a “mailboxType” attribute in our LDAP. Custom attributes cannot be added to an AADDS.
The result is that an LDAP user logging in via SSO from the Mailcow UI cannot log in because the user is “unauthenticated”. From the UI log: `["login_failed", "empty attribute mapping or missing template attribute"]`
What would be an alternative way to add information to userinfo for users coming from LDAP? We would also like to add the LDAP group information. We need this for the public folder acl.
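Added illustration, not part of the original post and not mailcow's or Keycloak's own documentation: the log line above says the userinfo response carried no template attribute, so one generic way to supply claims for users who come from an LDAP that cannot hold custom attributes is to attach protocol mappers to the Keycloak client instead of mapping an LDAP attribute. The two mapper definitions below use Keycloak's built-in `oidc-hardcoded-claim-mapper` and `oidc-group-membership-mapper` types (payload shape of the Keycloak admin REST API for client protocol mappers). The claim names `mailbox_template` and `groups` are placeholders chosen here; whichever names mailcow expects must be taken from the mailcow IdP documentation, and the value `default` is a constructed example.

```json
[
  {
    "name": "mailbox-template-for-ldap-users",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-hardcoded-claim-mapper",
    "config": {
      "claim.name": "mailbox_template",
      "claim.value": "default",
      "jsonType.label": "String",
      "id.token.claim": "true",
      "access.token.claim": "true",
      "userinfo.token.claim": "true"
    }
  },
  {
    "name": "ldap-groups",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-group-membership-mapper",
    "config": {
      "claim.name": "groups",
      "full.path": "false",
      "id.token.claim": "true",
      "access.token.claim": "true",
      "userinfo.token.claim": "true"
    }
  }
]
```

A hardcoded claim applies the same value to every user of the client, so it only fits when all LDAP-sourced users should receive the same template; the group membership mapper exposes the groups Keycloak already imported from LDAP, which can then be consumed for ACL decisions on the relying-party side. After adding mappers, check the userinfo endpoint response for a test user before enabling SSO for everyone, since a missing claim surfaces only as the `login_failed` entry shown above.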