[keycloak-dev] Sync committed

Marek Posolda mposolda at redhat.com
Sun Aug 10 18:09:28 EDT 2014


Hi,

I've pushed support for bulk sync of users from an external store (like 
LDAP) to the local store. A summary of the changes:
- Added 2 new methods to UserFederationProviderFactory: 
syncAllUsers (syncs all users from the external store to the local store) and 
syncChangedUsers (syncs just the users which were changed; requires that the 
external store has support for changelogs).

- Implementation for LDAP which allows both "full" and "changed" sync. 
It's possible to track users which were created or updated on the LDAP 
server since some specified time. Unfortunately it is not easily possible to 
track removed LDAP users.

- Support for periodic sync. You can specify for each 
FederationProvider how often it should do syncAllUsers and how often 
syncChangedUsers. It's possible to specify a different period for each 
UserFederationProviderModel, so for example realm1 can sync from Active 
Directory once per day while realm2 can sync from OpenDS LDAP just once 
per week, etc. Also, if you update or delete a UserFederationProviderModel, 
the sync task will be updated/cancelled as well (I've added support to 
BasicTimer for cancelling previously scheduled tasks).


Remaining work:
* Support in the admin console. I plan to add buttons which will allow 
the admin to trigger either syncAllUsers or syncChangedUsers from the admin 
console. Also new options to specify the periods for "fullSync" and 
"changedSync". For LDAP, I will need to add an option for batch size 
(the number of LDAP users to be downloaded per batch (page); each batch 
is processed in a separate transaction).

* For now, I've added just sync from the external store to Keycloak. Do we 
need 2-way sync? For example, if people have WRITABLE mode for their 
Federation Provider, then changes to a particular user done by Keycloak 
are immediately written to the 3rd party store anyway?

* As I mentioned, syncChangedUsers for LDAP is able to track created 
and updated LDAP users but not removed ones. I wonder if it's a good idea that 
during full sync Keycloak will check if all local users with LDAP links 
are still valid and delete those which are not? Or is it ok to just 
rely on the FederationProvider to handle this?

* Sync/Federation of roles? Right now both FederationProvider and Sync 
are doing just syncing of users, but not roles or role mappings. I wonder 
whether people probably also want to sync their LDAP roles into 
Keycloak, and role mappings too. This might be quite tricky though, 
as Federation just deals with UserProvider, but syncing roles from LDAP 
will require some updates to RealmProvider too. Probably not doable for 
1.0.Final though...

Marek
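An added illustration (not Keycloak's own code, which is Java) of the two sync modes and the deletion gap raised above, using a constructed in-memory dict in place of an LDAP server. The "changed" sync selects by a modification timestamp, as an LDAP changelog query would, and therefore cannot see removed entries; the "full" sync processes users in batches and then reconciles locally linked users that no longer exist externally. Store shape, `federation_link` field and `ts()` helper are assumptions for this example.

```python
from datetime import datetime, timezone


def ts(year, month, day):
    """UTC timestamp helper (stands in for an LDAP modifyTimestamp value)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample external (LDAP-like) store keyed by username.
EXTERNAL_STORE = {
    "alice": {"email": "alice@example.test", "modified": ts(2014, 8, 1)},
    "bob":   {"email": "bob@example.test",   "modified": ts(2014, 8, 9)},
}


def sync_changed_users(external, local, since, provider_id):
    """Import entries created or updated in the external store since `since`.
    Returns the number imported. Deleted external users are NOT detected:
    a removed entry has no timestamp left to match against."""
    imported = 0
    for username, entry in external.items():
        if entry["modified"] >= since:
            local[username] = {"email": entry["email"],
                               "federation_link": provider_id}
            imported += 1
    return imported


def sync_all_users(external, local, provider_id, batch_size=2):
    """Full sync in batches of `batch_size` (each batch would be its own
    transaction against a real local store). After the import, delete local
    users linked to this provider that no longer exist externally; users
    without a federation link (local-only accounts) are left untouched.
    Returns (number synced, list of stale usernames deleted)."""
    usernames = sorted(external)
    for start in range(0, len(usernames), batch_size):
        for username in usernames[start:start + batch_size]:
            local[username] = {"email": external[username]["email"],
                               "federation_link": provider_id}
    stale = [u for u, rec in local.items()
             if rec.get("federation_link") == provider_id and u not in external]
    for username in stale:
        del local[username]
    return len(usernames), stale
```

Running a changed sync after removing "bob" externally leaves the stale local "bob" in place; only the full sync with reconciliation removes it.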


