[keycloak-dev] LDAP read-only was Re: Federation Storage: read-only groups
bburke at redhat.com
Mon Dec 5 10:29:17 EST 2016
On 12/5/16 5:01 AM, Marek Posolda wrote:
> On 02/12/16 15:26, Bill Burke wrote:
>> Providers are supposed to throw a ReadOnlyException in this scenario. I
>> don't know if the LDAP provider handles this well. I was a bit confused
>> on how it worked, it seems like if a mapper is read-only, it allows you
>> to edit the change in the import. Basically unsynced mode.
> Yes, the current read-only mode for GroupMapper is de facto "unsynced".
> It allows you to add new group memberships, but those memberships are
> saved in the Keycloak DB, not in LDAP itself. So the group membership is
> the merge of memberships from the DB and from LDAP. Removing a group
> membership which is saved in LDAP throws an exception.
> I am going to add a new mode "read-only" and rename the current
> read-only mode to "unsynced" to be better aligned with the modes for
> userStorage. Created https://issues.jboss.org/browse/KEYCLOAK-4025
Don't forget to edit the migration script to handle this.
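The two mapper modes Marek describes, as an added illustrative model that is not Keycloak code: in "unsynced" mode the effective membership is the union of LDAP and local DB groups and only removal of an LDAP-backed membership raises, while the proposed "read-only" mode rejects every write. The class and exception names, and the sample group names, are assumptions made for this model.

```python
from enum import Enum


class ReadOnlyException(Exception):
    """Raised when a write would have to touch a read-only backing store."""


class Mode(Enum):
    UNSYNCED = "unsynced"    # current behaviour the thread calls "read-only"
    READ_ONLY = "read-only"  # proposed new mode: no membership writes at all


class GroupMembershipView:
    """Model (assumed name) of one user's group memberships under a mapper mode."""

    def __init__(self, mode, ldap_groups, db_groups=()):
        self.mode = mode
        self.ldap_groups = frozenset(ldap_groups)  # directory of record; never written here
        self.db_groups = set(db_groups)            # local Keycloak DB additions

    def groups(self):
        # Effective membership is the merge of LDAP and local DB memberships.
        return self.ldap_groups | self.db_groups

    def join(self, group):
        if self.mode is Mode.READ_ONLY:
            raise ReadOnlyException(f"cannot add {group}: mapper is read-only")
        # Unsynced: the addition lands in the local DB only; LDAP is untouched.
        self.db_groups.add(group)

    def leave(self, group):
        if self.mode is Mode.READ_ONLY or group in self.ldap_groups:
            raise ReadOnlyException(f"cannot remove {group}: membership lives in LDAP")
        self.db_groups.discard(group)


def local_only_groups(view):
    """Memberships that exist only in the Keycloak DB, i.e. have drifted from LDAP."""
    return view.db_groups - view.ldap_groups


def raises_read_only(fn, *args):
    """True if calling fn(*args) raises ReadOnlyException."""
    try:
        fn(*args)
    except ReadOnlyException:
        return True
    return False


# Constructed sample: user is in "ldap-admins" according to LDAP.
unsynced = GroupMembershipView(Mode.UNSYNCED, ["ldap-admins"])
unsynced.join("local-devs")  # stored in DB, LDAP unchanged
```

Auditing `local_only_groups()` is the practical takeaway: in unsynced mode those memberships are invisible to the LDAP directory of record.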