[keycloak-dev] LDAP read-only was Re: Federation Storage: read-only groups

Bill Burke bburke at redhat.com
Mon Dec 5 10:29:17 EST 2016



On 12/5/16 5:01 AM, Marek Posolda wrote:
> On 02/12/16 15:26, Bill Burke wrote:
>> Providers are supposed to throw a ReadOnlyException in this scenario.  I
>> don't know if the LDAP provider handles this well.  I was a bit confused
>> on how it worked, it seems like if a mapper is read-only, it allows you
>> to edit the change in the import. Basically unsynced mode.
> Yes, the current read-only mode for GroupMapper is de facto "unsynced".
> It allows you to add new group memberships, but those memberships are
> saved in Keycloak DB, not in LDAP itself. So the group membership is
> the merge of memberships from DB and from LDAP. Removing group
> membership, which is saved in LDAP, throws an exception.
>
> I am going to add new mode "read-only" and rename the current 
> read-only mode to "unsynced" to be better aligned with the modes for 
> userStorage. Created https://issues.jboss.org/browse/KEYCLOAK-4025

Don't forget to edit the migration script to handle this.
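The two mapper modes discussed above, as an added toy model (not Keycloak's own code): "unsynced" keeps the current behaviour Marek describes, "read-only" is the stricter mode proposed in KEYCLOAK-4025. Class and method names are assumptions for the model; only the ReadOnlyException name is taken from the thread.

```python
from enum import Enum


class ReadOnlyException(Exception):
    """Raised when a change would have to be written to read-only LDAP."""


class Mode(Enum):
    UNSYNCED = "unsynced"    # current "read-only": local additions, merged view
    READ_ONLY = "read-only"  # proposed strict mode: no membership changes at all


class GroupMembershipStore:
    """Assumed model of one user's group memberships behind an LDAP mapper."""

    def __init__(self, mode, ldap_groups, db_groups=()):
        self.mode = mode
        self.ldap = set(ldap_groups)  # memberships LDAP owns; never written here
        self.db = set(db_groups)      # memberships stored only in Keycloak DB

    def groups(self):
        """Effective membership is the merge of DB and LDAP memberships."""
        return self.ldap | self.db

    def join(self, group):
        if self.mode is Mode.READ_ONLY:
            raise ReadOnlyException(f"mapper is read-only, cannot add {group!r}")
        if group not in self.ldap:      # already a member via LDAP: nothing to store
            self.db.add(group)          # unsynced: addition lands in the DB only

    def leave(self, group):
        if self.mode is Mode.READ_ONLY:
            raise ReadOnlyException(f"mapper is read-only, cannot remove {group!r}")
        if group in self.ldap:
            # Membership lives in LDAP and unsynced mode cannot modify LDAP.
            raise ReadOnlyException(f"{group!r} is stored in LDAP and cannot be removed")
        self.db.discard(group)


def rejected(action, *args):
    """True if the action is refused with ReadOnlyException (test helper)."""
    try:
        action(*args)
    except ReadOnlyException:
        return True
    return False
```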


