[keycloak-dev] LDAP read-only was Re: Federation Storage: read-only groups

Marek Posolda mposolda at redhat.com
Mon Dec 5 11:01:24 EST 2016

On 05/12/16 16:29, Bill Burke wrote:
> On 12/5/16 5:01 AM, Marek Posolda wrote:
>> On 02/12/16 15:26, Bill Burke wrote:
>>> Providers are supposed to throw a ReadOnlyException in this scenario.
>>> I don't know if the LDAP provider handles this well. I was a bit
>>> confused on how it worked, it seems like if a mapper is read-only, it
>>> allows you to edit the change in the import. Basically unsynced mode.
>> Yes, the current read-only mode for GroupMapper is de facto
>> "unsynced". It allows you to add new group memberships, but those
>> memberships are saved in the Keycloak DB, not in LDAP itself. So the
>> group membership is the merge of memberships from the DB and from LDAP.
>> Removing a group membership that is saved in LDAP throws an exception.
>> I am going to add a new mode "read-only" and rename the current
>> read-only mode to "unsynced" to be better aligned with the modes for
>> userStorage. Created https://issues.jboss.org/browse/KEYCLOAK-4025
> Don't forget to edit the migration script to handle this.
Yeah, sure. I have the migration in mind.
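A toy model of the two membership modes described in this thread, added here as an illustration and not Keycloak's own code: the old "unsynced" behaviour (adds land in the local DB, effective membership is the union of DB and LDAP, removing an LDAP-owned membership raises ReadOnlyException) beside the proposed "read-only" mode, which is assumed here to reject every membership write. The class names, the sample LDAP groups and the read-only semantics are assumptions for the example.

```python
from enum import Enum


class ReadOnlyException(Exception):
    """Raised when a write is attempted against data the mapper treats as read-only."""


class Mode(Enum):
    UNSYNCED = "unsynced"    # old "read-only": writes are stored in Keycloak DB only
    READ_ONLY = "read-only"  # proposed new mode: assumed to reject all membership writes


class GroupMapper:
    """Hypothetical model of an LDAP group mapper; not the Keycloak implementation."""

    def __init__(self, mode, ldap_groups):
        self.mode = mode
        self.ldap = set(ldap_groups)  # memberships owned by LDAP (constructed sample)
        self.db = set()               # memberships stored only in the Keycloak DB

    def groups(self):
        # Effective membership is the merge of DB-stored and LDAP-stored memberships.
        return self.ldap | self.db

    def join(self, group):
        if self.mode is Mode.READ_ONLY:
            raise ReadOnlyException(f"cannot add {group}: mapper is read-only")
        if group not in self.ldap:
            self.db.add(group)  # unsynced: persisted locally, LDAP is untouched

    def leave(self, group):
        if self.mode is Mode.READ_ONLY:
            raise ReadOnlyException(f"cannot remove {group}: mapper is read-only")
        if group in self.ldap:
            # The membership lives in LDAP, which this mapper never writes to.
            raise ReadOnlyException(f"cannot remove {group}: stored in LDAP")
        self.db.discard(group)


def unsynced_demo():
    """Walk through the unsynced behaviour described in the thread."""
    mapper = GroupMapper(Mode.UNSYNCED, ["ldap-admins"])
    mapper.join("local-testers")          # allowed, lands in the DB
    try:
        mapper.leave("ldap-admins")       # rejected, membership is LDAP-owned
        removed_ldap = True
    except ReadOnlyException:
        removed_ldap = False
    mapper.leave("local-testers")         # allowed, only the DB is touched
    return sorted(mapper.groups()), removed_ldap
```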
