[keycloak-dev] Groups on SSSD Federation provider

Bruno Oliveira bruno at abstractj.org
Thu Dec 8 07:22:27 EST 2016

On 2016-12-08, Marek Posolda wrote:
> Yes, the thing is that we don't have anything like federation of groups or
> roles. And not sure if we need that as it will be lots of overhead and
> corner cases around this IMO.
> My vote is something like your solution 2. Maybe the group can have
> attribute like "userStorage.<storageID>.id", which will contain the
> identificator of particular group specific to particular userStorage
> provider. In case of LDAP, it will be either LDAP UUID or LDAP DN of that
> group. In case of SSSD probably something similar?

+1 Let's do this

> Note: I think we need the "storageID" element in the attribute name too as
> single Keycloak group "group1" can be used in group mappings of users from
> more userStorage providers.
> Marek
> On 08/12/16 02:01, Bruno Oliveira wrote:
> > > If you're talking about the actual groups changing (their names or
> > > >whatever), that's a similar problem we have with our regular LDAP adapter.
> > > >
> > That's exactly what I meant.  It's a problem that from my undestanding we
> > don't have a
> > solution now. At the same time, I'm afraid that people start to change
> > groups' name
> > and create several mismatches between KC database and IPA. For example:
> >
> > group1 coming from IPA, is edited to group2 on Keycloak. On the next login,
> > SSSD federation
> > identifies that group1 does not exist and try to synchronize it again. Now
> > we have 2 groups.


PGP: 0x84DC9914

More information about the keycloak-dev mailing list