[keycloak-user] automated Sync Keycloak Roles To LDAP

Marek Posolda mposolda at redhat.com
Thu Jun 16 06:41:53 EDT 2016


On 16/06/16 07:25, Arjan Schaaf wrote:
> Hi there,
>
> I’m integrating Keycloak in an environment where I have a couple of ‘legacy’ applications that allow for LDAP-based external authentication, but do not support Keycloak or OAuth / OpenID Connect out-of-the-box.
> So I’m creating a setup where I use Keycloak as the primary repository for storing users and groups/roles, but I connect an LDAP server that is kept in sync with Keycloak and bind these applications to the LDAP service.
>
> That setup works decently enough: newly created users in Keycloak are synced to LDAP and so on.
> However, syncing Keycloak roles to LDAP doesn’t seem to work as conveniently. I’ve created a User Federation Mapper of type Role mappings and when I use the “Sync Keycloak Roles To LDAP” button, the roles are synced with LDAP. Great!
> But when I create a new role in Keycloak I expected it to be synced automatically, just like a new Keycloak user is synced directly to LDAP. I need to use the “Sync Keycloak Roles To LDAP” button manually again to update LDAP. Is this how it is designed to work, or is there a way to update LDAP directly after changing something in Keycloak roles?
Yes, ATM it's not done immediately. Feel free to create a JIRA for this.

Currently, to propagate the creation of a role to LDAP, you need to either:
- Click "Sync Keycloak Roles To LDAP" as you mentioned
- In the Keycloak admin console, assign some LDAP-mapped user to this role.
  In this case, the role will be created in LDAP and the role mapping for the
  user will be created as well. Is it sufficient for your use case?

Marek
>
>
> Cheers,
> Arjan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
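Marek's second option, scripted against the Keycloak Admin REST API instead of clicked through the console. This is an added example, not code from the thread or from the Keycloak project. It assumes an `admin-cli` password grant (a dedicated service account with only `manage-users` and `manage-realm` rights is the better choice in production), a realm that already has an LDAP user federation provider with a role mapper configured, a user that exists both in LDAP and in Keycloak, and that the REST endpoints drive the same mapper as the console does (the console is itself a client of this API). The HTTP transport is injectable so the workflow can be exercised offline with a fake; the hostnames, realm, role and user names below are placeholders.

```python
"""Create a realm role and assign it to an LDAP-federated user via the
Keycloak Admin REST API, so the LDAP role mapper writes the role and the
membership to LDAP without pressing "Sync Keycloak Roles To LDAP".

Added example; not from the mailing-list thread or the Keycloak project.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, body_bytes).
# Injected so the same code runs offline against a fake (see usage note).
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport: plain urllib, TLS verified by default."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class KeycloakAdmin:
    def __init__(self, base_url: str, realm: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/")   # e.g. https://sso.example.com/auth (placeholder)
        self.realm = realm
        self.transport = transport
        self.token: Optional[str] = None

    def login(self, username: str, password: str, admin_realm: str = "master") -> str:
        # Password grant with the built-in admin-cli client. A service account
        # using client credentials is preferable to a human admin's password.
        url = f"{self.base}/realms/{admin_realm}/protocol/openid-connect/token"
        body = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}).encode()
        status, data = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.token = json.loads(data)["access_token"]
        return self.token

    def _call(self, method: str, path: str, payload=None, expect=(200, 201, 204)):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, f"{self.base}/admin/realms/{self.realm}{path}", headers, body)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return json.loads(data) if status == 200 and data else None

    def create_realm_role(self, name: str, description: str = "") -> dict:
        # 409 Conflict means the role already exists; treat creation as idempotent.
        self._call("POST", "/roles", {"name": name, "description": description}, expect=(201, 409))
        return self._call("GET", f"/roles/{urllib.parse.quote(name)}")

    def find_user(self, username: str) -> dict:
        # The username filter is a prefix/substring search; keep exact matches only.
        users = self._call("GET", f"/users?username={urllib.parse.quote(username)}") or []
        matches = [u for u in users if u.get("username") == username]
        if not matches:
            raise LookupError(f"no user {username!r} in realm {self.realm}")
        return matches[0]

    def assign_realm_role(self, user_id: str, role: dict) -> list:
        # Realm-level role mapping. With an LDAP role mapper configured, this write
        # is what creates the role entry in LDAP (if absent) and adds the member,
        # as described in the reply above (assumed to match console behaviour).
        self._call("POST", f"/users/{user_id}/role-mappings/realm",
                   [{"id": role["id"], "name": role["name"]}])
        return self._call("GET", f"/users/{user_id}/role-mappings/realm") or []


def propagate_role_to_ldap(admin: KeycloakAdmin, role_name: str, ldap_username: str) -> list:
    """Create the role, map it to an LDAP-backed user, return the user's
    realm role names afterwards (sorted) so the caller can verify the mapping."""
    role = admin.create_realm_role(role_name, "created via API; pushed to LDAP by the role mapper")
    user = admin.find_user(ldap_username)
    mappings = admin.assign_realm_role(user["id"], role)
    return sorted(m["name"] for m in mappings)


if __name__ == "__main__":
    # Placeholder values; replace with your own. Do not hard-code real credentials.
    kc = KeycloakAdmin("https://sso.example.com/auth", "demo")
    kc.login("admin", "change-me")
    print(propagate_role_to_ldap(kc, "legacy-app-admin", "jdoe"))
```

After running it, confirm the write on the LDAP side (for example with `ldapsearch` against the roles DN configured in the mapper) rather than trusting the Keycloak response alone: the 204 only tells you Keycloak accepted the mapping, not that the LDAP write succeeded. Also note that this path only covers role creation plus membership; a role created with no LDAP-mapped member still needs the manual sync button.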
