[keycloak-user] User federation via AD/LDAP - how to handle deleted users?

Thomas Darimont thomas.darimont at googlemail.com
Tue Jan 15 06:32:10 EST 2019


Hello,

currently, Keycloak (up to 4.8.2) does not handle the case where a user is
deleted in the federated user-store when the built-in LDAP / AD federation
provider is used.

The relevant code is located within the LDAPStorageProviderFactory:
https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430

There is a TODO which reads:
// TODO: Remove all existing Keycloak users, which have federation links,
but are not in LDAP. Perhaps don't check users, which were just added or
updated during this sync?

I wonder what would be the right thing to do in this case.
If the federated user-store dictates the truth, then IMHO the right thing
to do would be to also delete the user that is associated with the
user-storage provider federation link in Keycloak, if the linked AD / LDAP
user was deleted.

How do you handle this situation in your systems?

Cheers,
Thomas
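The reconciliation step the TODO above describes, written out as an added example in Python; it is not Keycloak code and does not use Keycloak's internal APIs. It assumes that each federated Keycloak user carries a federation link (the storage provider id) and an LDAP_ID attribute (entryUUID or objectGUID), and that the sync records when it last created or updated a user, so that users touched during the current run can be skipped as the TODO suggests. The user records and the LDAP id snapshot are constructed sample data.

```python
"""Model of the "remove users whose LDAP entry is gone" step of a periodic
LDAP sync. Added example, not Keycloak's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class KeycloakUser:
    id: str
    username: str
    federation_link: Optional[str]  # storage provider id; None for local users
    ldap_id: Optional[str]          # LDAP_ID attribute (entryUUID / objectGUID)
    last_synced: datetime           # assumed: last time the provider wrote this user


PROVIDER_ID = "ldap-corp"  # assumed id of the LDAP storage provider
SYNC_STARTED_AT = datetime(2019, 1, 15, 6, 0, tzinfo=timezone.utc)
# Constructed snapshot of the LDAP_ID values still present in the directory,
# taken when the sync run started.
SAMPLE_LDAP_IDS: Set[str] = {"uuid-alice", "uuid-erin"}


def sample_users() -> List[KeycloakUser]:
    """Constructed Keycloak user table for the example."""
    old = SYNC_STARTED_AT - timedelta(days=1)
    during = SYNC_STARTED_AT + timedelta(minutes=1)
    return [
        KeycloakUser("1", "alice", PROVIDER_ID, "uuid-alice", old),   # still in LDAP
        KeycloakUser("2", "bob", PROVIDER_ID, "uuid-bob", old),       # deleted in LDAP
        KeycloakUser("3", "carol", PROVIDER_ID, "uuid-carol", during),  # added during this run
        KeycloakUser("4", "dave", None, None, old),                   # local Keycloak user
        KeycloakUser("5", "erin", "ldap-other", "uuid-erin", old),    # linked to another provider
    ]


def find_orphaned_users(users: Iterable[KeycloakUser], ldap_ids: Set[str],
                        provider_id: str, sync_started_at: datetime) -> List[KeycloakUser]:
    """Users linked to this provider whose LDAP entry is no longer present."""
    orphaned = []
    for u in users:
        if u.federation_link != provider_id:
            continue  # local user, or owned by a different storage provider
        if u.last_synced >= sync_started_at:
            continue  # just added/updated by this sync; the snapshot predates it
        if u.ldap_id is None:
            continue  # cannot be matched reliably; leave for manual review
        if u.ldap_id not in ldap_ids:
            orphaned.append(u)
    return orphaned


def removal_is_safe(linked_count: int, orphaned_count: int, ldap_ids: Set[str],
                    max_removal_ratio: float = 0.5) -> bool:
    """Guard against a failed or partial LDAP listing wiping the realm:
    an empty snapshot or an implausibly large share of orphans aborts the run."""
    if linked_count == 0:
        return True
    if not ldap_ids:
        return False
    return orphaned_count / linked_count <= max_removal_ratio


def reconcile(users: List[KeycloakUser], ldap_ids: Set[str], provider_id: str,
              sync_started_at: datetime) -> Tuple[List[KeycloakUser], List[KeycloakUser]]:
    """Return (remaining users, removed users); raise instead of mass-deleting."""
    linked = [u for u in users if u.federation_link == provider_id]
    orphaned = find_orphaned_users(users, ldap_ids, provider_id, sync_started_at)
    if not removal_is_safe(len(linked), len(orphaned), ldap_ids):
        raise RuntimeError("LDAP listing looks incomplete; refusing to remove linked users")
    removed_ids = {u.id for u in orphaned}
    remaining = [u for u in users if u.id not in removed_ids]
    return remaining, orphaned


if __name__ == "__main__":
    kept, gone = reconcile(sample_users(), SAMPLE_LDAP_IDS, PROVIDER_ID, SYNC_STARTED_AT)
    print("removed:", [u.username for u in gone])
    print("kept:", [u.username for u in kept])
```

The two guards in removal_is_safe are the part worth keeping whatever policy is chosen: a directory outage that makes the LDAP listing come back empty must not look like "every user was deleted", and a run that would remove more than a configured share of linked users should stop and ask for a human. Whether the orphaned users are deleted or merely disabled is a policy decision on top of this; the function that finds them is the same either way.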


More information about the keycloak-user mailing list