<div dir="ltr">As it stands Keycloak syncs this to its own database and as the export is a dump of the database it wouldn't work to remove it. In the future we are planning on providing an option to use LDAP without syncing to the Keycloak database. It'll be a while until we get to it though.<div><br></div><div>With regards to the deletion of groups synced from LDAP I'm not sure how we do that for roles either, I believe the roles remain as well. Maybe Marek can comment on this?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 March 2016 at 13:33, Edgar Vonk - Info.nl <span dir="ltr"><<a href="mailto:Edgar@info.nl" target="_blank">Edgar@info.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
Hi Stian,
<div><br>
</div>
<div>I understand. And typically this would indeed be what you want. However in our specific case groups are not part of our realm data as such but belong to our run-time data and are managed in exactly the same way as our users, role mappings and
group mappings. But I guess you cannot cater for all needs so it’s ok.</div>
<div><br>
</div>
<div>Another, probably related thing, is that with the LDAP group synching (using the user federation group mapper) groups synched from LDAP to Keycloak are never removed from Keycloak. When a group is deleted from LDAP and the sync is done again the
group remains in Keycloak. Not what you want but I guess the issue is that Keycloak cannot make the distinction between a group synched from LDAP versus a group created from Keycloak itself? The LDAP group mapping is set up quite differently from the user synching
of course.</div>
<div><br>
</div>
<div>cheers</div><div><div class="h5">
<div><br>
<div>
<blockquote type="cite">
<div>On 02 Mar 2016, at 13:25, Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>> wrote:</div>
<br>
<div>
<div dir="ltr">Roles and groups should be exported to the realm export, while role mappings and group mappings should be exported to the user export.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 2 March 2016 at 13:15, Edgar Vonk - <a href="http://info.nl" target="_blank">
Info.nl</a> <span dir="ltr"><<a href="mailto:Edgar@info.nl" target="_blank">Edgar@info.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
We notice that when we export our custom realm to a JSON file (to a directory) that this file also contains all User Groups. We do not want this as we synchronise these User Groups from AD/LDAP just like our users. We want to have realm configuration in the
realm JSON file only and not any ‘run-time’ managed data such as users and user groups.<br>
<br>
Currently only users are exported to a different JSON file (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html</a>)
but groups are not. Does it make sense to create a feature request to also export user groups separately?<br>
<br>
We have hundreds of groups in AD/LDAP which we sync to Keycloak so we really do not want these in the realm JSON.<br>
<br>
cheers<br>
<br>
Edgar<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div></div></div>
</blockquote></div><br></div>
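An added example, not part of the original thread and not Keycloak code: one way to spot groups that were deleted from LDAP but still exist in Keycloak (and still carry role mappings) is to compare the `groups` array of a realm export against the directory's current group names. The sample export and LDAP list are constructed, `find_stale_groups` and `local_groups` are hypothetical names, and the script assumes the export fields `name`, `path`, `subGroups` and `realmRoles`.

```python
import json

# Constructed sample: a trimmed realm export holding only the "groups" array.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "groups": [
        {"name": "engineering", "path": "/engineering", "realmRoles": ["developer"],
         "subGroups": [{"name": "platform", "path": "/engineering/platform",
                        "realmRoles": [], "subGroups": []}]},
        {"name": "contractors-2015", "path": "/contractors-2015",
         "realmRoles": ["vpn-access"], "subGroups": []},
        {"name": "keycloak-admins", "path": "/keycloak-admins",
         "realmRoles": ["realm-operator"], "subGroups": []},
    ],
})
# Constructed sample: group names currently present in the directory.
SAMPLE_LDAP_GROUPS = ["Engineering", "platform"]


def walk_groups(groups, parent=""):
    """Yield (path, group) for every group, descending into subGroups."""
    for group in groups or []:
        path = group.get("path") or f"{parent}/{group['name']}"
        yield path, group
        yield from walk_groups(group.get("subGroups"), path)


def find_stale_groups(realm_export_json, ldap_group_names, local_groups=()):
    """Return sorted (path, realm roles) for groups missing from LDAP.

    local_groups names groups created in Keycloak itself; this script cannot
    tell where a group came from, so they must be listed explicitly.
    """
    realm = json.loads(realm_export_json)
    # Assumption: group names compare case-insensitively, as LDAP cn values usually do.
    known = {n.casefold() for n in ldap_group_names}
    known |= {n.casefold() for n in local_groups}
    stale = []
    for path, group in walk_groups(realm.get("groups")):
        if group["name"].casefold() not in known:
            stale.append((path, sorted(group.get("realmRoles") or [])))
    return sorted(stale)


if __name__ == "__main__":
    for path, roles in find_stale_groups(SAMPLE_REALM_EXPORT, SAMPLE_LDAP_GROUPS,
                                         local_groups=["keycloak-admins"]):
        print(f"stale group {path} still grants realm roles: {roles}")
```
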