<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/03/16 13:48, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAeQmAYA_XTzkorVqU9pqBpK_G=UVqqQUjNO=Ej0am9yCg@mail.gmail.com"
      type="cite">
      <div dir="ltr">As it stands Keycloak syncs this to its own
        database and as the export is a dump of the database it wouldn't
        work to remove it. In the future we are planning on providing an
        option to use LDAP without syncing to the Keycloak database.
        It'll be a while till we get to it though.
        <div><br>
        </div>
        <div>With regards to the deletion of groups synced from LDAP I'm
          not sure how we do that for roles either, I believe the roles
          remain as well. Maybe Marek can comment on this?</div>
      </div>
    </blockquote>
    Yeah, both groups and roles currently remain. You can create a JIRA to
    request removing them; however, I'm not sure when it will be done.
    Currently there are some limitations like:<br>
    <br>
    * We don't have any proper federation SPI for roles or groups. So we
    just create roles/groups from LDAP but we don't track which
    roles/groups belong to LDAP. This would require adding some
    attribute like "federationLink" to both roles and groups, or at
    least some generic attribute (accessible via
    setAttribute/getAttribute - but this won't work for roles as
    RoleModel doesn't have attributes ATM).<br>
    <br>
    * There is no easy way to track roles/groups removed from LDAP. It
    may require querying all groups from the Keycloak DB and double-checking
    if a particular group still exists in LDAP. Similarly, during sync of
    users, we don't currently remove users which were removed from LDAP
    in the meantime (the user is deleted later once it's queried by
    Keycloak). There is an easy and generic way to send a query to LDAP
    like "Return all users (groups, roles) created or modified since
    2015-02-15 10:00:00" but there is no query to track removed objects.
    Some LDAP servers support changelogs though, but this is vendor
    specific AFAIK.<br>
    <br>
    * Finally there are various other corner cases, so automatically
    deleting synced roles/groups is maybe not a good idea anyway. It will
    need to be configurable IMO.<br>
    <br>
    Btw. if you quickly want to remove groups, you can create a subclass of
    GroupLDAPFederationMapper and override the method
    "syncDataFromFederationProviderToKeycloak()". You don't need to
    deal with corner cases as you can do it in the best way according to
    the requirements of your deployment.<br>
    <br>
    Marek<br>
    <br>
    <blockquote
cite="mid:CAJgngAeQmAYA_XTzkorVqU9pqBpK_G=UVqqQUjNO=Ej0am9yCg@mail.gmail.com"
      type="cite">
      <div class="gmail_extra">
        <div class="gmail_quote">On 2 March 2016 at 13:33, Edgar Vonk -
          Info.nl <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:Edgar@info.nl" target="_blank">Edgar@info.nl</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="word-wrap:break-word">
              Hi Stian,
              <div><br>
              </div>
              <div>I understand. And typically this would indeed be what
                you want. However in our specific case groups are not
                part of our realm data as such but belong to our
                run-time data and are managed in exactly the same way as
                our users, role mappings and group mappings. But I guess
                you cannot cater for all needs so it’s ok.</div>
              <div><br>
              </div>
              <div>Another, probably related thing, is that with the
                LDAP group synching (using the user federation group
                mapper) groups synched from LDAP to Keycloak are never
                removed from Keycloak. When a group is deleted from LDAP
                and the sync is done again the group remains in
                Keycloak. Not what you want but I guess the issue is
                that Keycloak cannot make the distinction between a
                group synched from LDAP versus a group created from
                Keycloak itself? The LDAP group mapping is set up quite
                different from the user synching of course.</div>
              <div><br>
              </div>
              <div>cheers</div>
              <div>
                <div class="h5">
                  <div><br>
                    <div>
                      <blockquote type="cite">
                        <div>On 02 Mar 2016, at 13:25, Stian Thorgersen
                          &lt;<a moz-do-not-send="true"
                            href="mailto:sthorger@redhat.com"
                            target="_blank">sthorger@redhat.com</a>&gt;
                          wrote:</div>
                        <br>
                        <div>
                          <div dir="ltr">Roles and groups should be
                            exported to the realm export, while role
                            mappings and group mappings should be
                            exported to the user export.</div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On 2 March 2016 at
                              13:15, Edgar Vonk - <a
                                moz-do-not-send="true"
                                href="http://info.nl" target="_blank">
                                Info.nl</a> <span dir="ltr">&lt;<a
                                  moz-do-not-send="true"
                                  href="mailto:Edgar@info.nl"
                                  target="_blank">Edgar@info.nl</a>&gt;</span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                Hi,<br>
                                <br>
                                We notice that when we export our custom
                                realm to a JSON file (to a directory)
                                that this file also contains all User
                                Groups. We do not want this as we
                                synchronise these User Groups from
                                AD/LDAP just like our users. We want to
                                have realm configuration in the realm
                                JSON file only and not any ‘run-time’
                                managed data such as users and user
                                groups.<br>
                                <br>
                                Currently only users are exported to a
                                 different JSON file (<a
                                   moz-do-not-send="true"
                                   href="http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html"
                                   rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html</a>)
                                but groups are not. Does it make sense
                                to create a feature request to also
                                export user groups separately?<br>
                                <br>
                                We have hundreds of groups in AD/LDAP
                                which we sync to Keycloak so we really
                                do not want these in the realm JSON.<br>
                                <br>
                                cheers<br>
                                <br>
                                Edgar<br>
                                <br>
_______________________________________________<br>
                                keycloak-user mailing list<br>
                                <a moz-do-not-send="true"
                                  href="mailto:keycloak-user@lists.jboss.org"
                                  target="_blank">keycloak-user@lists.jboss.org</a><br>
                                <a moz-do-not-send="true"
                                  href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                                  rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
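    The reconciliation Marek sketches above (query every group the Keycloak
    DB knows, double-check each one against LDAP, and make deletion of the
    missing ones a configurable option) is illustrated by the following added
    example. It is not Keycloak code and does not use the Keycloak API; it
    models the logic with in-memory data. The <code>federationLink</code>
    attribute is the marker the thread proposes for telling LDAP-synced
    groups apart from locally created ones, the provider id
    <code>ldap-1</code> and the group names are constructed sample values,
    and the "refuse to delete when LDAP returns nothing" guard is an
    assumption added here, not something the thread specifies. The
    <code>modified_since_filter</code> helper shows the standard
    <code>createTimestamp</code>/<code>modifyTimestamp</code> search filter
    behind the "created or modified since" query Marek mentions, which is
    precisely the query that can never report deletions.<br>
    <br>

```python
"""Reconciling LDAP-synced groups against a local (Keycloak-style) group list.

Added illustration, independent of Keycloak's own classes: it models the
approach described in the thread with plain in-memory data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, List, Tuple


@dataclass
class Group:
    """Minimal stand-in for a Keycloak group: a name plus free-form attributes."""
    name: str
    attributes: dict = field(default_factory=dict)


# Constructed sample data: three groups synced from a hypothetical LDAP
# provider "ldap-1" (marked with the proposed federationLink attribute) and
# one created locally in Keycloak, which a reconciliation run must never delete.
SAMPLE_KEYCLOAK_GROUPS = [
    Group("admins", {"federationLink": "ldap-1"}),
    Group("developers", {"federationLink": "ldap-1"}),
    Group("legacy-ops", {"federationLink": "ldap-1"}),
    Group("local-testers"),
]
# Constructed: what a fresh LDAP group search returns today ("legacy-ops" is gone).
SAMPLE_LDAP_GROUP_NAMES = ["admins", "developers"]
# Constructed: the timestamp used in the thread's example query.
SAMPLE_SINCE = datetime(2015, 2, 15, 10, 0, 0)


def modified_since_filter(since: datetime, object_class: str = "groupOfNames") -> str:
    """Build the "created or modified since" LDAP search filter the thread mentions.

    createTimestamp/modifyTimestamp are standard operational attributes in
    generalized-time form (YYYYMMDDHHMMSSZ). The filter supports incremental
    sync of additions and changes but can never report deleted entries, which
    is why a separate reconciliation pass is needed.
    """
    stamp = since.strftime("%Y%m%d%H%M%SZ")
    return (
        f"(&(objectClass={object_class})"
        f"(|(createTimestamp>={stamp})(modifyTimestamp>={stamp})))"
    )


def stale_groups(keycloak_groups: Iterable[Group], ldap_group_names: Iterable[str],
                 provider_id: str, min_ldap_groups: int = 1) -> List[Group]:
    """Groups that were synced from provider_id but no longer exist in LDAP.

    Only groups whose federationLink equals provider_id are candidates, so
    groups created in Keycloak itself are never touched. If LDAP returned fewer
    than min_ldap_groups entries the result is treated as unreliable (outage,
    wrong base DN, bad filter) and nothing is reported; this guard is an
    assumption added here, not something the thread specifies.
    """
    ldap_names = set(ldap_group_names)
    if len(ldap_names) < min_ldap_groups:
        return []
    return [
        g for g in keycloak_groups
        if g.attributes.get("federationLink") == provider_id and g.name not in ldap_names
    ]


def reconcile(keycloak_groups: List[Group], ldap_group_names: Iterable[str],
              provider_id: str, remove_stale: bool = False) -> Tuple[List[Group], List[str]]:
    """Return (groups to keep, names of stale groups).

    remove_stale is the configurable switch the thread asks for: when it is
    off, stale groups are only reported; when it is on, they are dropped.
    """
    stale = stale_groups(keycloak_groups, ldap_group_names, provider_id)
    stale_names = [g.name for g in stale]
    if not remove_stale:
        return list(keycloak_groups), stale_names
    return [g for g in keycloak_groups if g.name not in stale_names], stale_names


if __name__ == "__main__":
    print(modified_since_filter(SAMPLE_SINCE))
    kept, stale = reconcile(SAMPLE_KEYCLOAK_GROUPS, SAMPLE_LDAP_GROUP_NAMES,
                            "ldap-1", remove_stale=True)
    print("stale:", stale, "kept:", [g.name for g in kept])
```

    Running the module reports <code>legacy-ops</code> as stale and keeps the
    locally created <code>local-testers</code> group untouched; with
    <code>remove_stale</code> left at its default the stale group is only
    listed, which is the safe default for a deployment that has not yet
    reviewed its own corner cases.<br>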
    <br>
  </body>
</html>