<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Awesome! Will sync that code and give it a try.</div>
<div><br>
</div>
<div>-Jason</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Marek Posolda <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, March 11, 2016 at 1:38 PM<br>
<span style="font-weight:bold">To: </span>Jason Axley <<a href="mailto:jaxley@expedia.com">jaxley@expedia.com</a>>, "<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Key cloak LDAP pagination for fetching groups?<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Other user created JIRA already for 1000 limit pagination [1] and I've created another for "lazy" synchronization of just groups, which user is member of (Lazy will work just if "Preserve group inheritance" of group mapper is off).
PR incoming for both issues.<br>
<br>
[1] <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2640">
https://issues.jboss.org/browse/KEYCLOAK-2640</a><br>
[2] <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2655">
https://issues.jboss.org/browse/KEYCLOAK-2655</a><br>
<br>
Marek<br>
<br>
On 11/03/16 17:51, Jason Axley wrote:<br>
</div>
<blockquote cite="mid:DD5C03B6-91DE-4C76-9CD1-73B05540FC86@expedia.com" type="cite">
<div>Active Directory sets a max page size by default of 1000 entries. I’m seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP . Is it supposed to support pagination?</div>
<div><br>
</div>
<div>The method seeing this limit is in GroupLDAPFederationMapper.java:</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">public </span><span style="background-color:#344134;">UserFederationSyncResult</span> <span style="color:#ffc66d;">syncDataFromFederationProviderToKeycloak</span>() {
</pre>
</div>
<div>LDAPQuery.java method</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">public </span>List<LDAPObject> <span style="background-color:#344134;">getResultList</span>() {
</pre>
</div>
<div>Calls LDAPQuery.java fetchQueryResults()</div>
<div><br>
</div>
<div>Which has this condition to check for pagination:</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">if </span>(getConfig().isPagination() && <span style="background-color:#344134;">identityQuery</span>.getLimit() > <span style="color:#6897bb;">0</span>) {
</pre>
</div>
<div>I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries? </div>
<div><br>
</div>
<div>What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.</div>
<div><br>
</div>
<div>I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups? I’d love to not have every group in
the system anyhow as it gets really unwieldy in the UI.</div>
<div><br>
</div>
<div>
<div id="">
<div style="font-size: 14px;">
<div>-Jason</div>
</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt; background-color: white;">
<b><span style="font-size: 10pt; font-family: Arial,
sans-serif; color: rgb(23, 54, 93);">Jason Axley</span></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt;
background-color: white;">
<span style="font-family: Arial,
sans-serif; color: rgb(227, 108, 10);"><font size="2">Sr. Security Engineer, Expedia Worldwide Engineering Team<o:p></o:p></font></span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;">
<span style="font-size: 8pt; color: rgb(31, 73,
125);">425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)<o:p></o:p></span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;">
<span style="font-size: 8pt; color: rgb(31, 73,
125);">333 108th Ave NE, 9S-282, Bellevue, WA 98004</span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in
0.0001pt;">
<span style="font-size: 8pt; color: rgb(31, 73,
125);"><a moz-do-not-send="true" href="https://confluence/display/POS/EWE+Security">EWE Security Wiki</a></span></p>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</div>
</span>
</body>
</html>