<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Active Directory sets a max page size by default of 1000 entries. I’m seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed to support pagination?</div>
<div><br>
</div>
<div>The method seeing this limit is in GroupLDAPFederationMapper.java:</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">public </span><span style="background-color:#344134;">UserFederationSyncResult</span> <span style="color:#ffc66d;">syncDataFromFederationProviderToKeycloak</span>() {<br></pre>
</div>
<div>LDAPQuery.java method</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">public </span>List&lt;LDAPObject&gt; <span style="background-color:#344134;">getResultList</span>() {<br></pre>
</div>
<div>Calls LDAPQuery.java fetchQueryResults()</div>
<div><br>
</div>
<div>Which has this condition to check for pagination:</div>
<div>
<pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Menlo';font-size:9.0pt;"><span style="color:#cc7832;">if </span>(getConfig().isPagination() && <span style="background-color:#344134;">identityQuery</span>.getLimit() > <span style="color:#6897bb;">0</span>) {<br></pre>
</div>
<div>I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries? </div>
<div><br>
</div>
<div>What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.</div>
<div><br>
</div>
<div>I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups? I’d love to not have every group in
the system anyhow as it gets really unwieldy in the UI.</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div style="font-size: 14px;">
<div>-Jason</div>
</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in 0.0001pt; background-color: white;">
<b><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(23, 54, 93);">Jason Axley</span></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; background-color: white;"><span style="font-family: Arial, sans-serif; color: rgb(227, 108, 10);"><font size="2">Sr. Security Engineer, Expedia Worldwide Engineering Team<o:p></o:p></font></span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in 0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73, 125);">425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)<o:p></o:p></span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in 0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73, 125);">333 108th Ave NE, 9S-282, Bellevue, WA 98004</span></p>
<p class="MsoNormal" style="font-size: 11pt; margin: 0in 0in 0.0001pt;"><span style="font-size: 8pt; color: rgb(31, 73, 125);"><a href="https://confluence/display/POS/EWE+Security">EWE Security Wiki</a></span></p>
</div>
</div>
</div>
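<div>Added example (not part of the message above, and not Keycloak code): a small Python simulation of the behaviour Jason describes. A constructed in-memory directory enforces an Active Directory style MaxPageSize of 1000 and supports an RFC 2696 style paged-results cookie; the client function mirrors the <code>isPagination() &amp;&amp; getLimit() &gt; 0</code> condition quoted from LDAPQuery.java, so you can see that with pagination enabled but a limit of 0 the search is never paged and silently stops at 1000 groups, while a positive page size walks every page. The directory, group names and cookie format are all constructed for the simulation.</div>

```python
"""Constructed simulation of AD's MaxPageSize limit and an RFC 2696 paged-results loop."""
from dataclasses import dataclass
from typing import List, Tuple

AD_MAX_PAGE_SIZE = 1000  # Active Directory's default LDAP policy MaxPageSize


@dataclass
class SearchResult:
    entries: List[str]
    cookie: bytes              # empty cookie == no further pages (RFC 2696)
    size_limit_exceeded: bool  # server signalled truncation of an unpaged search


class FakeDirectory:
    """Constructed stand-in for a domain controller; not a real LDAP server."""

    def __init__(self, n_groups: int) -> None:
        # Constructed sample data: n_groups group DNs.
        self._groups = [f"CN=group-{i:04d},OU=Groups,DC=example,DC=com" for i in range(n_groups)]

    def search(self, page_size: int = 0, cookie: bytes = b"") -> SearchResult:
        if page_size <= 0:
            # No paged-results control: at most MaxPageSize entries come back and
            # the server flags sizeLimitExceeded; the rest are simply not returned.
            chunk = self._groups[:AD_MAX_PAGE_SIZE]
            return SearchResult(chunk, b"", len(self._groups) > AD_MAX_PAGE_SIZE)
        page_size = min(page_size, AD_MAX_PAGE_SIZE)  # server clamps oversized pages
        start = int.from_bytes(cookie, "big") if cookie else 0
        chunk = self._groups[start:start + page_size]
        end = start + len(chunk)
        # The cookie is opaque to clients; here it is just the next offset.
        next_cookie = end.to_bytes(4, "big") if end < len(self._groups) else b""
        return SearchResult(chunk, next_cookie, False)


def fetch_groups(directory: FakeDirectory, pagination_enabled: bool, limit: int) -> Tuple[List[str], bool]:
    """Mirror of the quoted LDAPQuery condition: page only if pagination is on AND limit > 0.

    Returns (groups, truncated) so a caller can detect a silently shortened result.
    """
    if pagination_enabled and limit > 0:
        groups: List[str] = []
        cookie = b""
        while True:
            page = directory.search(page_size=limit, cookie=cookie)
            groups.extend(page.entries)
            cookie = page.cookie
            if not cookie:
                return groups, False
    # Pagination disabled, or enabled with limit == 0: one unpaged search.
    result = directory.search()
    return result.entries, result.size_limit_exceeded


if __name__ == "__main__":
    directory = FakeDirectory(2500)
    for enabled, limit in ((True, 0), (False, 500), (True, 500)):
        groups, truncated = fetch_groups(directory, enabled, limit)
        print(f"pagination={enabled} limit={limit}: {len(groups)} groups, truncated={truncated}")
```

<div>Running it prints 1000 groups with truncated=True for the pagination-on/limit-0 case (the configuration described in the message), and all 2500 for a positive page size. The truncated flag is the check worth surfacing in a sync job: a group sync that stops exactly at the server's page size without an error is the condition that leaves users missing memberships.</div>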
</body>
</html>