<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:"Times New Roman \, serif";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F4E79;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p><span style="font-size:9.0pt;font-family:'Arial','sans-serif'">Classification: INTERNAL<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I meant the Authorization features that have an auto-complete search on pages like Evaluate (under Authorization) and Add Policy User Based.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">For e.g.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img width="830" height="382" id="Picture_x0020_1" src="cid:image001.png@01D1EE8A.A1B86990" alt="cid:image001.png@01D1EE8A.A1B86990"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If I just access this page, without initiating a search by typing something in Users, a call is made to /auth/admin/realms/servlet-authz/users, which loads all users.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Here’s a snippet of the response which shows 898 users returned.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img width="678" height="725" id="Picture_x0020_2" src="cid:image002.png@01D1EE8A.DE2EC680" alt="cid:image002.png@01D1EE8A.DE2EC680"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I believe this user data should be fetched only based on a search criteria, and that too from the SQL cache, instead of going to AD.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards, Ushanas.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Bill Burke [mailto:bburke@redhat.com]
<br>
<b>Sent:</b> Thursday, August 04, 2016 7:46 PM<br>
<b>To:</b> Ushanas Shastri; keycloak-user@lists.jboss.org<br>
<b>Subject:</b> Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Again, are you just talking about the Admin Console? Please list exactly what actions load thousands of users.
<o:p></o:p></p>
<p>* In the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.<o:p></o:p></p>
<p>* View All Users will *NOT* query LDAP. It will only show imported users aka users that have already been imported from LDAP.<o:p></o:p></p>
<p>I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User based Policy?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 8/4/16 10:05 AM, Ushanas Shastri wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Not just when I manage Users.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Even in the Evaluation screen or in the User based Policy (any place we show a list of users), on page load, all users are fetched.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Even if users have to be queried from all providers, shouldn’t we wait for the user to enter a search criteria, and only then query based on that search criteria? At the moment, if I have 1000 users in AD,
on each page load 1000 users are fetched from AD, without even me attempting a search.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards, Ushanas.</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext">
<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a> [<a href="mailto:keycloak-user-bounces@lists.jboss.org">mailto:keycloak-user-bounces@lists.jboss.org</a>]
<b>On Behalf Of </b>Bill Burke<br>
<b>Sent:</b> Thursday, August 04, 2016 6:50 PM<br>
<b>To:</b> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>You mean when you manage the users from the Admin Console? The searchbox is meant to be a general pattern and is equivalent to a LIKE clause in RDBMS. So this means all providers must be queried.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/4/16 7:54 AM, Ushanas Shastri wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F4E79">Hello,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">We have Keycloak setup with SQL Server as a persistent store, and we have User Federation enabled with Microsoft Active Directory.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">Why does Keycloak go back to querying AD on every page load (Manage-> Users or the Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store only?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">I’m seeing that on the page load, Keycloak gets a list of all users from AD. Considering we have a large number of users, this is time consuming. Don’t know if it matters, but we do have an AD filter.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F4E79">Regards, Ushanas.</span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Viteos Fund Services Ltd |
</span></b><a href="http://www.viteosfundservices.com/" target="_blank"><span style="font-size:10.0pt;color:blue">www.viteos.com</span></a><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt">Direct :</span></b><span style="font-size:10.0pt"> +91-22-61082230 | US : +1- 888-821-7561 extn 240</span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Cell :</span></b><span style="font-size:10.0pt"> +91-9820225580</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Email : <a href="mailto:ushanas.shastri@viteos.com">
<span style="color:blue">ushanas.shastri@viteos.com</span></a></span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p>This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete
it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market
Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized
to state them to be the views of any such entity.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:'Times New Roman , serif','serif'"><br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>keycloak-user mailing list<o:p></o:p></pre>
<pre><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><o:p></o:p></pre>
<pre><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p></o:p></pre>
</blockquote>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"><o:p>&nbsp;</o:p></span></p>
</div>
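<p>An added example, not part of the original thread and not Keycloak code: it classifies admin-console requests captured from browser dev tools or an access log, flagging the unfiltered <code>/users</code> call described above, and builds the capped search request an autocomplete could send instead. The function names, the two-character minimum, the page size of 20, the <code>keycloak.example</code> origin and the sample requests are assumptions made for illustration.</p>

```javascript
// Added example, not Keycloak code. Names and thresholds below are hypothetical.
const USERS_PATH = /^\/auth\/admin\/realms\/([^/]+)\/users\/?$/;
// Filter parameters accepted by the admin REST users listing.
const FILTER_PARAMS = ["search", "username", "email", "firstName", "lastName"];

// Classify one captured admin-console request URL (absolute or path-only).
function classifyUsersCall(rawUrl) {
  const url = new URL(rawUrl, "https://keycloak.example"); // placeholder origin
  const m = USERS_PATH.exec(url.pathname);
  if (!m) return { kind: "other" };
  const filtered = FILTER_PARAMS.some(
    (p) => (url.searchParams.get(p) || "").trim() !== ""
  );
  const max = Number.parseInt(url.searchParams.get("max") || "", 10);
  const bounded = Number.isInteger(max) && max > 0;
  const kind = filtered && bounded ? "bounded-search"
    : filtered ? "unpaged-search"
    : bounded ? "paged-listing"
    : "full-listing"; // no filter, no cap: every user comes back
  return { kind, realm: decodeURIComponent(m[1]) };
}

// Request an autocomplete could send: nothing until a term is typed, then a capped search.
function buildUserSearch(realm, term, max = 20) {
  const q = (term || "").trim();
  if (q.length < 2) return null; // assumed minimum term length; page load sends nothing
  const qs = new URLSearchParams({ search: q, first: "0", max: String(max) });
  return `/auth/admin/realms/${encodeURIComponent(realm)}/users?${qs}`;
}

// Constructed sample of captured requests; the first is the call reported in the thread.
const SAMPLE_REQUESTS = [
  "/auth/admin/realms/servlet-authz/users",
  "/auth/admin/realms/servlet-authz/users?search=ush&first=0&max=20",
  "/auth/admin/realms/servlet-authz/users?first=0&max=20",
  "/auth/admin/realms/servlet-authz/clients",
];

// Return only the requests that would pull the whole user list.
function fullListings(urls) {
  return urls.filter((u) => classifyUsersCall(u).kind === "full-listing");
}
```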
</body>
</html>