On 12/5/16 5:01 AM, Marek Posolda wrote:
> On 02/12/16 15:26, Bill Burke wrote:
> > Providers are supposed to throw a ReadOnlyException in this scenario. I
> > don't know if the LDAP provider handles this well. I was a bit confused
> > on how it worked, it seems like if a mapper is read-only, it allows you
> > to edit the change in the import. Basically unsynced mode.
> Yes, the current read-only mode for GroupMapper is de facto "unsynced".
> It allows you to add new group memberships, but those memberships are
> saved in Keycloak DB, not in LDAP itself. So the group membership is
> the merge of memberships from DB and from LDAP. Removing a group
> membership that is saved in LDAP throws an exception.
> I am going to add a new mode "read-only" and rename the current
> read-only mode to "unsynced" to be better aligned with the modes for
> userStorage. Created
> https://issues.jboss.org/browse/KEYCLOAK-4025
Don't forget to edit the migration script to handle this.