Re: [keycloak-dev] federation commited need feedback

On 24.7.2014 15:21, Bill Burke wrote: > > > On 7/24/2014 5:31 AM, Marek Posolda wrote: >> Great stuff, some feedback inline >> >> On 23.7.2014 23:33, Bill Burke wrote: >>> First iteration is commited. I still have a lot to do. >>> >>> * AuthenticationProvider currently co-exists with Federation. I will >>> delete it after the review of FederationProvider. >>> * UserModel is proxied. Some updates delegated to LDAP. Need to >>> expand. >>> * Still need to do admin console UI for federation >>> * Still need to implement search and other queries for LDAP >>> * Still need to test disjoint credential type storage. >>> >>> Feedback on unimplemented features for LDAP: >>> * registration supported switch. >>> * Importing username and email will be required. Everything else will >>> be optional. That cool? >> yeah. Not directly related but I wonder if federationLink on UserModel >> is sufficient? For example if user "john" is deleted in LDAP and then >> user with same username "john" is added again to LDAP, it's defacto >> different user but the Keycloak user "john" will be linked to the "new" >> LDAP john. Hence AuthLinkModel had link to provider and also uuid of >> user from LDAP. > > This is an implementation detail and shouldn't really be exposed > through the Model API. Ok, but how you would handle the case when user "john" is deleted in LDAP and then different user with same username "john" created again? Current LDAPFederationProvider will treat them in Keycloak as same user even if they are not.

> I haven't actually tested or even executed searches yet. Thanks for > pointing outthe bugs. I don't know if bug is correct word. IMO Federation+pagination can't never properly work (without syncing all LDAP users into local storage first). I would be happy if I am wrong:-)