On 12/5/16 5:01 AM, Marek Posolda wrote:
> On 02/12/16 15:26, Bill Burke wrote:
>> Providers are supposed to throw a ReadOnlyException in this scenario. I
>> don't know if the LDAP provider handles this well. I was a bit confused
>> on how it worked, it seems like if a mapper is read-only, it allows you
>> to edit the change in the import. Basically unsynced mode.
> Yes, the current read-only mode for GroupMapper is de facto
> "unsynced". It allows you to add new group memberships, but those
> memberships are saved in Keycloak DB, not in LDAP itself. So the
> group membership is the merge of memberships from DB and from LDAP.
> Removing group membership, which is saved in LDAP, throws an exception.
>
> I am going to add a new mode "read-only" and rename the current
> read-only mode to "unsynced" to be better aligned with the modes for
> userStorage. Created https://issues.jboss.org/browse/KEYCLOAK-4025
Don't forget to edit the migration script to handle this.
Yeah, sure. I have the migration in mind.
Marek