Great stuff.
On 8/10/2014 6:09 PM, Marek Posolda wrote:
Hi,
I've pushed support for bulk sync of users from an external store (like
LDAP) to the local store. A summary of the changes:
- Added 2 new methods to UserFederationProviderFactory: syncAllUsers
(syncs all users from the external store to the local store) and
syncChangedUsers (syncs just the users which were changed; requires that
the external store supports changelogs).
- Implementation for LDAP which allows both "full" and "changed" sync.
It's possible to track users which were created or updated on the LDAP
server since some specified time. Unfortunately it is not easily possible
to track removed LDAP users.
- Support for periodic sync. You can specify for each FederationProvider
how often it should do syncAllUsers and how often syncChangedUsers. It's
possible to specify a different period for each UserFederationProviderModel,
so for example realm1 can sync from Active Directory once per day while
realm2 syncs from OpenDS LDAP just once per week, etc. Also, if you update
or delete a UserFederationProviderModel, the sync task will be
updated/cancelled as well (I've added support to BasicTimer for cancelling
previously scheduled tasks).
Remaining work:
* Support in the admin console. I plan to add buttons which will allow
the admin to trigger either syncAllUsers or syncChangedUsers from the admin
console. Also new options to specify periods for fullSync and
"changedSync". For LDAP, I will need to add an option for batch size
(the number of LDAP users to be downloaded per batch (page); each batch
is processed in a separate transaction).
* For now, I've added just sync from the external store to Keycloak. Do we
need 2-way sync? For example, if people have WRITABLE mode for their
Federation Provider, then changes to a particular user done by Keycloak
are immediately written to the 3rd party store anyway?
* As I mentioned, syncChangedUsers for LDAP is able to track created
and updated LDAP users but not removed ones. I wonder if it's a good idea
that during full sync, Keycloak checks whether all local users with LDAP
links are still valid and deletes those which are not? Or is it ok to just
rely on the FederationProvider to handle this?
* Sync/Federation of roles? Right now both FederationProvider and Sync
do just syncing of users, but not roles or role mappings. I wonder whether
people probably also want to sync their LDAP roles into Keycloak, and role
mappings too. This might be quite tricky though, as Federation just deals
with UserProvider, but syncing roles from LDAP will require some updates
to RealmProvider too. Probably not doable for 1.0.Final though...
Just create tasks for stuff for 1.1. We'll wait for feedback on these
LDAP features from community. We need to start closing out our JIRAs
for RC-1 and 1.0.Final.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
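Added example, not Keycloak's code and independent of its actual UserFederationProviderFactory API: a Python sketch of the two sync modes described in the thread, including the reconciliation step asked about for full sync, where local accounts whose LDAP link no longer resolves are disabled so that a user removed from the directory does not keep a working Keycloak account. LdapEntry, LocalUser, the sample DNs and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
@dataclass(frozen=True)
class LdapEntry:
    dn: str
    uid: str
    modify_ts: datetime            # the directory's modifyTimestamp attribute

@dataclass
class LocalUser:
    username: str
    ldap_dn: Optional[str] = None  # federation link; None for a purely local account
    enabled: bool = True

def changed_since(entries, since):
    """syncChangedUsers: entries created or modified after `since`. A deleted
    entry leaves no timestamp to compare, so removals are invisible here."""
    return [e for e in entries if e.modify_ts > since]

def full_sync(local, entries, batch_size):
    """syncAllUsers: upsert entries in batches (one transaction per batch in the
    design), then disable local users whose LDAP link points at a vanished DN."""
    imported = 0
    for start in range(0, len(entries), batch_size):
        for e in entries[start:start + batch_size]:
            user = local.get(e.uid)
            if user is None:
                local[e.uid] = LocalUser(e.uid, e.dn)
            else:
                user.ldap_dn = e.dn
            imported += 1
    live_dns = {e.dn for e in entries}
    orphans = sorted(u.username for u in local.values()
                     if u.ldap_dn is not None and u.ldap_dn not in live_dns)
    for name in orphans:
        local[name].enabled = False  # disable, not delete: reversible and auditable
    return imported, orphans

PEOPLE = "ou=people,dc=example,dc=org"
SAMPLE_LDAP = [                     # constructed directory contents
    LdapEntry(f"uid=alice,{PEOPLE}", "alice", datetime(2014, 7, 20)),
    LdapEntry(f"uid=bob,{PEOPLE}", "bob", datetime(2014, 8, 5)),
    LdapEntry(f"uid=carol,{PEOPLE}", "carol", datetime(2014, 8, 9)),
]
SAMPLE_LOCAL = {                    # constructed local store after an earlier sync
    "alice": LocalUser("alice", f"uid=alice,{PEOPLE}"),
    "dave": LocalUser("dave", f"uid=dave,{PEOPLE}"),  # since removed from LDAP
    "admin": LocalUser("admin"),                      # no link: never touched
}
```

Run as `full_sync(SAMPLE_LOCAL, SAMPLE_LDAP, batch_size=2)`: alice is refreshed, bob and carol are imported, dave is reported as an orphan and disabled, and the unlinked admin account is untouched.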