Regarding the AuthZ UI, I've created
https://issues.jboss.org/browse/KEYCLOAK-3398.
For the user policy, we are loading *all* users when the page is loaded. I will fix this
and also other parts of the UI where data is being eager loaded.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Ushanas Shastri" <ushanas.shastri(a)viteos.com>,
keycloak-user(a)lists.jboss.org
Sent: Thursday, August 4, 2016 11:16:16 AM
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not
use local store.
Again, are you just talking about the Admin Console? Please list exactly what actions load
thousands of users.
* In the admin console Users page, if you search for a user, LDAP will be queried once by
username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users aka users that
have already been imported from LDAP.
I'm not sure about the new Authorization stuff. Is this what you mean by the
Evaluation screen or in the User base Policy?
On 8/4/16 10:05 AM, Ushanas Shastri wrote:
Classification: INTERNAL
Not just when I manage Users.
Even in the Evaluation screen or in the User based Policy (any place we show a list of
users), on page load, all users are fetched.
Even if users have to be queried from all providers, shouldn’t we wait for the user to
enter a search criteria, and only then query based on that search criteria? At the moment,
if I have a 1000 users in AD, on each page load 1000 users are fetched from AD, without
even me attempting a search.
Regards, Ushanas.
From: keycloak-user-bounces(a)lists.jboss.org On Behalf Of Bill Burke
Sent: Thursday, August 04, 2016 6:50 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not
use local store.
You mean when you manage the users from the Admin Console? The searchbox is meant to be a
general pattern and is equivalent to a LIKE clause in RDBMS. So this means all providers
must be queried.
On 8/4/16 7:54 AM, Ushanas Shastri wrote:
Classification: INTERNAL
Hello,
We have Keycloak setup with SQL Server as a persistent store, and we have User Federation
enabled with Microsoft Active Directory.
Why does Keycloak go back to querying AD on every page load (Manage -> Users or the
Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store
only?
I’m seeing that on the page load, Keycloak gets a list of all users from AD. Considering
we have a large number of users, this is time consuming. Don’t know if it matters, but we
do have an AD filter.
Regards, Ushanas.
Viteos Fund Services Ltd |
www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri(a)viteos.com
This message is for the named person's use only. It may contain confidential,
proprietary or legally privileged information. No confidentiality or privilege is waived
or lost by any mis-transmission. If you receive this message in error, please
immediately delete it and all copies of it from your system, destroy any hard copies of it
and notify the sender. You must not, directly or indirectly, use, disclose, distribute,
print, or copy any part of this message if you are not the intended recipient. Viteos
Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor
all e-mail communications through its networks. Any views expressed in this message are
those of the individual sender, except where the message states otherwise and the sender
is authorized to state them to be the views of any such entity.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user