Hi Thomas,
On 15/01/2019 12:32, Thomas Darimont wrote:
Hello,
currently, Keycloak (up to 4.8.2) does not handle the case where a user is
deleted in the federated user-store when the built-in LDAP / AD federation
provider is used.
The relevant code is located within the LDAPStorageProviderFactory:
https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9...
There is a TODO which reads:
// TODO: Remove all existing Keycloak users, which have federation links,
but are not in LDAP. Perhaps don't check users, which were just added or
updated during this sync?
I wonder what would be the right thing to do in this case...
If the federated user-store dictates the truth, then IMHO the right thing
to do would be to also delete the user that is associated with the
user-storage provider federation link in Keycloak, if the linked AD / LDAP
user was deleted.
Yes, when you click the "Sync users" button, the users which were
deleted in LDAP won't be directly deleted in Keycloak. However, when you
do any action in Keycloak related to that particular user (e.g. attempt
to log in as that user or search for the user from the admin console), then the user
will be deleted from the Keycloak DB and can't be seen in Keycloak anymore.
See the UserStorageManager.importValidation and LDAPStorageProvider.validate
methods.
Marek
How do you handle this situation in your systems?
Cheers,
Thomas
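The behaviour Marek describes, modelled as an added example that is not Keycloak's own code: a "sync" that imports and updates but never removes, a lazy validation step that drops a federation-linked user on first access once the LDAP entry is gone, and an audit helper that lists the stale accounts a sync leaves behind. The class and method names below are a constructed model of the real UserStorageManager.importValidation / LDAPStorageProvider.validate flow, not Keycloak's API.

```python
"""Model of Keycloak's lazy handling of LDAP-deleted users (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class LocalUser:
    username: str
    federation_link: Optional[str] = None  # storage provider id; None for local accounts


@dataclass
class LdapDirectory:
    entries: Set[str]  # usernames currently present in LDAP / AD

    def validate(self, username: str) -> bool:
        # Stand-in for LDAPStorageProvider.validate: does the entry still exist?
        return username in self.entries


class KeycloakModel:
    def __init__(self, ldap: LdapDirectory, provider_id: str = "ldap-provider"):
        self.ldap = ldap
        self.provider_id = provider_id
        self.db: Dict[str, LocalUser] = {}  # the Keycloak user DB

    def sync_users(self) -> None:
        # Mirrors the "Sync users" path: imports and updates, never removes.
        for name in self.ldap.entries:
            self.db[name] = LocalUser(name, self.provider_id)

    def import_validation(self, username: str) -> Optional[LocalUser]:
        # Mirrors UserStorageManager.importValidation: runs on login or admin search.
        user = self.db.get(username)
        if user is None or user.federation_link is None:
            return user  # local account or unknown user: nothing to validate
        if self.ldap.validate(username):
            return user
        del self.db[username]  # linked entry is gone: remove the local copy
        return None

    def stale_federated_users(self) -> List[str]:
        # Audit helper: federation-linked users whose LDAP entry no longer exists.
        return sorted(u.username for u in self.db.values()
                      if u.federation_link == self.provider_id
                      and not self.ldap.validate(u.username))
```

Running the audit right after a sync shows which accounts would only disappear on their next login or admin lookup.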
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user