Awesome! Will sync that code and give it a try.
-Jason
From: Marek Posolda <mposolda@redhat.com>
Date: Friday, March 11, 2016 at 1:38 PM
To: Jason Axley <jaxley@expedia.com>, keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Key cloak LDAP pagination for fetching groups?
Another user already created a JIRA for the 1000-limit pagination [1], and I've created another [2]
for "lazy" synchronization of just the groups which the user is a member of (lazy will
work only if "Preserve group inheritance" of the group mapper is off). PR incoming
for both issues.
[1] https://issues.jboss.org/browse/KEYCLOAK-2640
[2] https://issues.jboss.org/browse/KEYCLOAK-2655
Marek
On 11/03/16 17:51, Jason Axley wrote:
Active Directory sets a max page size by default of 1000 entries. I’m seeing my READ_ONLY
LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed
to support pagination?
The method seeing this limit is in GroupLDAPFederationMapper.java:
    public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {
It calls the LDAPQuery.java method
    public List<LDAPObject> getResultList() {
which calls LDAPQuery.java fetchQueryResults(), which has this condition to check for pagination:
    if (getConfig().isPagination() && identityQuery.getLimit() > 0) {
I have pagination set to True, but the identityQuery has a limit set to 0, so it never
enters the pagination branch. Am I missing something about how to configure the group
mapper to support pagination to fetch more than 1000 entries?
What this causes right now is for Keycloak to not see a user as a member of a group that
they are a member of because many groups beyond the 1000 have not been synchronized into
Keycloak.
I wonder if it would be better to support a Just-in-Time synchronization of just the
groups that users are members of rather than syncing all groups and trying to do a union
between the user groups and LDAP groups? I’d love to not have every group in the system
anyhow as it gets really unwieldy in the UI.
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
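The paged-results (RFC 2696) loop that a group search needs in order to get past AD's MaxPageSize, written here as an added illustration in plain JNDI; it is not Keycloak's code. The caller is assumed to pass an already-authenticated LdapContext (for example an InitialLdapContext bound over ldaps), and the base DN and group filter are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class PagedGroupSearch {

    // Fetch every group DN under baseDn with RFC 2696 paged results. pageSize must be
    // <= the server's MaxPageSize (1000 on AD by default); the loop keeps asking for the
    // next page until the server returns an empty cookie, so no groups are dropped.
    public static List<String> fetchAllGroupDns(LdapContext ctx, String baseDn, int pageSize)
            throws NamingException, IOException {
        List<String> dns = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "cn" });
        byte[] cookie = null;
        do {
            // Critical control: a server that cannot page rejects the search instead of
            // silently truncating it at its size limit (the failure mode in the thread).
            ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(pageSize, cookie, Control.CRITICAL) });
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(objectClass=group)", sc);  // filter is an assumption
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
            results.close();
            // The response control carries the cookie; a non-empty one means more pages remain.
            cookie = null;
            Control[] rcs = ctx.getResponseControls();
            if (rcs != null) {
                for (Control c : rcs) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            }
        } while (cookie != null && cookie.length > 0);
        ctx.setRequestControls(null);  // clear the control so later searches are unpaged
        return dns;
    }
}
```

Without the control, or with a search that never enters the paging branch, AD returns at most MaxPageSize entries and a membership check against the resulting list will miss users whose groups fell outside the first 1000.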