Thanks Marek!
Cheers,
Thomas
On Tue, 15 Jan 2019 at 19:47, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Thomas,
On 15/01/2019 12:32, Thomas Darimont wrote:
> Hello,
>
> Currently, Keycloak (up to 4.8.2) does not handle the case where a user
> is deleted in the federated user-store when the built-in LDAP / AD
> federation provider is used.
>
> The relevant code is located within the LDAPStorageProviderFactory:
> https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9...
>
> There is a TODO which reads:
> // TODO: Remove all existing Keycloak users, which have federation links,
> but are not in LDAP. Perhaps don't check users, which were just added or
> updated during this sync?
>
> I wonder what would be the right thing to do in this case.
> If the federated user-store dictates the truth, then IMHO the right thing
> to do would be to also delete the user that is associated with the
> user-storage provider federation link in Keycloak, if the linked AD /
> LDAP user was deleted.
Yes, when you click the "Sync users" button, the users which were
deleted in LDAP won't be directly deleted in Keycloak. However, when you
do any action in Keycloak related to that particular user (e.g. attempt
to log in as that user or search for the user from the admin console), then the user
will be deleted from the Keycloak DB and can't be seen in Keycloak anymore.
See the UserStorageManager.importValidation and LDAPStorageProvider.validate
methods.
Marek
>
> How do you handle this situation in your systems?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
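The validation hook Marek refers to, shown as an added example that is not Keycloak's own LDAP code: a user storage provider implementing ImportedUserValidation returns null from validate() when the federated account no longer exists, and UserStorageManager.importValidation then deletes the locally imported user. The RemoteDirectory / RemoteAccount types and the "REMOTE_ID" attribute name are assumptions made for this example.

```java
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.ImportedUserValidation;

// Hypothetical provider (example only, not Keycloak's LDAP provider).
// Keycloak calls validate() whenever it touches an imported user linked to
// this provider (login attempt, admin console search, ...). Returning null
// tells UserStorageManager.importValidation that the remote account is
// gone, and Keycloak then deletes the locally imported user.
public class RemoteDirectoryStorageProvider
        implements UserStorageProvider, ImportedUserValidation {

    // Assumed client for the backing store: lookup() returns null when the
    // account no longer exists there.
    public interface RemoteDirectory { RemoteAccount lookup(String externalId); }

    // Assumed view of an account in the backing store.
    public interface RemoteAccount { String email(); boolean enabled(); }

    private final RemoteDirectory directory;
    public RemoteDirectoryStorageProvider(RemoteDirectory directory) {
        this.directory = directory;
    }

    @Override
    public UserModel validate(RealmModel realm, UserModel local) {
        // The import stored the remote identifier as a user attribute;
        // "REMOTE_ID" is this example's attribute name, not a Keycloak one.
        String externalId = local.getFirstAttribute("REMOTE_ID");
        if (externalId == null) {
            return local; // cannot re-check the source, so leave the user alone
        }
        RemoteAccount remote = directory.lookup(externalId);
        if (remote == null) {
            return null; // deleted upstream: Keycloak removes the local copy
        }
        // Still present: refresh the mirrored attributes and keep the user
        local.setEmail(remote.email());
        local.setEnabled(remote.enabled());
        return local;
    }

    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }
    @Override public void close() { }
}
```

Because the check runs lazily, a user deleted upstream stays in the Keycloak database until something touches that user; a periodic full sync is still needed if stale entries must be purged on a schedule.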