Hi Simon,
Please find the below configuration on the LDAP side:
User DN: uid=test,ou=users,dc=example,dc=com
Group DN: cn=testgroup,ou=groups,dc=example,dc=com
While integrating JIRA with LDAP we have the below configuration:
[inline screenshot]
Here the user groups are getting properly synced.
For the configuration on Keycloak side please find the attached screenshots.
But still the groups are not syncing properly, i.e. whenever a user is added to a group in LDAP, that group the user is now present in is not getting reflected in Keycloak.
Could you please suggest what configuration we are missing?
Thanks and Regards,
Lahari G
________________________________
From: Simon Payne <simonpayne58(a)gmail.com>
Sent: 10 April 2018 12:07
To: Lahari Guntha
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
It's hard to tell you whether to change or not without knowing what your LDAP setup looks like.
The next thing I would check is where the relationship between the user and the group is stored. Group and user will both have a membership attribute. Make sure you are selecting the correct membership LDAP attribute for the chosen DN.
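The check Simon describes (which membership attribute the group entry really carries, and whether the user's DN is listed in it) as an added Python example that is not part of this thread. The LDIF is constructed from the DNs given in the thread, and the attribute-to-type mapping (member/uniqueMember hold DNs, memberUid holds bare uids) is an assumption about how the Keycloak group mapper's "Membership LDAP Attribute" and "Membership Attribute Type" should be set.

```python
"""Check which membership attribute an OpenLDAP group carries and whether a
given user is listed under it. Sample data only; not an export of any real directory."""
import re

# Constructed sample export of the group entry (in a real setup: ldapsearch -LLL -b <group DN>)
GROUP_LDIF = """\
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
member: uid=test,ou=users,dc=example,dc=com
member: uid=alice,ou=users,dc=example,dc=com
"""

USER_DN = "uid=test,ou=users,dc=example,dc=com"

# Membership attributes and the Keycloak "Membership Attribute Type" each implies
# (assumption: DN values for member/uniqueMember, bare uid values for memberUid)
MEMBERSHIP_ATTRS = {"member": "DN", "uniqueMember": "DN", "memberUid": "UID"}


def parse_ldif(text):
    """Minimal LDIF parser: one entry, 'attr: value' lines (no base64 '::' values)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def mapper_settings(group):
    """Return (membership LDAP attribute, attribute type) the entry supports, or None."""
    for attr, attr_type in MEMBERSHIP_ATTRS.items():
        if attr.lower() in group:
            return attr, attr_type
    return None


def is_member(group, user_dn):
    """True if the user is listed under the group's membership attribute."""
    settings = mapper_settings(group)
    if settings is None:
        return False
    attr, attr_type = settings
    values = group[attr.lower()]
    if attr_type == "DN":
        return normalize_dn(user_dn) in {normalize_dn(v) for v in values}
    uid = normalize_dn(user_dn).split(",")[0].split("=", 1)[1]  # RDN value of the user DN
    return uid in {v.lower() for v in values}
```

If `mapper_settings` returns an attribute different from the one configured in the Keycloak mapper, the sync has nothing to read and group changes in LDAP never reach Keycloak.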
On Tue, Apr 10, 2018 at 6:42 AM, Lahari Guntha
<lahari.guntha@tcs.com> wrote:
Hi Simon,
I have selected "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" for my 'user groups retrieve strategy'. Using this, the user-group mapping is done only the first time, i.e. if the user is added to or removed from any group it is not getting reflected in Keycloak.
I cannot select "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" because it is only suitable for "Active Directory" and we are using OpenLDAP.
Should I change the configuration?
Thanks & Regards,
Lahari
________________________________
From: Simon Payne <simonpayne58@gmail.com>
Sent: 09 April 2018 20:50
To: Lahari Guntha
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
Have you checked that the 'user groups retrieve strategy' on the mapper's config is correct for your need?
Otherwise it might only sync the first time and not when LDAP attributes etc. change.
On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha
<lahari.guntha@tcs.com> wrote:
Hi All,
Could you please check the procedure I followed? What further changes need to be done for the groups to sync into Keycloak?
Thanks & Regards,
Lahari G
________________________________________
From: keycloak-user-bounces@lists.jboss.org on behalf of Lahari Guntha
Sent: 28 March 2018 10:34
To: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
Hi Simon,
We have our Keycloak in standalone configuration. I have my Keycloak running as a Docker container. I logged into the container and manually changed the standalone.xml, and then restarted the server using the below command:
docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"
I have all my users synced to Keycloak. Now I have an entry of a user "User1" in Keycloak. This user is not present in any group in LDAP. Now I added the user "User1" to one of the groups in LDAP. Since I have set the "Eviction rate", I should get the updated group that the user was recently added to in the Keycloak UI when I check the "GroupMappings" for that particular user.
Why am I not able to see the groups that the user was added to even after setting the eviction time?
Should I log in to any of the applications that are integrated with SSO so that I get the user with their proper groups?
Thanks & Regards,
Lahari G
________________________________
From: Simon Payne <simonpayne58@gmail.com>
Sent: 27 March 2018 14:13
To: Lahari Guntha
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
If standalone-ha.xml is changed then a restart is necessary.
Simon.
On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha
<lahari.guntha@tcs.com> wrote:
Hi,
Do we need to reload the Keycloak server after changing the standalone.xml?
Thanks & Regards,
Lahari G
________________________________
From: Simon Payne <simonpayne58@gmail.com>
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
If you are referring to the standard entry, I simply added the expiration value to the existing local-cache entry for users:
    <local-cache name="users">
        <eviction max-entries="10000" strategy="LRU"/>
    </local-cache>
LRU means least recently used, so it will cache 10,000 users and evict the least recently used when the cache limit is reached. Obviously this will only evict users if you have greater than 10,000 in your system. So in my case I changed to the following; I simply added the expiration value to the existing local-cache entry for users:
    <local-cache name="users">
        <eviction max-entries="10000" strategy="LRU"/>
        <expiration max-idle="1200000"/>
    </local-cache>
which will additionally expire entries after 20 minutes.
A full explanation can be found here:
https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem
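An added Python check, not part of this thread, that reads the Infinispan cache-container fragment above and reports whether the Keycloak "users" local-cache has an expiration at all (the eviction entry alone only acts once the 10,000-entry limit is hit). The XML fragment is constructed from the entries Simon quotes; real standalone.xml files carry an XML namespace, which the helper strips.

```python
"""Report eviction/expiration settings of a Keycloak local-cache from a
standalone(-ha).xml Infinispan fragment. Constructed fragment, not a full config."""
import xml.etree.ElementTree as ET

# Constructed fragment: cache container as it sits under the infinispan subsystem
CONFIG_XML = """\
<cache-container name="keycloak">
  <local-cache name="realms">
    <eviction max-entries="10000" strategy="LRU"/>
  </local-cache>
  <local-cache name="users">
    <eviction max-entries="10000" strategy="LRU"/>
    <expiration max-idle="1200000"/>
  </local-cache>
</cache-container>
"""


def _local(tag):
    """Strip an XML namespace: '{urn:...}local-cache' -> 'local-cache'."""
    return tag.rsplit("}", 1)[-1]


def cache_settings(xml_text, cache_name):
    """Return {'max_entries', 'strategy', 'max_idle_minutes'} for the named
    local-cache (missing settings as None), or None if the cache does not exist."""
    root = ET.fromstring(xml_text)
    for cache in root.iter():
        if _local(cache.tag) == "local-cache" and cache.get("name") == cache_name:
            result = {"max_entries": None, "strategy": None, "max_idle_minutes": None}
            for child in cache:
                name = _local(child.tag)
                if name == "eviction":
                    result["max_entries"] = int(child.get("max-entries", 0)) or None
                    result["strategy"] = child.get("strategy")
                elif name == "expiration" and child.get("max-idle"):
                    # max-idle is in milliseconds
                    result["max_idle_minutes"] = int(child.get("max-idle")) / 60000
            return result
    return None


def expires_within(xml_text, cache_name, minutes):
    """True only if the cache has a max-idle expiration no longer than `minutes`.
    Without one, entries for users under the limit are never refreshed from LDAP."""
    s = cache_settings(xml_text, cache_name)
    return s is not None and s["max_idle_minutes"] is not None and s["max_idle_minutes"] <= minutes
```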
On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha
<lahari.guntha@tcs.com> wrote:
Hi,
Thanks Simon.
Does setting "Cache Policy" to the "No Cache" option under "User Federation" make any sense in this case, as shown below?
[inline screenshot]
Could someone explain the "Eviction" policy for the user cache? What exactly will happen?
Thanks & Regards,
Lahari G
________________________________
From: Simon Payne <simonpayne58@gmail.com>
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping
Hi, we recently experienced something similar and found it to be the user cache. There is a setting in the LDAP config which allows you to specify the cache value. However, I found this to take no effect and eventually set a hard eviction rate in the configuration in the standalone-ha.xml for the user cache.
On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha
<lahari.guntha@tcs.com> wrote:
Hi All,
We are using Keycloak version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured group mappers so that groups from LDAP are also synced to LDAP.
e.g.:
Users in LDAP: "user1"
Groups in LDAP: "group1", "group2"
When I log in to one of my applications that is configured to have SSO with Keycloak with user "user1" that is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2".
But now the newly added group is not reflected when I click on User > Group Mapping.
Why is this happening?
What is the solution to continuously and automatically sync the users with the groups they are present in or newly added to?
Thanks,
Lahari
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user