[keycloak-dev] Sync committed

Bill Burke bburke at redhat.com
Mon Aug 11 10:26:27 EDT 2014


Great stuff.

On 8/10/2014 6:09 PM, Marek Posolda wrote:
> Hi,
>
> I've pushed support for bulk sync of users from external store (like
> LDAP) to local store. Some summary of changes:
> - Added 2 new methods to UserFederationProviderFactory: syncAllUsers
> (syncs all users from the external store to the local store) and
> syncChangedUsers (syncs just the users which were changed; requires that
> the external store has support for changelogs)
>
> - Implementation for LDAP which allows both "full" and "changed" sync.
> It's possible to track users which were created or updated on the LDAP
> server since some specified time. Unfortunately it's not easily possible
> to track removed LDAP users.
>
> - Support for periodic sync. You can specify for each
> FederationProvider how often it should do syncAllUsers and how often
> syncChangedUsers. It's possible to specify a different period for each
> UserFederationProviderModel, so for example realm1 can sync from Active
> Directory once per day while realm2 can sync from OpenDS LDAP just once
> per week etc. Also if you update or delete a UserFederationProviderModel,
> the sync task will be updated/cancelled as well (I've added to BasicTimer
> support for cancelling previously scheduled tasks)
>
>
> Remaining work:
> * Support in admin console. I plan to add buttons which will allow the
> admin to trigger either syncAllUsers or syncChangedUsers from the admin
> console. Also new options to specify periods for "fullSync" and
> "changedSync". For LDAP, I will need to add an option for batch size
> (number of LDAP users to be downloaded per batch (page); each batch
> is processed in a separate transaction).
>
> * For now, I've added just sync from external store to Keycloak. Do we
> need two-way sync? For example if people have WRITABLE mode for their
> Federation Provider, then changes to a particular user done by Keycloak
> are immediately written to the 3rd party store anyway?
>
> * As I mentioned, syncChangedUsers for LDAP is able to track created
> and updated LDAP users but not removed ones. I wonder if it's a good idea
> that during full sync, Keycloak will check if all local users with LDAP
> links are still valid and delete those which are not? Or is it ok to just
> rely on the FederationProvider to handle this?
>
> * Sync/Federation of roles? Right now both FederationProvider and Sync
> are doing just syncing of users, but not roles or role mappings. I wonder
> whether maybe people also want to sync their LDAP roles into
> Keycloak and their role mappings too. This might be quite tricky though,
> as Federation just deals with UserProvider, but syncing roles from LDAP
> will require some updates to RealmProvider too. Probably not doable for
> 1.0.Final though...
>

Just create tasks for stuff for 1.1.  We'll wait for feedback on these 
LDAP features from community.  We need to start closing out our JIRAs 
for RC-1 and 1.0.Final.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
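The thread above raises the point that a "changed users" sync keyed on LDAP modifyTimestamp cannot see deletions, so a local account whose LDAP entry is gone keeps working until a full sync validates the links. The following is an added, self-contained illustration of that behaviour (it is not Keycloak's code and does not use its SPI): a constructed in-memory LDAP list, a local store that is just a username-to-DN map, batch-by-batch import, and an optional stale-link purge in the full sync.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LdapUser:
    dn: str
    username: str
    modify_ts: datetime  # stands in for the LDAP modifyTimestamp attribute

@dataclass
class SyncResult:
    added: int = 0
    updated: int = 0
    removed: int = 0

def batches(entries, batch_size):
    """Page through LDAP results; each batch would be one local transaction."""
    for i in range(0, len(entries), batch_size):
        yield entries[i:i + batch_size]

def import_batch(batch, local, result):
    """Create or refresh the local user and its federation link (DN)."""
    for u in batch:
        if u.username in local:
            result.updated += 1
        else:
            result.added += 1
        local[u.username] = u.dn

def sync_changed_users(ldap, local, last_sync, batch_size=2):
    """Import only entries modified since last_sync. Deleted entries never show up here."""
    result = SyncResult()
    changed = [u for u in ldap if u.modify_ts >= last_sync]
    for batch in batches(changed, batch_size):
        import_batch(batch, local, result)
    return result

def sync_all_users(ldap, local, batch_size=2, purge_stale=True):
    """Import every entry; with purge_stale, drop local users whose LDAP link no longer resolves."""
    result = SyncResult()
    for batch in batches(ldap, batch_size):
        import_batch(batch, local, result)
    if purge_stale:
        live = {u.username for u in ldap}
        for name in [n for n in local if n not in live]:
            del local[name]
            result.removed += 1
    return result

# Constructed sample directory (hypothetical DNs, not from any real deployment).
T0, T_LAST, T1 = datetime(2014, 8, 10, 12), datetime(2014, 8, 11, 0), datetime(2014, 8, 11, 9)
LDAP = [LdapUser("uid=alice,ou=people,dc=example,dc=com", "alice", T0),
        LdapUser("uid=bob,ou=people,dc=example,dc=com", "bob", T0),
        LdapUser("uid=carol,ou=people,dc=example,dc=com", "carol", T0)]
```

Running a changed-sync after carol is deleted from LDAP and bob is modified leaves carol in the local store; only the subsequent full sync with the purge enabled removes her.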

