[keycloak-dev] LDAP read-only was Re: Federation Storage: read-only groups

Bruno Oliveira bruno at abstractj.org
Fri Dec 2 10:53:25 EST 2016


On 2016-12-02, Bill Burke wrote:
> Providers are supposed to throw a ReadOnlyException in this scenario.  I
> don't know if the LDAP provider handles this well.  I was a bit confused
> on how it worked, it seems like if a mapper is read-only, it allows you
> to edit the change in the import. Basically unsynced mode.
>
> In looking at your SSSD provider, you only throw ReadOnlyException for
> attributes loaded by SSSD.  For the rest, you allow the local import to
> be updated (unsynced).

I'm probably missing something here, but I couldn't find anything in
the API how to prevent people from editing groups imported from my
Federation provider.

Where should I look?

>
>
> On 12/2/16 4:22 AM, Bruno Oliveira wrote:
> > Good morning,
> >
> > Today for SSSD Federation storage everything is read-only. This
> > is pretty much because we don't have any way to synchronize the changes
> > made at the admin console back to SSSD.
> >
> > QE identified this bug[1], that kind of affects LDAP federation provider
> > in read-only mode too. Correct me if I'm wrong, but in theory, if the federation
> > provider is read-only, people should not be able to edit groups or
> > roles.
> >
> > Do we have anything in the new API to prevent people from changing roles and
> > groups when the Federation provider is read-only?
> >
> >
> > [1] - https://issues.jboss.org/browse/KEYCLOAK-3904
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

--

abstractj
PGP: 0x84DC9914
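As an added illustration of the behaviour Bill describes (not code from this thread, nor Keycloak's own implementation), here is a user adapter for a read-only storage provider whose mutating calls all throw ReadOnlyException, so the admin console rejects the edit instead of updating the local import in unsynced mode. It assumes the Keycloak 2.x user-storage SPI class names; `ExternalUser` is a constructed placeholder for the directory record.

```java
// Added example, not from the thread. Class names from the Keycloak 2.x
// user-storage SPI are assumed; ExternalUser is a constructed placeholder.
package org.example.storage;

import java.util.List;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

public class ReadOnlyUserAdapter extends AbstractUserAdapterFederatedStorage {

    // Placeholder for whatever the external directory (LDAP, SSSD, ...) returned.
    private final ExternalUser external;

    public ReadOnlyUserAdapter(KeycloakSession session, RealmModel realm,
                               ComponentModel model, ExternalUser external) {
        super(session, realm, model);
        this.external = external;
    }

    @Override public String getUsername() { return external.username(); }

    // One place to build the exception so every refusal carries the same message.
    private ReadOnlyException readOnly(String what) {
        return new ReadOnlyException("federation provider is read-only: cannot change " + what);
    }

    // Profile fields: refuse instead of falling through to the federated (local) storage.
    @Override public void setUsername(String username) { throw readOnly("username"); }
    @Override public void setEmail(String email) { throw readOnly("email"); }
    @Override public void setFirstName(String firstName) { throw readOnly("first name"); }
    @Override public void setLastName(String lastName) { throw readOnly("last name"); }
    @Override public void setSingleAttribute(String name, String value) { throw readOnly("attribute " + name); }
    @Override public void setAttribute(String name, List<String> values) { throw readOnly("attribute " + name); }
    @Override public void removeAttribute(String name) { throw readOnly("attribute " + name); }

    // Group and role membership: the base class would otherwise write these to the
    // local import (unsynced), which is exactly the silent edit discussed above.
    @Override public void joinGroup(GroupModel group) { throw readOnly("group membership"); }
    @Override public void leaveGroup(GroupModel group) { throw readOnly("group membership"); }
    @Override public void grantRole(RoleModel role) { throw readOnly("role mapping"); }
    @Override public void deleteRoleMapping(RoleModel role) { throw readOnly("role mapping"); }

    public interface ExternalUser { String username(); }
}
```

This covers edits to the user record and its memberships; editing the imported group entity itself, the case Bruno asks about, is not addressed by the user adapter.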

