[keycloak-dev] LDAP read-only was Re: Federation Storage: read-only groups
Marek Posolda
mposolda at redhat.com
Mon Dec 5 11:01:24 EST 2016
On 05/12/16 16:29, Bill Burke wrote:
>
>
> On 12/5/16 5:01 AM, Marek Posolda wrote:
>> On 02/12/16 15:26, Bill Burke wrote:
>>> Providers are supposed to throw a ReadOnlyException in this scenario. I
>>> don't know if the LDAP provider handles this well. I was a bit confused
>>> about how it worked; it seems like if a mapper is read-only, it allows you
>>> to edit the change in the import. Basically unsynced mode.
>> Yes, the current read-only mode for GroupMapper is de facto
>> "unsynced". It allows you to add new group memberships, but those
>> memberships are saved in the Keycloak DB, not in LDAP itself. So the
>> group membership is the merge of memberships from the DB and from LDAP.
>> Removing a group membership which is saved in LDAP throws an exception.
>>
>> I am going to add a new mode "read-only" and rename the current
>> read-only mode to "unsynced" to be better aligned with the modes for
>> userStorage. Created https://issues.jboss.org/browse/KEYCLOAK-4025
>
> Don't forget to edit the migration script to handle this.
>
Yeah, sure. I have the migration in mind.
Marek
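The behaviour discussed in the thread (the "unsynced" mode merging memberships from the Keycloak DB and from LDAP, removal of an LDAP-stored membership failing, and a strict read-only mode rejecting every change with ReadOnlyException) as an added, self-contained Java model. This is example code written for this page, not Keycloak's own GroupMapper or user-storage implementation; the class, enum and method names (EditMode, LdapGroupMembership, joinGroup, leaveGroup) and the sample group names are assumptions.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical model of the three group-mapper edit modes from the thread.
// Not Keycloak code: all names here are assumed for illustration.
public class LdapGroupMembership {

    enum EditMode { WRITABLE, UNSYNCED, READ_ONLY }

    /** Stand-in for the ReadOnlyException a provider is expected to throw. */
    static class ReadOnlyException extends RuntimeException {
        ReadOnlyException(String msg) { super(msg); }
    }

    private final EditMode mode;
    private final Set<String> ldapGroups;  // memberships as stored in LDAP
    private final Set<String> localGroups; // memberships stored only in the Keycloak DB

    LdapGroupMembership(EditMode mode, Set<String> ldapGroups) {
        this.mode = mode;
        this.ldapGroups = new LinkedHashSet<>(ldapGroups);
        this.localGroups = new LinkedHashSet<>();
    }

    /** Effective membership is the merge of what LDAP holds and what the DB holds. */
    Set<String> groups() {
        Set<String> merged = new LinkedHashSet<>(ldapGroups);
        merged.addAll(localGroups);
        return merged;
    }

    void joinGroup(String group) {
        switch (mode) {
            case WRITABLE:
                ldapGroups.add(group);   // written through to LDAP
                break;
            case UNSYNCED:
                localGroups.add(group);  // kept in the Keycloak DB only, LDAP untouched
                break;
            case READ_ONLY:
                throw new ReadOnlyException("group membership is read-only: " + group);
        }
    }

    void leaveGroup(String group) {
        if (mode == EditMode.READ_ONLY) {
            throw new ReadOnlyException("group membership is read-only: " + group);
        }
        if (localGroups.remove(group)) {
            return;  // DB-only membership can always be dropped in unsynced/writable mode
        }
        if (ldapGroups.contains(group)) {
            if (mode == EditMode.WRITABLE) {
                ldapGroups.remove(group);  // written through to LDAP
                return;
            }
            // unsynced: the membership lives in LDAP and we must not modify LDAP
            throw new ReadOnlyException("membership stored in LDAP cannot be removed in unsynced mode: " + group);
        }
        // not a member anywhere: nothing to do
    }

    public static void main(String[] args) {
        Set<String> fromLdap = Set.of("ldap-admins");  // constructed sample LDAP membership

        LdapGroupMembership unsynced = new LdapGroupMembership(EditMode.UNSYNCED, fromLdap);
        unsynced.joinGroup("kc-local");             // saved in the DB, merged into the view
        System.out.println("unsynced view: " + unsynced.groups());
        unsynced.leaveGroup("kc-local");            // allowed: DB-only
        try {
            unsynced.leaveGroup("ldap-admins");     // rejected: stored in LDAP
        } catch (ReadOnlyException e) {
            System.out.println("unsynced: " + e.getMessage());
        }

        LdapGroupMembership readOnly = new LdapGroupMembership(EditMode.READ_ONLY, fromLdap);
        try {
            readOnly.joinGroup("kc-local");         // rejected: no local edits either
        } catch (ReadOnlyException e) {
            System.out.println("read-only: " + e.getMessage());
        }
    }
}
```

The point of splitting the two modes this way is the migration concern Bill raises: existing mappers configured as "read-only" today behave like UNSYNCED above, so a rename must map them to the new "unsynced" value rather than to the stricter READ_ONLY, or previously working local membership edits would start failing with ReadOnlyException.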