[keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

Bill Burke bburke at redhat.com
Thu Aug 4 10:16:16 EDT 2016


Again, are you just talking about the Admin Console?  Please list 
exactly what actions load thousands of users.

* In the admin console Users page, if you search for a user, LDAP will 
be queried once by username, email, or first+last name depending on the 
format of the search string.

* View All Users will *NOT* query LDAP.  It will only show imported 
users aka users that have already been imported from LDAP.

I'm not sure about the new Authorization stuff.  Is this what you mean 
by the Evaluation screen or in the User based Policy?


On 8/4/16 10:05 AM, Ushanas Shastri wrote:
>
> Classification: INTERNAL
>
> Not just when I manage Users.
>
> Even in the Evaluation screen or in the User based Policy (any place 
> we show a list of users),  on page load, all users are fetched.
>
> Even if users have to be queried from all providers, shouldn’t we wait 
> for the user to enter a search criteria, and only then query based on 
> that search criteria? At the moment, if I have a 1000 users in AD, on 
> each page load 1000 users are fetched from AD, without even me 
> attempting a search.
>
> Regards, Ushanas.
>
> *From:*keycloak-user-bounces at lists.jboss.org 
> [mailto:keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Bill Burke
> *Sent:* Thursday, August 04, 2016 6:50 PM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak goes to AD to fetch users 
> every page load, does not use local store.
>
> You mean when you manage the users from the Admin Console? The 
> searchbox is meant to be a general pattern and is equivalent to a LIKE 
> clause in RDBMS.  So this means all providers must be queried.
>
> On 8/4/16 7:54 AM, Ushanas Shastri wrote:
>
>     Classification: INTERNAL
>
>     Hello,
>
>     We have Keycloak setup with SQL Server as a persistent store, and
>     we have User Federation enabled with Microsoft Active Directory.
>
>     Why does Keycloak go back to querying AD on every page load
>     (Manage-> Users or the Evaluate tab in Authorization)? Should it
>     not get a list of users from the local SQL store only?
>
>     I’m seeing that on the page load, Keycloak gets a list of all
>     users from AD. Considering we have a large number of users, this
>     is time consuming. Don’t know if it matters, but we do have an AD
>     filter.
>
>     Regards, Ushanas.
>
>     *Viteos Fund Services Ltd | *www.viteos.com
>     <http://www.viteosfundservices.com/>
>
>     *Direct :*+91-22-61082230 | US : +1- 888-821-7561 extn 240
>
>     *Cell :*+91-9820225580
>
>     Email : ushanas.shastri at viteos.com <mailto:ushanas.shastri at viteos.com>
>
>     This message is for the named person's use only. It may contain
>     confidential, proprietary or legally privileged information. No
>     confidentiality or privilege is waived or lost by any
>     mis-transmission. If you receive this message in error, please
>     immediately delete it and all copies of it from your system,
>     destroy any hard copies of it and notify the sender. You must not,
>     directly or indirectly, use, disclose, distribute, print, or copy
>     any part of this message if you are not the intended recipient.
>     Viteos Capital Market Services Ltd. and any of its subsidiaries
>     each reserve the right to monitor all e-mail communications
>     through its networks. Any views expressed in this message are
>     those of the individual sender, except where the message states
>     otherwise and the sender is authorized to state them to be the
>     views of any such entity.
>
>
>
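
The search behaviour Bill Burke describes above (LDAP queried once per search, by username, email, or first+last name depending on the format of the search string), as an added sketch that is not part of the original thread and is not Keycloak's code. The attribute names, the format rules, the `base_filter` default and the refusal of empty searches are assumptions for illustration; the RFC 4515 escaping keeps the typed string from changing the shape of the filter.

```python
# Illustrative only: a hypothetical mapping from one search string to one
# LDAP filter. Attribute names and dispatch rules are assumptions, not
# taken from Keycloak.

# RFC 4515 section 3: these characters must be escaped as \XX in values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search: str, base_filter: str = "(objectClass=user)") -> str:
    """Return exactly one filter for one search string.

    base_filter stands in for the federation provider's configured AD
    filter (placeholder value, assumed).
    """
    search = search.strip()
    if not search:
        # Design choice of this sketch: no criteria means no directory query.
        raise ValueError("empty search: refusing to enumerate the directory")

    parts = search.split()
    if "@" in search and len(parts) == 1:
        # Looks like an email address.
        clause = f"(mail={escape_filter_value(search)})"
    elif len(parts) >= 2:
        # Looks like "first last"; everything after the first token is the surname.
        first = escape_filter_value(parts[0])
        last = escape_filter_value(" ".join(parts[1:]))
        clause = f"(&(givenName={first})(sn={last}))"
    else:
        # Single token without '@': treat as a username.
        clause = f"(sAMAccountName={escape_filter_value(search)})"

    # AND the configured filter so a search can never widen past it.
    return f"(&{base_filter}{clause})"


if __name__ == "__main__":
    # Constructed sample inputs.
    for s in ("jdoe", "jane.doe@example.com", "Jane Doe", "*)(objectClass=*"):
        print(f"{s!r:28} -> {build_user_filter(s)}")
```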
