[keycloak-user] Key cloak LDAP pagination for fetching groups?
Jason Axley
jaxley at expedia.com
Fri Mar 11 11:51:55 EST 2016
Active Directory sets a max page size by default of 1000 entries. I’m seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP . Is it supposed to support pagination?
The method seeing this limit is in GroupLDAPFederationMapper.java:
public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {
LDAPQuery.java method
public List<LDAPObject> getResultList() {
Calls LDAPQuery.java fetchQueryResults()
Which has this condition to check for pagination:
if (getConfig().isPagination() && identityQuery.getLimit() > 0) {
I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries?
What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.
I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups? I’d love to not have every group in the system anyhow as it gets really unwieldy in the UI.
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/ff8dfa29/attachment.html
More information about the keycloak-user
mailing list