[keycloak-user] Keycloak LDAP pagination for fetching groups?

Jason Axley jaxley at expedia.com
Fri Mar 11 11:51:55 EST 2016


Active Directory sets a max page size by default of 1000 entries. I’m seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed to support pagination?

The method seeing this limit is in GroupLDAPFederationMapper.java:

public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {

LDAPQuery.java method

public List<LDAPObject> getResultList() {

Calls LDAPQuery.java fetchQueryResults()

Which has this condition to check for pagination:

if (getConfig().isPagination() && identityQuery.getLimit() > 0) {

I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries?

What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.

I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups?  I’d love to not have every group in the system anyhow as it gets really unwieldy in the UI.

-Jason

Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
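The effect Jason describes, shown as an added example (not Keycloak code and not part of the original post). The directory below is a constructed in-memory stand-in that models two Active Directory behaviours: a search without the paged-results control is silently truncated at MaxPageSize (1000), while a paged search returns a cookie until the last page. `fetch_groups` reproduces the quoted condition `isPagination() && getLimit() > 0`, so with pagination enabled but limit 0 it issues one unpaged request and gets 1000 of 2500 groups; `paged_search` is the standard cookie loop that gets all of them. The group DNs, `FakeActiveDirectory`, and `fetch_groups` are assumptions made for this example; against a real server the fake would be replaced by a client library's paged search.

```python
"""Simulated paged LDAP search against an AD-like directory.

Constructed example: FakeActiveDirectory is an in-memory stand-in that
enforces MaxPageSize=1000 the way Active Directory does. Nothing here
talks to a real LDAP server.
"""

AD_MAX_PAGE_SIZE = 1000  # Active Directory's default MaxPageSize


class FakeActiveDirectory:
    """In-memory stand-in for AD's size-limit and paged-results behaviour."""

    def __init__(self, group_count):
        # Constructed sample data: group_count group DNs under a groups OU.
        self.groups = [f"CN=group{i:05d},OU=Groups,DC=example,DC=com"
                       for i in range(group_count)]

    def search(self, cookie=b"", page_size=0):
        """Return (entries, next_cookie).

        page_size == 0 models a search sent without the paged-results
        control: at most MaxPageSize entries come back and there is no
        cookie, so the caller never learns that results were cut off.
        Otherwise the cookie is an opaque marker (here, an offset) and an
        empty cookie on return means the last page has been delivered.
        """
        if page_size <= 0:
            return self.groups[:AD_MAX_PAGE_SIZE], b""
        start = int(cookie.decode()) if cookie else 0
        page = self.groups[start:start + min(page_size, AD_MAX_PAGE_SIZE)]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(self.groups) else b""
        return page, next_cookie


def paged_search(directory, page_size):
    """Standard paged-results loop: request pages while the server keeps
    handing back a non-empty cookie, then return everything collected."""
    results = []
    cookie = b""
    while True:
        page, cookie = directory.search(cookie=cookie, page_size=page_size)
        results.extend(page)
        if not cookie:
            return results


def fetch_groups(directory, pagination_enabled, limit):
    """Mirror the condition quoted in the post: the paged branch is taken
    only when pagination is enabled AND the query limit is greater than 0.
    Otherwise a single unpaged request is made, which AD truncates."""
    if pagination_enabled and limit > 0:
        return paged_search(directory, limit)
    entries, _ = directory.search()
    return entries


if __name__ == "__main__":
    ad = FakeActiveDirectory(group_count=2500)
    # Pagination on, limit 0: the branch is skipped and only 1000 come back.
    print(len(fetch_groups(ad, pagination_enabled=True, limit=0)))
    # Pagination on, limit 1000: three pages, all 2500 groups.
    print(len(fetch_groups(ad, pagination_enabled=True, limit=1000)))
```

The point to check in a real deployment is the same one the fake makes visible: an unpaged search against AD does not fail loudly at 1000 entries, it just stops, so a sync that never enters the paged branch will look healthy while missing every group past the first page.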