[keycloak-user] Keycloak LDAP pagination for fetching groups?

Marek Posolda mposolda at redhat.com
Fri Mar 11 16:38:19 EST 2016


Another user already created a JIRA for the 1000-limit pagination [1], and I've 
created another [2] for "lazy" synchronization of just the groups which the user is 
a member of (lazy will work only if "Preserve group inheritance" of the group 
mapper is off). PR incoming for both issues.

[1] https://issues.jboss.org/browse/KEYCLOAK-2640
[2] https://issues.jboss.org/browse/KEYCLOAK-2655

Marek

On 11/03/16 17:51, Jason Axley wrote:
> Active Directory sets a max page size by default of 1000 entries.  I’m 
> seeing my READ_ONLY LDAP connection only ever returning a maximum of 
> 1000 groups from LDAP.  Is it supposed to support pagination?
>
> The method seeing this limit is in GroupLDAPFederationMapper.java:
>     public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {
> which calls the LDAPQuery.java method
>     public List<LDAPObject> getResultList() {
> which calls LDAPQuery.java fetchQueryResults(),
>
> which has this condition to check for pagination:
>     if (getConfig().isPagination() && identityQuery.getLimit() > 0) {
> I have pagination set to True, but the identityQuery has a limit set 
> to 0, so it never enters the pagination branch. Am I missing something 
> about how to configure the group mapper to support pagination to fetch 
> more than 1000 entries?
>
> What this causes right now is for Keycloak to not see a user as a 
> member of a group that they are a member of because many groups beyond 
> the 1000 have not been synchronized into Keycloak.
>
> I wonder if it would be better to support a Just-in-Time 
> synchronization of just the groups that users are members of rather 
> than syncing all groups and trying to do a union between the user 
> groups and LDAP groups?  I’d love to not have every group in the 
> system anyhow as it gets really unwieldy in the UI.
>
> -Jason
>
> *Jason Axley*
>
> Sr. Security Engineer, Expedia Worldwide Engineering Team
>
> 425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
>
> 333 108th Ave NE, 9S-282, Bellevue, WA 98004
>
> EWE Security Wiki <https://confluence/display/POS/EWE+Security>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
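
The truncation described in the thread, as an added illustration that is not Keycloak's code: a stand-in directory that enforces an AD-style MaxPageSize of 1000, a client that mirrors the quoted `isPagination() && getLimit() > 0` guard (and so falls to the unpaged path when the group sync passes limit 0), and a hypothetical paged loop that keeps following the RFC 2696 cookie until the server reports no more pages. The 2500 sample group DNs and the `fixed_fetch` behaviour are constructed assumptions, not the fix that landed in the linked JIRAs.

```python
# Added illustration (not Keycloak code): a stand-in directory that enforces
# an Active-Directory-style MaxPageSize, and two client fetch strategies.
from typing import Optional

MAX_PAGE_SIZE = 1000  # AD default; constructed stand-in, not a live server

# Constructed sample data: 2500 group DNs, more than one AD page can return.
GROUPS = [f"cn=group{i},ou=groups,dc=example,dc=com" for i in range(2500)]


def server_search(page_size: Optional[int], cookie: int = 0):
    """Simulates the server side of RFC 2696 paged results.

    Without a paged-results control the server silently caps the result
    at MAX_PAGE_SIZE (the behaviour reported in the thread). With the
    control it returns one page plus a cookie for the next page
    (cookie 0 means "no more pages")."""
    if page_size is None:
        return GROUPS[:MAX_PAGE_SIZE], 0
    page_size = min(page_size, MAX_PAGE_SIZE)
    end = cookie + page_size
    page = GROUPS[cookie:end]
    next_cookie = end if end < len(GROUPS) else 0
    return page, next_cookie


def fetch_all_paged(page_size: int = MAX_PAGE_SIZE):
    """Client loop that keeps requesting pages until the cookie is empty."""
    results, cookie = [], 0
    while True:
        page, cookie = server_search(page_size, cookie)
        results.extend(page)
        if cookie == 0:
            return results


def keycloak_style_fetch(pagination: bool, limit: int):
    """Mirrors the guard quoted from LDAPQuery.fetchQueryResults(): the paged
    branch is only taken when pagination is on AND limit > 0. The group sync
    calls it with limit 0, so it takes the unpaged path and is capped."""
    if pagination and limit > 0:
        return fetch_all_paged(limit)
    entries, _ = server_search(None)
    return entries


def fixed_fetch(pagination: bool, limit: int):
    """Hypothetical fix: paginate whenever pagination is enabled, using the
    batch size when a positive limit is given, otherwise the server maximum."""
    if pagination:
        return fetch_all_paged(limit if limit > 0 else MAX_PAGE_SIZE)
    entries, _ = server_search(None)
    return entries
```

With pagination enabled but limit 0, `keycloak_style_fetch` returns only the first 1000 of the 2500 groups, which is exactly the symptom that leaves users missing group memberships; `fixed_fetch` returns all 2500.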
