[keycloak-user] Group-Mapping

Simon Payne simonpayne58 at gmail.com
Mon Apr 9 11:20:54 EDT 2018


Have you checked that the 'user groups retrieve strategy' in the mapper's
config is correct for your needs?

Otherwise it might only sync the first time and not when LDAP attributes etc.
change.

On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha <lahari.guntha at tcs.com> wrote:

> Hi All,
>
> Could you please check the procedure I followed? What further changes
> need to be done for the groups to sync into Keycloak?
>
> Thanks & Regards,
> Lahari G
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
> Sent: 28 March 2018 10:34
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> Hi Simon,
>
>
> We have our Keycloak in standalone configuration. I have my Keycloak
> running as a docker container. I logged into the container and manually
> changed the standalone.xml, and then restarted the server using the below
> command:
>
>
> docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"
>
>
> I have all my users synced to Keycloak. Now I have an entry of a user
> "User1" in Keycloak. This user is not present in any group in LDAP. Now I
> added the user "User1" to one of the groups in LDAP. Since I have set
> the "Eviction rate", I should get the updated group that the user was
> recently added to in the Keycloak UI when I check the "GroupMappings"
> for that particular user.
>
>
> Why am I not able to see the groups that the user was added to even after
> setting the eviction time?
>
>
> Should I log in to any of the applications that are integrated with SSO so
> that I get the user with their proper groups?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 27 March 2018 14:13
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> if standalone-ha.xml is changed then a restart is necessary.
>
> Simon.
>
>
>
>
> On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha <lahari.guntha at tcs.com> wrote:
> Hi,
>
>
> Do we need to reload the Keycloak server after changing the
> standalone.xml?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 23 March 2018 20:40
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> if you are referring to the standard entry
>
> <local-cache name="users">
>     <eviction max-entries="10000" strategy="LRU"/>
> </local-cache>
>
>
> then LRU means least recently used. So it will cache 10,000 users and
> evict the least recently used when the cache limit is reached. Obviously
> this will only evict users if you have greater than 10,000 in your system.
> So in my case I changed to the following
>
> I simply added the expiration value to the existing local-cache entry for
> users
>
> <local-cache name="users">
>     <eviction max-entries="10000" strategy="LRU"/>
>     <expiration max-idle="1200000"/>
> </local-cache>
>
> which will additionally expire entries after 20 minutes.
>
>
> A full explanation can be found here:
> https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem
>
>
> On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha <lahari.guntha at tcs.com> wrote:
> Hi,
>
>
> Thanks Simon.
>
>
> Does setting the "Cache Policy" to the "No Cache" option under "User
> Federation" make any sense in this case, as shown below?
>
>
> [attached screenshot]
>
>
> Could someone explain the "Eviction" policy for the user cache?
>
> What exactly will happen?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 16 March 2018 19:06
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> Hi, we recently experienced something similar and found it to be the user
> cache. There is a setting in the LDAP config which allows you to specify
> the cache value. However, I found this to take no effect and eventually set
> a hard eviction rate in the configuration in the standalone-ha.xml for the
> user cache.
>
>
>
> On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha <lahari.guntha at tcs.com> wrote:
> Hi All,
>
>
>
> We are using Keycloak version 3.3.0.CR2.
>
> I have my Keycloak integrated with LDAP.
>
> I have configured many applications to have SSO with Keycloak. I have
> done all the configuration to have LDAP integration with Keycloak. I have
> also configured Group mappers so that groups from LDAP are also synced to
> LDAP.
>
> eg:
>
> Users in LDAP:  "user1"
>
> Groups in LDAP:  "group1","group2"
>
>
> When I log in to one of my applications that is configured to have SSO
> with Keycloak as user "user1", who is present in group "group1", that
> user entry gets shown in the Keycloak UI page and we can also see the
> groups mapped to it.
>
>
> Now I add the user "user1" to another group, "group2".
>
> But now the newly added group is not reflected when I click on User > Group
> Mapping.
>
>
> Why is this happening?
>
>
> What is the solution to continuously and automatically sync the users with
> the groups they are present in or newly added to?
>
>
> Thanks,
>
> Lahari
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
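
The two `local-cache` fragments quoted in the thread differ in a way that matters for authorization: without an `<expiration>` element, a cached user (group mappings included) is only dropped by size-based eviction. The following is an added example, not part of the original messages or of Keycloak: a small Python audit that reports this per cache. The sample XML is constructed; its namespace URI and the `realms` cache are placeholders, and `lifespan` is the subsystem's age-based counterpart to the `max-idle` attribute used in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the thread. The
# namespace URI and the "realms" cache are placeholders, not from the page.
SAMPLE = """
<subsystem xmlns="urn:example:infinispan">
  <cache-container name="keycloak">
    <local-cache name="users">
      <eviction max-entries="10000" strategy="LRU"/>
      <expiration max-idle="1200000"/>
    </local-cache>
    <local-cache name="realms">
      <eviction max-entries="10000" strategy="LRU"/>
    </local-cache>
  </cache-container>
</subsystem>
"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_caches(xml_text):
    """Return {cache name: finding} for every <local-cache> in the document."""
    findings = {}
    for cache in ET.fromstring(xml_text).iter():
        if local(cache.tag) != "local-cache":
            continue
        exp = next((c for c in cache if local(c.tag) == "expiration"), None)
        # A missing attribute and -1 both mean "never expires".
        lifespan = int(exp.get("lifespan", -1)) if exp is not None else -1
        max_idle = int(exp.get("max-idle", -1)) if exp is not None else -1
        if lifespan > 0:
            finding = f"bounded: entry dropped {lifespan / 60000:g} min after it was cached"
        elif max_idle > 0:
            finding = f"idle-only: entry dropped after {max_idle / 60000:g} min without access"
        else:
            finding = "unbounded: only size-based eviction can remove an entry"
        findings[cache.get("name")] = finding
    return findings

if __name__ == "__main__":
    for name, finding in audit_caches(SAMPLE).items():
        print(f"{name}: {finding}")
```

An "idle-only" result means the timer restarts on every access, so an entry for a user who is looked up more often than the idle window can outlive a group change in LDAP.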


More information about the keycloak-user mailing list