[keycloak-user] Group-Mapping

Simon Payne simonpayne58 at gmail.com
Tue Apr 10 02:37:28 EDT 2018


It's hard to tell you whether to change or not without knowing what your
LDAP setup looks like.

The next thing I would check is where the relationship between the user
and the group is stored. Group and User will both have a membership
attribute. Make sure you are selecting the correct membership LDAP
attribute for the chosen DN.



On Tue, Apr 10, 2018 at 6:42 AM, Lahari Guntha <lahari.guntha at tcs.com>
wrote:

> Hi Simon,
>
>
> I have selected "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" for my 'user
> groups retrieve strategy'. Using this, the User-Group mapping is done only
> for the first time, i.e. if the user is added to or removed from any group it
> is not reflected in Keycloak.
>
>
> I cannot select "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" because it
> is only suitable for "Active Directory" and we are using OpenLDAP.
>
>
> Should I change the configuration?
>
>
> Thanks & Regards,
>
> Lahari
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 09 April 2018 20:50
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> have you checked the 'user groups retrieve strategy' on the mappers config
> is correct for your need?
>
> otherwise it might only sync on first time and not when LDAP attributes
> etc change.
>
> On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha <lahari.guntha at tcs.com>
> wrote:
> Hi  All,
>
> Could you please check the procedure I followed?? What are the further
> changes to be done for the groups to sync into keycloak??
>
> Thanks & Regards,
> Lahari G
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
> Sent: 28 March 2018 10:34
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> Hi Simon,
>
>
> We have our Keycloak in standalone configuration. I have my Keycloak
> running as a docker container. I logged into the container and manually
> changed the standalone.xml and then restarted the server using the below
> command:
>
>
> docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect
> "reload"
>
>
> I have all my users synced to Keycloak. Now I have an entry of a user
> "User1" in Keycloak. This user is not present in any group in LDAP. Now I
> added the user "User1" to one of the groups in LDAP. Since I have set
> the "Eviction rate", I should get the updated group that the user was
> recently added to in the Keycloak UI when I check the
> "GroupMappings" for that particular user.
>
>
> Why am I not able to see the groups that the user was added to even after
> setting the eviction time?
>
>
> Should I log into any of the applications that are integrated with SSO so
> that I get the user with their proper groups?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 27 March 2018 14:13
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> if standalone-ha.xml is changed then a restart is necessary.
>
> Simon.
>
>
>
>
> On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha <lahari.guntha at tcs.com>
> wrote:
> Hi,
>
>
> Do we need to reload the Keycloak server after changing the
> standalone.xml?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 23 March 2018 20:40
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> if you are referring to the standard entry
>
> <local-cache name="users">
>     <eviction max-entries="10000" strategy="LRU"/>
> </local-cache>
>
>
> then LRU means least recently used, so it will cache 10,000 users and
> evict the least recently used when the cache limit is reached. Obviously this
> will only evict users if you have more than 10,000 in your system. So
> in my case I changed to the following
>
> I simply added the expiration value to the existing local-cache entry for
> users
>
> <local-cache name="users">
>     <eviction max-entries="10000" strategy="LRU"/>
>     <expiration max-idle="1200000"/>
> </local-cache>
>
> which will additionally expire entries after 20 minutes.
>
>
> full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem
>
>
> On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha <lahari.guntha at tcs.com>
> wrote:
> Hi,
>
>
> Thanks Simon.
>
>
> Does setting the "Cache Policy" to the "No Cache" option under "User Federation"
> make any sense in this case, as shown below?
>
>
>
>
> Could someone explain the "Eviction" policy for the user cache?
>
> What exactly will happen?
>
>
> Thanks & Regards,
>
> Lahari G
>
>
>
>
> ________________________________
> From: Simon Payne <simonpayne58 at gmail.com>
> Sent: 16 March 2018 19:06
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> hi, we recently experienced similar and found it to be the user cache. There
> is a setting in the LDAP config which allows you to specify the cache
> value. However, I found this to take no effect and eventually set a hard
> eviction rate in the configuration in the standalone-ha.xml for the user cache.
>
>
>
> On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha <lahari.guntha at tcs.com>
> wrote:
> Hi All,
>
>
>
> We are using Keycloak version 3.3.0.CR2.
>
> I have my Keycloak integrated with LDAP.
>
> I have configured many applications to have SSO with Keycloak. I have
> done all the configuration to have LDAP integration with Keycloak. I have
> also configured Group mappers so that groups from LDAP are also synced to
> LDAP.
>
> eg:
>
> Users in LDAP:  "user1"
>
> Groups in LDAP:  "group1","group2"
>
>
> When I log into one of my applications that is configured to have SSO
> with Keycloak with user "user1" that is present in group "group1", that
> user entry gets shown in the Keycloak UI page and we can also see the
> groups mapped to it.
>
>
> Now I add the user "user1" into another group "group2".
>
> But now the newly added group is not reflected when I click on User > Group
> Mapping.
>
>
> Why is this happening?
>
>
> What is the solution to continuously and automatically sync the users with the
> groups they are present in or are newly added to?
>
>
> Thanks,
>
> Lahari
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
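Added example, not from this thread or from the Keycloak project: a small Python script that inspects LDAP group entries and reports which membership attribute each group actually uses, which is the check Simon suggests above (OpenLDAP posixGroup entries carry memberUid values that are plain uids, while groupOfNames and groupOfUniqueNames carry full DNs in member or uniqueMember). From that it derives the LDAP group mapper settings to enter in the Keycloak admin console (the option names Membership LDAP Attribute, Membership Attribute Type and User Groups Retrieve Strategy are the real ones; the strategy is fixed to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, the one the thread uses with OpenLDAP) and lists the groups a given user is a direct member of in the directory, so a group that is missing in the Keycloak UI can be traced to the directory data or to the mapper rather than to the user cache. The LDIF text, the DNs and all function names are constructed for illustration.

```python
"""Inspect LDAP group entries and derive Keycloak group-mapper settings.

The LDIF below is constructed sample data, not from any real directory.
"""
from typing import Dict, List, Optional, Tuple

# Membership attributes by object class, with the attribute name as it is
# normally typed into the Keycloak mapper and whether values are DNs or uids.
MEMBERSHIP_ATTRS = {
    "member": ("member", "DN"),            # groupOfNames
    "uniquemember": ("uniqueMember", "DN"),  # groupOfUniqueNames
    "memberuid": ("memberUid", "UID"),     # posixGroup (common in OpenLDAP)
}

# Constructed sample: one posixGroup and one groupOfNames.
SAMPLE_LDIF = """\
dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 5000
memberUid: user1
memberUid: user2

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: group2
member: uid=user1,ou=people,dc=example,dc=com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, attribute names lower-cased, multi-valued attributes kept as lists.
    Base64 (::) values and line continuations are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def membership_attribute(entry: Entry) -> Tuple[Optional[str], Optional[str]]:
    """Return (attribute name, 'DN' or 'UID') for the membership attribute the
    group entry really carries, or (None, None) if it has none."""
    for key, (display, kind) in MEMBERSHIP_ATTRS.items():
        if key in entry:
            return display, kind
    return None, None


def recommend_mapper_settings(entry: Entry) -> Dict[str, str]:
    """Mapper settings that match the group entry's own membership attribute."""
    attr, kind = membership_attribute(entry)
    if attr is None:
        raise ValueError(f"no known membership attribute on {entry['dn'][0]}")
    return {
        "Membership LDAP Attribute": attr,
        "Membership Attribute Type": kind,
        "User Groups Retrieve Strategy": "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE",
    }


def groups_of_user(entries: List[Entry], user_dn: str, uid: str) -> List[str]:
    """Names of groups that list the user directly, comparing by DN or by uid
    depending on each group's attribute type (case-insensitive string match,
    not full DN normalisation)."""
    found = []
    for entry in entries:
        attr, kind = membership_attribute(entry)
        if attr is None:
            continue
        needle = (user_dn if kind == "DN" else uid).lower()
        if any(v.lower() == needle for v in entry[attr.lower()]):
            found.append(entry["cn"][0])
    return found


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    for g in groups:
        print(g["cn"][0], recommend_mapper_settings(g))
    print("user1 ->", groups_of_user(groups, "uid=user1,ou=people,dc=example,dc=com", "user1"))
```

If the two groups disagree on the membership attribute, as they do in the sample, one group mapper cannot serve both: Keycloak needs one mapper per membership attribute type, and a user's missing group will be the one whose attribute the mapper was not configured for.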

