[keycloak-user] Group LDAP Storage Mapper

Jan Lieskovsky jlieskov at redhat.com
Fri Aug 23 05:39:11 EDT 2019


Hey Travis,

  thanks for checking.

On Fri, Aug 23, 2019 at 8:49 AM Travis De Silva <traviskds at gmail.com> wrote:

> Hi,
>
> Isn't there any way to update the USER_GROUP_MEMBERSHIP table when an LDAP
> group mapper periodic sync runs?
>
> As per a comment from @Marek Posolda <mposolda at redhat.com> in this Jira
> comment https://issues.jboss.org/browse/KEYCLOAK-4918 and also by going
> over the code in
>
> https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
> line 596, it looks like Keycloak will update the LDAP group membership only
> when the group mapper is initially created and synced. All other subsequent
> calls are not updating the table.
>
> Any idea why this condition is there?
>

From
https://www.keycloak.org/docs/latest/server_admin/index.html#sync-of-ldap-users-to-keycloak
:

"As users log in, the LDAP provider will import the LDAP user into the
Keycloak database and then authenticate against the LDAP password. This is
the only time users will be imported. If you go to the Users left menu item
in the Admin Console and click the View all users button, you will only see
those LDAP users that have been authenticated at least once by Keycloak. It
is implemented this way so that admins don't accidentally try to import a
huge LDAP DB of users."

Since LDAP group sync is a time- and performance-expensive operation, I assume
it's implemented this way so as not to negatively paralyse / impact Keycloak
performance within periodic sync runs by mistake.

See the "Sync of LDAP users to Keycloak"
<https://www.keycloak.org/docs/latest/server_admin/index.html#sync-of-ldap-users-to-keycloak>
docs section for additional guidance and a list of the available sync options.


>
> Cheers
> Travis
>

Regards, Jan
