[keycloak-user] User federation via AD/LDAP - how to handle deleted users?

Marek Posolda mposolda at redhat.com
Tue Jan 15 13:47:46 EST 2019


Hi Thomas,

On 15/01/2019 12:32, Thomas Darimont wrote:
> Hello,
>
> currently, Keycloak (up to 4.8.2) does not handle the case where a user is
> deleted in the federated user-store when the built-in LDAP / AD federation
> provider is used.
>
> The relevant code is located within the LDAPStorageProviderFactory:
> https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430
>
> There is a TODO which reads:
> // TODO: Remove all existing Keycloak users, which have federation links,
> but are not in LDAP. Perhaps don't check users, which were just added or
> updated during this sync?
>
> I wonder what would be the right thing to do in this case...
> If the federated user-store dictates the truth, then IMHO the right thing
> to do would be to also delete the user that is associated with the
> user-storage provider federation link in Keycloak, if the linked AD / LDAP
> user was deleted.

Yes, when you click the "Sync users" button, the users which were 
deleted in LDAP won't be directly deleted in Keycloak. However, when you 
do any action in Keycloak related to that particular user (e.g. attempt 
to log in as that user or search for the user in the admin console), then the 
user will be deleted from the Keycloak DB and can't be seen in Keycloak anymore. 
See the UserStorageManager.importValidation and LDAPStorageProvider.validate 
methods.

Marek

>
> How do you handle this situation in your systems?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
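The sync-time clean-up that the quoted TODO sketches, as an added example that is not part of the original thread and not Keycloak's own code. It is a stand-alone Python helper: the provider component id (PROVIDER_ID), the user list and the LDAP search result are all constructed inline so it runs offline; in a real run the user list would come from the admin REST API (user representations carry a federationLink holding the storage provider's component id) and the username list from the LDAP search the sync already performs. Usernames are used as the join key for simplicity; a deployment that keeps the LDAP entry identifier on the imported user should match on that instead. Beyond the TODO's own caution (don't touch users added or updated during this sync) it adds the guard an operator wants: an empty or sharply shrunken LDAP listing is far more often an outage or a wrong base DN than a mass offboarding, and a naive reconciliation would turn it into mass deletion.

```python
"""Reconcile LDAP-federated Keycloak users after a sync (added example).

Hypothetical helper, not Keycloak code. Inputs are constructed inline so the
module runs offline; see the lead-in for where they would come from in
a real deployment.
"""
from dataclasses import dataclass, field

# Hypothetical component id of the LDAP storage provider being synced.
PROVIDER_ID = "ldap-corp"

# Constructed sample of what the admin API returns, trimmed to the fields used.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "federationLink": "ldap-corp"},
    {"id": "u2", "username": "bob",   "federationLink": "ldap-corp"},   # gone from LDAP
    {"id": "u3", "username": "frank", "federationLink": "ldap-corp"},   # imported in this sync
    {"id": "u4", "username": "dave"},                                    # local Keycloak user
    {"id": "u5", "username": "erin",  "federationLink": "ldap-other"},  # another provider
    {"id": "u6", "username": "grace", "federationLink": "ldap-corp"},
    {"id": "u7", "username": "heidi", "federationLink": "ldap-corp"},
]

# Constructed LDAP search result; mixed case on purpose, since LDAP usually
# matches usernames case-insensitively while Keycloak stores them lowercased.
SAMPLE_LDAP_USERNAMES = ["Alice", "grace", "HEIDI"]


@dataclass
class ReconcileResult:
    orphans: list = field(default_factory=list)    # usernames linked to the provider but absent in LDAP
    to_delete: list = field(default_factory=list)  # Keycloak user ids it is safe to remove
    skipped: dict = field(default_factory=dict)    # username -> why it was left alone
    aborted: bool = False
    reason: str = ""


def reconcile_orphans(kc_users, ldap_usernames, provider_id,
                      touched_usernames=(), max_delete_ratio=0.25):
    """Return which linked users are orphans and whether deleting them is safe.

    touched_usernames: users added or updated during this sync run; they are
    never deleted here (the TODO's caution), since a paged or partial LDAP
    listing may not include entries the sync just imported.
    max_delete_ratio: abort if more than this share of the provider's linked
    users would go; that pattern signals an LDAP outage or a wrong base DN.
    """
    present = {u.lower() for u in ldap_usernames}
    touched = {u.lower() for u in touched_usernames}
    result = ReconcileResult()

    if not present:
        result.aborted = True
        result.reason = ("LDAP search returned no users; refusing to treat "
                         "every federated user as deleted")
        return result

    linked = 0
    for user in kc_users:
        name = user["username"].lower()
        link = user.get("federationLink")
        if link is None:
            result.skipped[name] = "local user, no federation link"
            continue
        if link != provider_id:
            result.skipped[name] = f"linked to another provider ({link})"
            continue
        linked += 1
        if name in present:
            continue  # still in LDAP, nothing to do
        if name in touched:
            result.skipped[name] = "added or updated during this sync"
            continue
        result.orphans.append(name)
        result.to_delete.append(user["id"])

    if linked and len(result.orphans) / linked > max_delete_ratio:
        result.aborted = True
        result.reason = (f"{len(result.orphans)} of {linked} linked users missing from LDAP "
                         f"exceeds the {max_delete_ratio:.0%} safety limit; review before deleting")
        result.to_delete = []  # keep the orphan list for the report, but authorise nothing
    return result


if __name__ == "__main__":
    res = reconcile_orphans(SAMPLE_USERS, SAMPLE_LDAP_USERNAMES, PROVIDER_ID,
                            touched_usernames=["frank"])
    print("orphans:", res.orphans)
    print("delete ids:", res.to_delete)
    for name, why in res.skipped.items():
        print(f"skip {name}: {why}")
    if res.aborted:
        print("ABORTED:", res.reason)
```

Run it as a report first and only wire the resulting ids to the admin API's user delete call once the orphan list looks right; when the ratio guard trips, the right response is to check LDAP connectivity and the provider's search settings, not to raise the limit.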



