[keycloak-user] User federation via AD/LDAP - how to handle deleted users?

Thomas Darimont thomas.darimont at googlemail.com
Mon Jan 21 03:20:40 EST 2019


Thanks Marek!

Cheers,
Thomas

On Tue, 15 Jan 2019 at 19:47, Marek Posolda <mposolda at redhat.com> wrote:

> Hi Thomas,
>
> On 15/01/2019 12:32, Thomas Darimont wrote:
> > Hello,
> >
> > currently, Keycloak (up to 4.8.2) does not handle the case where a user is
> > deleted in the federated user-store when the built-in LDAP / AD federation
> > provider is used.
> >
> > The relevant code is located within the LDAPStorageProviderFactory:
> >
> https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430
> >
> > There is a TODO which reads:
> > // TODO: Remove all existing Keycloak users, which have federation links,
> > but are not in LDAP. Perhaps don't check users, which were just added or
> > updated during this sync?
> >
> > I wonder what would be the right thing to do in this case..
> > If the federated user-store dictates the truth, then IMHO the right thing
> > to do would be to also delete the user that is associated with the
> > user-storage provider federation link in Keycloak, if the linked AD / LDAP
> > user was deleted.
>
> Yes, when you click the "Sync users" button, the users which were
> deleted in LDAP won't be directly deleted in Keycloak. However, when you
> do any action in Keycloak related to that particular user (e.g. attempt
> to log in as that user or search for the user from the admin console), then the user
> will be deleted from the Keycloak DB and can't be seen in Keycloak anymore.
> See the UserStorageManager.importValidation and LDAPStorageProvider.validate
> methods.
>
> Marek
>
> >
> > How do you handle this situation in your systems?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
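A reconciliation script for the situation Marek describes, added here as an example and not code from the thread or from Keycloak: it pages through the realm's users, keeps only those whose federation link points at the LDAP provider, compares their LDAP_ID attribute against the set of entryUUID/objectGUID values still present in the directory (supplied by the caller, e.g. from an ldapsearch), and deletes the orphans through the Admin REST API, dry-run by default. Assumed, not taken from the thread: the `/admin/realms/{realm}/users` endpoints, the `federationLink` and `LDAP_ID` fields of the user representation, a bearer token holding manage-users, and the constructed sample data at the top.

```python
import json
import urllib.request

# Constructed sample data (not from the thread), shaped like GET /admin/realms/{realm}/users output.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "federationLink": "ldap-1", "attributes": {"LDAP_ID": ["a-uuid"]}},
    {"id": "u2", "username": "bob", "federationLink": "ldap-1", "attributes": {"LDAP_ID": ["b-uuid"]}},
    {"id": "u3", "username": "carol"},                              # local account, no link
    {"id": "u4", "username": "dave", "federationLink": "ldap-2", "attributes": {"LDAP_ID": ["d-uuid"]}},
    {"id": "u5", "username": "erin", "federationLink": "ldap-1"},   # linked but never synced
]
SAMPLE_LDAP_IDS = {"a-uuid"}  # entryUUID/objectGUID values still present in the directory

def find_orphaned_users(keycloak_users, provider_id, ldap_ids):
    """Return (orphaned, unresolved) among the users linked to provider_id.
    orphaned: LDAP_ID is no longer in ldap_ids (directory entry gone);
    unresolved: linked but has no LDAP_ID, so left alone. Local accounts and
    users of other providers are never touched."""
    orphaned, unresolved = [], []
    for user in keycloak_users:
        if user.get("federationLink") != provider_id:
            continue
        ldap_id = ((user.get("attributes") or {}).get("LDAP_ID") or [None])[0]
        if ldap_id is None:
            unresolved.append(user)
        elif ldap_id not in ldap_ids:
            orphaned.append(user)
    return orphaned, unresolved

def _admin(base_url, realm, token, method, path):
    # Bare Admin REST call; assumes a bearer token that holds the manage-users role.
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}", method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def reconcile(base_url, realm, token, provider_id, ldap_ids, dry_run=True, page=100):
    """Page through the realm's users, report orphans, and delete them unless dry_run."""
    users, first = [], 0
    while True:
        chunk = _admin(base_url, realm, token, "GET", f"/users?briefRepresentation=false&first={first}&max={page}")
        users.extend(chunk)
        if len(chunk) < page:
            break
        first += page
    orphaned, unresolved = find_orphaned_users(users, provider_id, ldap_ids)
    for user in orphaned:
        print(("would delete " if dry_run else "deleting ") + user["username"])
        if not dry_run:
            _admin(base_url, realm, token, "DELETE", f"/users/{user['id']}")
    return orphaned, unresolved
```

Run `reconcile(...)` with `dry_run=True` first and review the list; users in the unresolved bucket need a manual look rather than automatic deletion.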