[keycloak-user] User Storage SPI/LDAP Provider and groups

Błażej Adamczyk blazej.adamczyk at gmail.com
Wed Jul 3 03:42:21 EDT 2019


Hi all, 

I want to extend user AND GROUP scheme with my own custom attributes
and data model to fit it to the use case.

I see several options here:
1) Extend the existing Keycloak entities with custom attributes (very
simple, but the attribute bag pattern seems too generic here?) 
2) Use the User Storage API to map my own user/group entities to
Keycloak (similarly to the quickstart "user-storage-jpa")
   2.1) Use import strategy - this probably would work well but it
seems it is overcomplicating the architecture (two schemas,
synchronization etc.)
   2.2) Use non-import strategy - this seems more relevant for my need
but I have a need to override not only users but also groups.


And finally the question: 2.2 seems fine but after looking through the
interfaces and looking through the ldap code I'm not sure how groups
are working in the federated example when import is off. 

The code seems to relate everywhere to existing Keycloak groups; the
only place where I could find groups being created is in
GroupLDAPStorageMapper (updateKeycloakGroupTree.. and syncDataFrom..
methods). These are called by a specific REST sync URL or by the import
strategy (which in 2.2 is off). 

Are the groups somehow automatically created when a group mapper is on
and import off? If so, how is the groups view in console working - is
it showing all LDAP groups? Or just those which were automatically
imported when user groups were accessed?

Also, can you please generally suggest which of the above options (1,
2.1 or 2.2) is better in my scenario and why?


-- 
Best regards, 
Blazej Adamczyk
