[keycloak-user] User Federation - LDAP - synchronize changed users

Travis De Silva traviskds at gmail.com
Wed May 8 00:49:18 EDT 2019


On further research, I believe this is done using cookies.

I can see the below keycloak class setting cookies
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java

Also, Microsoft has the below
https://docs.microsoft.com/en-us/windows/desktop/ad/polling-for-changes-using-the-dirsync-control

I am assuming for this to work, on the Microsoft Active Directory side, it
needs to support this concept. If they don't, won't it just do a full sync
rather than not sync?


On Wed, May 8, 2019 at 11:54 AM Travis De Silva <traviskds at gmail.com> wrote:

> Hi
>
> We have a user federation setup that connects to Microsoft Active
> Directory (AD)
>
> We are having an issue where when user attributes such as "memberof" or
> extension attributes are updated, it does not update it in keycloak. We
> have the synchronize changed users set to activate every half an hour.
>
> How does Keycloak identify if the user has changed in AD? Are you using
> the AD attribute "whenChanged" or is it some other attribute?
>
> Appreciate any help.
>
> Cheers
> Travis
>
>
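The cookie-based polling mechanism the thread refers to is the Active Directory DirSync control from the linked Microsoft doc; the snippet below is an added example (not Keycloak's code, and not a claim about what Keycloak does) that encodes and decodes that control's value, whose layout per MS-ADTS is `SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }`. The helper names, the sample flag values and the `next_poll_value` loop step are assumptions made for the example.

```python
from typing import Optional

DIRSYNC_OID = "1.2.840.113556.1.4.841"  # LDAP_SERVER_DIRSYNC_OID


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v: int) -> bytes:
    """BER INTEGER (tag 0x02) with a minimal two's-complement body."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_dirsync_value(flags: int, max_bytes: int, cookie: bytes) -> bytes:
    """Control value for one poll: an empty cookie asks for a full
    enumeration, a server-issued cookie asks only for changes since then."""
    body = _ber_int(flags) + _ber_int(max_bytes)
    body += b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body


def decode_dirsync_value(value: bytes):
    """Parse a control value (e.g. the one returned by the server) into
    (flags, max_bytes, cookie); the cookie is opaque and must not be parsed."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("DirSync control value must be a SEQUENCE")
    fields, pos = [], 0
    for expected in (0x02, 0x02, 0x04):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag {tag:#x}")
        fields.append(val)
    return (int.from_bytes(fields[0], "big", signed=True),
            int.from_bytes(fields[1], "big", signed=True), fields[2])


def next_poll_value(server_value: Optional[bytes], flags: int = 0) -> bytes:
    """Build the next request from the server's returned control. If the
    server sent no DirSync control back (assumed here to mean the control is
    unsupported), there is no cookie to carry forward and the next poll is a
    full enumeration again rather than an incremental one."""
    cookie = b"" if server_value is None else decode_dirsync_value(server_value)[2]
    return encode_dirsync_value(flags, 0, cookie)
```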
