Closed jekahn closed 9 months ago
Ah, I see. This is not a configuration problem but might hopefully be solved with a configuration. The SCIM for Keycloak plugin is looking directly in the database for user-group relationships, forgetting that there might be a user federation in between. This was done due to some test cases with poor performance. Unfortunately, I didn't think twice that I would exclude federations in this way. If I look into Keycloak's LDAP configuration, it seems that only users can be synced with the Keycloak database. Or is it possible to also synchronize the groups?
If groups cannot be synced, I will need to add an additional solution for this problem. But this might affect performance to a certain degree, based on how much the SCIM endpoints are used and how many users are assigned to a group.
Hi 👋 @Captain-P-Goldfish ! Appreciate the feedback!
I was able to sync both -- and I can see the membership in the KeyCloak Admin Console.
I can see the relationship between User and Groups on both:
I'm not sure if there is something different to make sure the groups are synced.
I tried messing around with the mode on the group-mapper -- and I assume they would be synced to the DB.
Okay, I was able to find the source of the problem. When the groups are synchronized from LDAP to Keycloak, the group relations are not. They are accessed from the LDAP directly and cached afterwards to have better and faster access to these mappings. I can fix this issue. I should have it ready by the start of next week.
You are the best! Thanks so much! Saves me from recreating all the users!
I added a new configuration option that allows toggling between the two implementations. The explanation can be seen in the screenshot. So when I provide the next release, you need to explicitly toggle this feature on.
Thank you so much! Appreciate the speedy work!
I will look out for the updated jar!
Tested the Updated Jar!
It works perfectly! Thanks so much!
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "39c8ae29-c1a2-4985-b2b5-80546b39fcce",
  "userName": "ceadmin",
  "active": true,
  "emails": [
    { "value": "ceadmin@sample", "primary": true }
  ],
  "name": { "familyName": "CEAdmin" },
  "groups": [
    { "value": "9be1b07e-db39-4d8e-92cc-fc6bb3b6a7bc", "display": "AllSharedUsers", "type": "direct" },
    { "value": "114d862d-4bcb-43db-82ac-5ecc243eeb30", "display": "P8Admins", "type": "direct" },
    { "value": "907bbdd1-7f3c-418b-82ab-c6e301c7ba6a", "display": "OSAdminGroup", "type": "direct" },
    { "value": "0c12e429-aad9-40d9-955b-3604626082a8", "display": "CEAdminGroup", "type": "direct" }
  ],
Hi all!
Hopefully this is a quick misconfiguration issue. Seems when I load User & Groups from an LDAP, the Get User SCIM call doesn't return the groups or the Get Groups SCIM call doesn't return the members. I can see in the KeyCloak admin UI, the membership is fine on both.
When I create a user and group in the UI (not imported) everything comes back fine.
Thanks all!
Appreciate any help!
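
A consistency check for the two symptoms reported in this issue, as an added example (not code from the plugin or from anyone in the thread): it compares SCIM User `groups` and SCIM Group `members` against the memberships shown in the Keycloak admin console. All ids, the `localuser`/`LocalGroup` entries and the function names are constructed for illustration; the expected memberships are assumed to have been exported separately.

```python
# Constructed SCIM responses: "ceadmin" is LDAP-federated and comes back
# without memberships, "localuser" was created directly in Keycloak.
SCIM_USERS = [
    {"id": "u-1", "userName": "ceadmin", "groups": []},
    {"id": "u-2", "userName": "localuser",
     "groups": [{"value": "g-3", "display": "LocalGroup", "type": "direct"}]},
]
SCIM_GROUPS = [
    {"id": "g-1", "displayName": "AllSharedUsers", "members": []},
    {"id": "g-2", "displayName": "P8Admins"},  # "members" omitted entirely
    {"id": "g-3", "displayName": "LocalGroup",
     "members": [{"value": "u-2", "type": "User"}]},
]
# Memberships as shown in the admin console (constructed).
EXPECTED = {
    "ceadmin": {"AllSharedUsers", "P8Admins"},
    "localuser": {"LocalGroup"},
}


def groups_by_user(users):
    """userName -> group names listed on the SCIM User resource."""
    return {u["userName"]: {g["display"] for g in u.get("groups", [])}
            for u in users}


def groups_by_member(users, groups):
    """userName -> group names whose SCIM Group lists the user as a member."""
    names = {u["id"]: u["userName"] for u in users}
    seen = {}
    for group in groups:
        for member in group.get("members", []):
            user = names.get(member["value"])
            if user is not None:  # skip members that are not known users
                seen.setdefault(user, set()).add(group["displayName"])
    return seen


def membership_gaps(users, groups, expected):
    """Report memberships missing from either side of the SCIM output."""
    by_user = groups_by_user(users)
    by_member = groups_by_member(users, groups)
    gaps = {}
    for name, want in expected.items():
        from_user = sorted(want - by_user.get(name, set()))
        from_group = sorted(want - by_member.get(name, set()))
        if from_user or from_group:
            gaps[name] = {"user.groups": from_user, "group.members": from_group}
    return gaps


if __name__ == "__main__":
    print(membership_gaps(SCIM_USERS, SCIM_GROUPS, EXPECTED))
```

An empty result means the SCIM view matches the expected memberships in both directions.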