Open minijaws opened 2 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Any update about this?
Is this by design? Is the LDAP synchronization only a one-time import process?
> Is this by design? Is the LDAP synchronization only a one-time import process?
LDAP keeps syncing so new users and changes are reflected. It is not a one-time process. The issue is about removing users.
To solve this, Authentik would have to store the source a user came from in the attributes. After each sync, Authentik would then have to check, for every user with that attribute, whether it is still included in the new set of users synced from LDAP. With Postgres jsonb, which is used for attributes, this should not be too big of a performance impact. Otherwise this might require a separate table.
There is also the question of what to do when a user that was created manually also exists in an LDAP sync. Should it be persisted once it is no longer part of the LDAP sync, or should it then be removed?
Regardless, this is an important issue and one we are currently debating how we feel about before we roll out Authentik to production. In our case all users come from LDAP, so a simplified version or, in the worst case, some hacky cron job might do the trick for us.
I personally have a simple script that runs periodically and checks the list of users in a given LDAP provider (by slug) against the users in an Authentik user path. Authentik users not found in the LDAP server are disabled.
My use case and setup are very basic, where LDAP is the source of truth. Only one LDAP server and a fixed user path for them in Authentik.
Would love to retire my script and have an option in Authentik to 'disable' (or delete) users from that LDAP server when they no longer exist at the source.
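For readers who want to reproduce this workaround, here is an added example of such a reconciliation script. It is not the commenter's script and not authentik code; it implements the comparison the earlier comment sketches (take the set of accounts LDAP currently returns, find the authentik users in a fixed path that are active but absent from that set) and disables rather than deletes them. Everything outside `plan_disables` is an assumption: the `ldap3` and `requests` libraries, authentik's `/api/v3/core/users/` list endpoint with a `path` filter and `pagination.next` page numbers, the `PATCH .../users/{pk}/` call with `is_active`, and the environment variable names. Two guards matter in practice, because the bug report itself was triggered by editing the LDAP user filter: an empty LDAP result aborts the run, and so does a plan that would disable more than half of the scoped users.

```python
"""Reconcile authentik users in a fixed path against the accounts an LDAP source
currently returns, and disable (never delete) the ones LDAP no longer has.
Added example for this thread; not the commenter's script and not authentik code."""
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AuthentikUser:
    pk: int
    username: str
    path: str
    is_active: bool


def normalize(username: str) -> str:
    """LDAP logins (uid / sAMAccountName) are case-insensitive; compare them that way."""
    return username.strip().casefold()


def plan_disables(ldap_usernames: Iterable[str], authentik_users: Iterable[AuthentikUser],
                  user_path: str, max_fraction: float = 0.5) -> List[AuthentikUser]:
    """Return the active authentik users under `user_path` whose username is absent
    from the LDAP result. Two guards stop a bad run from locking everyone out: an
    empty LDAP result (server down, bind failed, typo in the filter) aborts, and so
    does a plan that would disable more than `max_fraction` of the scoped users."""
    present = {normalize(u) for u in ldap_usernames}
    if not present:
        raise RuntimeError("LDAP returned no accounts; refusing to disable anyone")
    scoped = [u for u in authentik_users if u.path == user_path]
    stale = [u for u in scoped if u.is_active and normalize(u.username) not in present]
    if scoped and len(stale) / len(scoped) > max_fraction:
        raise RuntimeError(f"would disable {len(stale)} of {len(scoped)} users in "
                           f"{user_path!r}; above the {max_fraction:.0%} safety limit")
    return stale


# I/O against the real systems. These interfaces are assumptions; imports are kept
# local so the planning logic above runs without ldap3/requests installed.

def fetch_ldap_usernames(url, bind_dn, password, base_dn, user_filter, attr="sAMAccountName"):
    """Assumes the ldap3 library and a plain login attribute (uid or sAMAccountName)."""
    import ldap3
    conn = ldap3.Connection(ldap3.Server(url, use_ssl=True), bind_dn, password, auto_bind=True)
    conn.search(base_dn, user_filter, attributes=[attr])
    return [e[attr].value for e in conn.entries if e[attr].value]


def fetch_authentik_users(base_url, token, user_path):
    """Assumes authentik's /api/v3/core/users/ list endpoint with a `path` filter and
    a `pagination.next` page number that is 0 once the last page has been read."""
    import requests
    headers = {"Authorization": f"Bearer {token}"}
    page, users = 1, []
    while page:
        r = requests.get(f"{base_url}/api/v3/core/users/", headers=headers,
                         params={"path": user_path, "page": page, "page_size": 500}, timeout=30)
        r.raise_for_status()
        body = r.json()
        users += [AuthentikUser(u["pk"], u["username"], u["path"], u["is_active"])
                  for u in body["results"]]
        page = body["pagination"]["next"]
    return users


def disable_user(base_url, token, user):
    """Assumed PATCH on the user object; disabling keeps the account recoverable."""
    import requests
    r = requests.patch(f"{base_url}/api/v3/core/users/{user.pk}/",
                       headers={"Authorization": f"Bearer {token}"},
                       json={"is_active": False}, timeout=30)
    r.raise_for_status()


def main(argv):
    apply = "--apply" in argv  # default is a dry run that only prints the plan
    env = os.environ           # hypothetical variable names
    user_path = env.get("AK_USER_PATH", "users/ldap")
    found = fetch_ldap_usernames(env["LDAP_URL"], env["LDAP_BIND_DN"], env["LDAP_PASSWORD"],
                                 env["LDAP_BASE_DN"], env.get("LDAP_FILTER", "(objectClass=person)"))
    existing = fetch_authentik_users(env["AK_URL"], env["AK_TOKEN"], user_path)
    for u in plan_disables(found, existing, user_path):
        print(("disabling " if apply else "would disable ") + u.username)
        if apply:
            disable_user(env["AK_URL"], env["AK_TOKEN"], u)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it from cron with the bind and API credentials in the environment; without `--apply` it only prints the plan, which is the mode to leave it in for a few cycles after any change to the LDAP filter. Matching on username alone is what the fixed-path setup above relies on; if manually created users share that path, give them a different path or compare on a per-user source attribute instead.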
Would you mind sharing how you realized the script, to point me in the right direction to apply this workaround myself? Is it running in authentik or as a cronjob?
Describe the bug: Users and groups continue to exist after deleting them from LDAP
To Reproduce: Steps to reproduce the behavior:
Expected behavior: User and/or group should be removed from Authentik when the LDAP provider no longer returns them from the query
Version and Deployment (please complete the following information):
Additional context: Initially discovered when altering the LDAP user filter to remove some unneeded accounts