goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP Users and groups not removed from Authentik when removed from LDAP #1644

Open minijaws opened 2 years ago

minijaws commented 2 years ago

Describe the bug
Users and groups continue to exist after deleting them from LDAP.

To Reproduce
Steps to reproduce the behavior:

  1. Create User in LDAP
  2. Sync LDAP source
  3. Delete User in LDAP
  4. Sync LDAP source again

Expected behavior
User and/or group should be removed from Authentik when the LDAP provider no longer returns them from the query.

Version and Deployment (please complete the following information):

Additional context
Initially discovered when altering the LDAP user filter to remove some unneeded accounts.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Zegorax commented 2 years ago

Any update about this?

KamistixX commented 2 years ago

Is this by design? Is the LDAP synchronization only a one-time import process?

xpufx commented 2 years ago

> Is this by design? Is the LDAP synchronization only a one-time import process?

LDAP keeps syncing so new users and changes are reflected. It is not a one-time process. The issue is about removing users.

septatrix commented 1 year ago

To solve this, Authentik would have to store the source a user came from in its attributes. After each sync, Authentik would then have to check every user with that attribute to see whether it is still included in the new set of users synced from LDAP. With Postgres jsonb, which is used for attributes, this should not be too big of a performance impact. Otherwise this might require a separate table.

There is also the question of what to do when a user which was manually created then also exists in an LDAP sync. Should that user be persisted once it is no longer part of the LDAP sync, or should it then be removed?

Regardless, this is an important issue and one we are currently debating how we feel about before we roll out Authentik to production. In our case all users come from LDAP, so a simplified version or, in the worst case, some hacky cron job might do the trick for us.

diogosalazar commented 2 months ago

I personally have a simple script that runs periodically and checks the list of users in a given LDAP provider (by slug) against the users in an Authentik user path. Authentik users not found in the LDAP server are disabled.

My use case and setup are very basic, where LDAP is the source of truth. Only one LDAP server and a fixed user path for them in Authentik.

Would love to retire my script and have an option in Authentik to 'disable' (or delete) users from that LDAP server when they no longer exist at the source.

janwels89 commented 2 months ago

Would you mind sharing how you realized the script, to point me in the right direction to apply this workaround myself? Is it running in authentik or as a cronjob?