Open headstack opened 1 year ago
There is nothing in the LDAP sync code to handle cleaning up previously synced users and groups that no longer exist; at least as far as I am aware.
I agree it would be a nice-to-have.
Yes, there should be an option to enable this
Even though there is nothing in the LDAP sync code to handle this, it is not impossible to implement this functionality. The LDAP sync already fetches every user it finds, and if the user already exists in Authentik, it gets updated. If the user does not exist, a new user is created in Authentik.
So, why not use this to compare the list of users fetched from LDAP against the list of users in Authentik? This way, users that exist only in Authentik (with the appropriate slug) and not in the LDAP site can be identified and deleted from Authentik.
Currently, we are evaluating how to address this scenario. With a significant number of users joining and leaving within a year, it's crucial to ensure that if a user is deleted, it is also removed from Authentik. Otherwise, the user would still have access to their resources, and we would not be GDPR compliant.
We need a function to easily identify those users in Authentik that are not in the LDAP source,
so we can delete those users easily.
It would be good if Authentik provided a switch that disables users which are not in the LDAP source.
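The comparison described above (diff the users the LDAP sync returns against the users Authentik holds for that source, then disable or delete the ones only Authentik knows about), as an added example that is not Authentik's own code and is not part of this thread. It is pure reconciliation logic over constructed sample data; the assumed source slug `corp-ldap`, the assumption that synced users carry a path of the form `goauthentik.io/sources/<slug>`, and the case-insensitive username match are all assumptions for illustration. It also adds the two guards a practitioner would want before letting such a job run unattended: refuse to act when LDAP returns nothing (outage, failed bind, wrong base DN) and refuse when the diff would touch more than a configurable fraction of the source's users at once.

```python
"""Reconcile Authentik users against what an LDAP search currently returns.

Added example, not Authentik's code. The LDAP list and the Authentik list would
normally come from an ldap3 search and from Authentik's user API; this example
does not call either and works on the constructed sample data below.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AuthentikUser:
    pk: int
    username: str
    path: str        # assumption: synced users carry the source in their path
    is_active: bool


# Assumed source slug and path convention (hypothetical values for this example)
SOURCE_SLUG = "corp-ldap"
SOURCE_PATH = f"goauthentik.io/sources/{SOURCE_SLUG}"

# Constructed sample input: what the LDAP search returned on this sync run
LDAP_USERS = ["alice", "bob", "Carol"]

# Constructed sample input: what Authentik holds, including one local account
AUTHENTIK_USERS = [
    AuthentikUser(1, "alice", SOURCE_PATH, True),
    AuthentikUser(2, "bob", SOURCE_PATH, True),
    AuthentikUser(3, "carol", SOURCE_PATH, True),
    AuthentikUser(4, "dave", SOURCE_PATH, True),    # left; no longer in LDAP
    AuthentikUser(5, "erin", SOURCE_PATH, False),   # already deactivated earlier
    AuthentikUser(6, "akadmin", "users", True),     # local admin, never synced
]


def managed_users(authentik_users: Iterable[AuthentikUser],
                  source_path: str = SOURCE_PATH) -> List[AuthentikUser]:
    """Only users that were synced from this source are candidates; local
    accounts and users from other sources are never touched."""
    return [u for u in authentik_users if u.path == source_path]


def stale_users(ldap_usernames: Iterable[str],
                authentik_users: Iterable[AuthentikUser],
                source_path: str = SOURCE_PATH) -> List[AuthentikUser]:
    """Users Authentik holds for the source that LDAP no longer returns.
    Usernames are compared case-insensitively (assumption: the directory
    treats them that way, as sAMAccountName does)."""
    present = {name.lower() for name in ldap_usernames}
    return [u for u in managed_users(authentik_users, source_path)
            if u.username.lower() not in present]


def plan_deactivation(ldap_usernames: Iterable[str],
                      authentik_users: Iterable[AuthentikUser],
                      *, max_fraction: float = 0.5,
                      source_path: str = SOURCE_PATH) -> List[AuthentikUser]:
    """Return the active users that should be deactivated on this run.

    Two guards protect against a bad sync wiping the tenant:
    - an empty LDAP result is treated as an error, not as "everyone left";
    - if more than max_fraction of the source's users would go, stop and
      let a human look, because that usually means the search was wrong.
    """
    ldap_usernames = list(ldap_usernames)
    if not ldap_usernames:
        raise RuntimeError("LDAP returned no users; refusing to deactivate anything")
    managed = managed_users(authentik_users, source_path)
    stale = stale_users(ldap_usernames, authentik_users, source_path)
    if managed and len(stale) / len(managed) > max_fraction:
        raise RuntimeError(
            f"{len(stale)} of {len(managed)} synced users would be deactivated; "
            f"above the {max_fraction:.0%} safety threshold, aborting")
    # Already-inactive users need no action; they are left for a later purge
    return [u for u in stale if u.is_active]


if __name__ == "__main__":
    for user in plan_deactivation(LDAP_USERS, AUTHENTIK_USERS):
        print(f"would deactivate pk={user.pk} username={user.username}")
```

Deactivating first and deleting after a retention window keeps the GDPR goal from the thread reachable while leaving an undo path for the case where a user was only temporarily missing from the directory (moved OU, expired account, replication lag). The threshold belongs in configuration, not in the code, so that a planned bulk offboarding can raise it deliberately.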
Is your feature request related to a problem? Please describe. I delete a group on FreeIPA, then click the SYNC button on Authentik's LDAP Federation. I sit and wait for Authentik to delete the group, but it doesn't.
I've got the following schema:
Describe the solution you'd like Please add functionality that keeps all the entities Authentik gets from the external LDAP catalog up to date.
Describe alternatives you've considered
Additional context Authentik version: 2023.6.1 Deployment type: K8S