keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Delete Roles on Keycloak when deleted from FreeIPA #14757

Open Joncheski opened 1 year ago

Joncheski commented 1 year ago

Describe the bug

Hello,

I have done FreeIPA federation with Keycloak, and additionally I have put LDAP Mappers for Roles. But it doesn't work if I delete Roles on FreeIPA: they are not deleted on the Keycloak side. The same happens the other way round: if I delete Roles on Keycloak, this does not transfer to FreeIPA.

In the context of the same LDAP mapper, when a new role is added, it appears under Client Roles in Available Roles and does not go to Assigned Roles. It has to be added to Assigned Roles manually. Can this be changed so that it goes to Assigned Roles?

Keycloak Server Version - 16.1.1

LDAP mapper details:

Mapper Type - role-ldap-mapper
LDAP Roles DN - cn=roles,cn=accounts,dc=###,dc=###
Role Name LDAP Attribute - cn
Role Object Classes - groupOfNames
Membership LDAP Attribute - member
Membership Attribute Type - DN
Membership User LDAP Attribute - uid
Mode - LDAP_ONLY
User Roles Retrieve Strategy - LOAD_ROLES_BY_MEMBER_ATTRIBUTE
Member-Of LDAP Attribute - memberOf

Normally I do a sync. (Sync Ldap Roles To Keycloak, Synchronize all users and Synchronize changed users)

Image in attachment https://canada1.discourse-cdn.com/free1/uploads/keycloak/original/2X/0/0e626a5b929599ecdbfb06e4b6e93f1b911069ae.png

Best regards, Goce Joncheski

Version

16.1.1

Expected behavior

When FreeIPA's Roles are deleted, the same Roles should also be deleted on Keycloak's side.

Actual behavior

All roles are synchronized, but if a role is deleted in FreeIPA, it is not deleted on Keycloak; only roles are added.

How to Reproduce?

Replicate all Roles that are in FreeIPA, so that they are added and deleted depending on the situation.

Anything else?

No response

hmlnarik commented 1 year ago

@Joncheski Does this work correctly if you manually sync (click the "Sync" buttons)?

Joncheski commented 1 year ago

@hmlnarik No, even if I do the synchronization manually it doesn't work.

hmlnarik commented 1 year ago

Updating the roles is unfortunately not supported in the legacy LDAP, see KEYCLOAK-3923 and KEYCLOAK-4498.

Switching to a feature request.
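Since the legacy LDAP storage provider only adds roles and never removes ones that disappear from LDAP, roles (and role memberships) deleted in FreeIPA linger in Keycloak as orphaned privileges. The following is an added Python example, not part of this issue or of Keycloak itself, that shows how an administrator can detect that drift. It parses a constructed LDIF dump of the roles subtree using the same attribute conventions as the mapper in the issue (role name from cn, object class groupOfNames, member values as DNs, user identified by uid) and compares it with a constructed snapshot of Keycloak roles and their members. The flattened Keycloak snapshot shape and the example.com base DN are assumptions; no network calls are made.

```python
"""
Detect Keycloak roles and role memberships that no longer exist in the LDAP
roles subtree read by a role-ldap-mapper.

Added example, not part of the issue or of Keycloak. All input data is
constructed inline so the script runs offline.
"""
import re

# Constructed LDIF for the roles subtree. Matches the mapper settings from the
# issue: role name attribute = cn, role object class = groupOfNames,
# membership attribute = member (DN values), membership user attribute = uid.
# Base64-encoded ("::") LDIF values are not handled; plain values only.
LDAP_ROLES_LDIF = """\
dn: cn=admins,cn=roles,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=auditors,cn=roles,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: auditors
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed snapshot of Keycloak realm roles and their current members.
# The admin API returns roles and role members as separate resources; this
# flattened {role: {username, ...}} shape is an assumption for the example.
KEYCLOAK_ROLES = {
    "admins": {"alice", "bob", "dave"},      # dave was removed from the LDAP group
    "auditors": {"carol"},
    "legacy-operators": {"erin"},            # deleted in FreeIPA, still in Keycloak
}


def parse_ldap_roles(ldif: str) -> dict:
    """Return {role cn: {uid, ...}} for every groupOfNames entry in the LDIF text."""
    roles = {}
    # LDIF entries are separated by blank lines.
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        name = attrs["cn"][0]
        members = set()
        for dn in attrs.get("member", []):
            # Membership User LDAP Attribute is uid: take it from the member DN.
            match = re.match(r"uid=([^,]+),", dn)
            if match:
                members.add(match.group(1))
        roles[name] = members
    return roles


def reconcile(ldap_roles: dict, keycloak_roles: dict) -> dict:
    """Compare both views and report what is present in Keycloak but not in LDAP.

    stale_roles:       roles that exist in Keycloak but have no LDAP counterpart.
    stale_memberships: users still holding a role in Keycloak although they are
                       no longer a member of the matching LDAP group.
    """
    stale_roles = sorted(set(keycloak_roles) - set(ldap_roles))
    stale_memberships = {}
    for role, kc_members in keycloak_roles.items():
        if role not in ldap_roles:
            continue  # already reported as a stale role
        extra = kc_members - ldap_roles[role]
        if extra:
            stale_memberships[role] = sorted(extra)
    return {"stale_roles": stale_roles, "stale_memberships": stale_memberships}


if __name__ == "__main__":
    result = reconcile(parse_ldap_roles(LDAP_ROLES_LDIF), KEYCLOAK_ROLES)
    for role in result["stale_roles"]:
        print(f"role '{role}' exists in Keycloak but not in LDAP")
    for role, users in result["stale_memberships"].items():
        print(f"role '{role}': stale Keycloak members {users}")
```

In a real deployment the LDIF text would come from an ldapsearch against the configured LDAP Roles DN and the Keycloak snapshot from the admin REST API; the comparison logic stays the same. Anything reported can then be reviewed and removed in Keycloak by hand, since the sync itself will not do it.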