Closed omasseau closed 8 months ago
This seems like an API issue to me: the Admin Console requests the users from the REST API, but they are simply not returned.
I also have the problem with the 'Realm roles' screen. Here you can see that I have at least one user having the role 'AOF':
When I go to the 'Realm roles' screen, in the 'Users' tab it says that no users are mapped to the role:
Hum, even the API is wrong:
More info: I noticed I also cannot unassign the role:
2023-11-24 15:04:39,877 WARN [org.keycloak.services.resources.admin.RoleMapperResource] (executor-thread-168) Not possible to delete role. It's hardcoded by LDAP mapper: org.keycloak.models.ModelException: Not possible to delete role. It's hardcoded by LDAP mapper
The problem was also reproduced with an older version of Keycloak (15). It seems we have the problem only when the associated role comes from a hardcoded LDAP role mapper.
@omasseau Please don't mix things as we are talking about two different issues.
@jonkoops @omasseau AFAIK the admin UI just shows the list of users if there are no user storage providers configured in the realm. See here. I don't know when this was introduced but I remember working like this long ago.
@omasseau The HardcodedLDAPRoleStorageMapper adds the role to the user representation without really adding it to the database. So what you are seeing is expected. The user will be reported to be in that role (also in tokens and so on and so forth), but it cannot be deleted or appear in the role.
> @omasseau Please don't mix things as we are talking about two different issues.
Sorry, but I thought they could be related (one being the consequence of the other). This is why I continued to add information in the same thread ;)
> @omasseau The HardcodedLDAPRoleStorageMapper adds the role to the user representation without really adding it to the database. So what you are seeing is expected. The user will be reported to be in that role (also in tokens and so on and so forth), but it cannot be deleted or appear in the role.
OK, I understand. But is it also expected that no users at all are reported in the role (whether through the UI or through the Admin API) when it is a hardcoded role?
There are no users at all displayed because I suppose the role is not directly assigned to any user; all the users are using the HardcodedLDAPRoleStorageMapper, which is like a ghost assignment. If you create a db user and assign the role normally to that user, the user will appear in the role.
Entering * to show all users when you use LDAP is indeed an expected behaviour. We changed it since Keycloak 22 (issue https://github.com/keycloak/keycloak/issues/17294). Thus this is not a bug.
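For access reviews, the hardcoded-mapper behaviour described in the replies above means a role's member list cannot be taken as the full set of users who hold the role. The following is an added example, not code from the thread or from Keycloak: it compares the role's member list with each user's realm role mappings and flags the "ghost" grants. It assumes the per-user role-mapping response reflects the mapper-added role, as the thread reports for the user's role screen; the realm name `demo`, the user ids and the `fetch` callable are constructed for illustration.

```python
from typing import Callable, Dict, List, Set

# fetch(path, params) -> decoded JSON list. Assumption: in real use the caller
# wraps an authenticated GET against the Keycloak Admin REST API.
Fetch = Callable[[str, Dict[str, int]], List[dict]]

def listed_role_members(fetch: Fetch, realm: str, role: str, page: int = 100) -> Set[str]:
    """User ids returned by the role's member list, following first/max paging."""
    ids: Set[str] = set()
    first = 0
    while True:
        batch = fetch(f"/admin/realms/{realm}/roles/{role}/users",
                      {"first": first, "max": page})
        ids.update(u["id"] for u in batch)
        if len(batch) < page:
            return ids
        first += page

def classify_role_grants(fetch: Fetch, realm: str, role: str,
                         user_ids: List[str]) -> Dict[str, str]:
    """Label each user 'listed', 'ghost' (holds the role but is absent from
    the role's member list) or 'none'."""
    listed = listed_role_members(fetch, realm, role)
    report = {}
    for uid in user_ids:
        roles = fetch(f"/admin/realms/{realm}/users/{uid}/role-mappings/realm", {})
        has_role = any(r.get("name") == role for r in roles)
        report[uid] = "listed" if uid in listed else ("ghost" if has_role else "none")
    return report

# Constructed sample responses: one database user with a direct grant, one
# LDAP user whose role comes only from the hardcoded mapper, one without it.
SAMPLE = {
    "/admin/realms/demo/roles/AOF/users": [{"id": "u-db"}],
    "/admin/realms/demo/users/u-db/role-mappings/realm": [{"name": "AOF"}],
    "/admin/realms/demo/users/u-ldap/role-mappings/realm": [{"name": "AOF"}],
    "/admin/realms/demo/users/u-other/role-mappings/realm": [{"name": "offline_access"}],
}

def sample_fetch(path: str, params: Dict[str, int]) -> List[dict]:
    rows = SAMPLE.get(path, [])
    first = params.get("first", 0)
    return rows[first:first + params.get("max", len(rows))]

if __name__ == "__main__":
    print(classify_role_grants(sample_fetch, "demo", "AOF",
                               ["u-db", "u-ldap", "u-other"]))
```

The list of user ids is passed in by the caller because, as the thread notes, LDAP-backed users have to be obtained through a search rather than a plain listing.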
~invalid
Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved.
As the issue is not valid it will be automatically closed.
Area
admin/ui
Describe the bug
When users are imported from LDAP they are not displayed in the Users screen:
To make them appear it is mandatory to perform a search:
I don't know if it should work this way but in the previous Keycloak version I've used (Keycloak 15) it was not mandatory to do a search to see the users.
Version
22.0.5
Expected behavior
All users should be displayed when entering the Users screen.
Actual behavior
The only way to display all users is to manually search each time with the '*' expression. This is not a great UX.
How to Reproduce?
Import users from LDAP. Go to the Users screen. Stare at the empty screen.
Anything else?
No response