keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Users imported from LDAP are not displayed in the Users screen (only appears when performing a search) #25005

Closed omasseau closed 8 months ago

omasseau commented 11 months ago

Area

admin/ui

Describe the bug

When users are imported from LDAP they are not displayed in the Users screen.

To make them appear it is mandatory to perform a search.

I don't know if it should work this way but in the previous Keycloak version I've used (Keycloak 15) it was not mandatory to do a search to see the users.

Version

22.0.5

Expected behavior

All users should be displayed when entering the Users screen.

Actual behavior

The only way to display all users is to manually search each time with the '*' expression. This is not a great UX.

How to Reproduce?

Import users from LDAP. Go to the Users screen. Stare at the empty screen.

Anything else?

No response

jonkoops commented 11 months ago

This seems like an API issue to me, the Admin Console requests the users from the REST API, but they are simply not returned.

omasseau commented 11 months ago

I also have the problem with the 'Realms roles' screen. Here you can see that I have at least one user having the role 'AOF'.

When I go in the 'Realms roles' screen, in the 'Users' tab it says that no users are mapped to the role...

omasseau commented 11 months ago

Hum, even the API is wrong.

omasseau commented 11 months ago

More info: I noticed I also cannot unassign the role:

2023-11-24 15:04:39,877 WARN [org.keycloak.services.resources.admin.RoleMapperResource] (executor-thread-168) Not possible to delete role. It's hardcoded by LDAP mapper: org.keycloak.models.ModelException: Not possible to delete role. It's hardcoded by LDAP mapper

omasseau commented 11 months ago

The problem was also reproduced with an older version of Keycloak (15). It seems we have the problem only when the associated role comes from a hardcoded LDAP role mapper.

rmartinc commented 11 months ago

@omasseau Please don't mix things as we are talking about two different issues.

@jonkoops @omasseau AFAIK the admin UI just shows the list of users if there are no user storage providers configured in the realm. See here. I don't know when this was introduced but I remember it working like this long ago.

@omasseau The HardcodedLDAPRoleStorageMapper adds the role to the user representation without really adding it to the database. So what you are seeing is expected. The user will be reported to be in that role (also in tokens and so on and so forth), but it cannot be deleted or appear in the role.

omasseau commented 11 months ago

@omasseau Please don't mix things as we are talking about two different issues.

Sorry, but I thought they could be related (one being the consequence of the other). This is why I continued to add information in the same thread ;)

omasseau commented 11 months ago

@omasseau The HardcodedLDAPRoleStorageMapper adds the role to the user representation without really adding it to the database. So what you are seeing is expected. The user will be reported to be in that role (also in tokens and so on and so forth), but it cannot be deleted or appear in the role.

OK, I understand. But is it also expected that no users at all are reported in the role (whether through the UI or through the Admin API) when it is a hardcoded role?

rmartinc commented 11 months ago

There are no users at all displayed because I suppose the role is not directly assigned to any user; all the users are using the HardcodedLDAPRoleStorageMapper, which is like a ghost assignment. If you create a DB user and assign the role normally to that user, the user will appear in the role.

martin-kanis commented 8 months ago

Entering * to show all users when you use LDAP is indeed an expected behaviour. We changed it since Keycloak 22 (issue https://github.com/keycloak/keycloak/issues/17294). Thus this is not a bug.

~invalid
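The two behaviours discussed above (the Users list staying empty until a `*` search is issued when a user storage provider is configured, and a role injected by HardcodedLDAPRoleStorageMapper showing up on each user but never in the role's own user list) both matter to anyone auditing realm membership from the Admin REST API. The script below is an added example, not Keycloak project code or anything posted in this issue. It pages through `/admin/realms/{realm}/users` with `search=*`, `first` and `max`, then builds the role-to-users map from the per-user side via `/users/{id}/role-mappings/realm/composite`, which is the direction that still reflects mapper-injected roles. That last point, the realm name `demo`, the role name `default-roles-demo` and the whole `fake_fetch` transport are constructed assumptions for offline use; `http_fetch` shows the real transport shape but is not exercised here.

```python
"""Enumerate all users of a Keycloak realm (LDAP-federated ones included) and
derive role membership from the user side.

Added example, not Keycloak project code. Assumed (labelled): the Admin REST
endpoints /admin/realms/{realm}/users (first/max/search) and
/admin/realms/{realm}/users/{id}/role-mappings/realm/composite behave as the
issue thread describes, and the search wildcard '*' returns federated users.
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List

# A transport is any callable (path, query params) -> decoded JSON list.
Fetch = Callable[[str, Dict[str, str]], List[dict]]


def http_fetch(base_url: str, token: str) -> Fetch:
    """Real transport: authenticated GET returning the JSON array body.
    Not run offline; base_url and token are caller-supplied."""
    def fetch(path: str, params: Dict[str, str]) -> List[dict]:
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def list_all_users(fetch: Fetch, realm: str, page_size: int = 100) -> List[dict]:
    """Page through /users with search='*'. Per the thread, a realm with a user
    storage provider shows no users until a search is issued."""
    users: List[dict] = []
    first = 0
    while True:
        page = fetch(f"/admin/realms/{realm}/users",
                     {"search": "*", "first": str(first), "max": str(page_size)})
        users.extend(page)
        if len(page) < page_size:      # short page ends the pagination
            return users
        first += page_size


def role_members(fetch: Fetch, realm: str, users: List[dict]) -> Dict[str, List[str]]:
    """Build role -> [username] from each user's effective realm roles.
    Roles added by a hardcoded LDAP role mapper are not stored as DB mappings,
    so the role's own /users listing omits them; the per-user view includes
    them (assumption based on the thread's description of the mapper)."""
    members: Dict[str, List[str]] = defaultdict(list)
    for u in users:
        roles = fetch(f"/admin/realms/{realm}/users/{u['id']}/role-mappings/realm/composite", {})
        for r in roles:
            members[r["name"]].append(u["username"])
    return dict(members)


# Constructed offline stand-in for the Admin API: three LDAP users plus one DB
# user. Every user carries role "AOF"; only the DB user holds it as a stored
# mapping, so only that user is returned by the role's own /users endpoint.
FAKE_USERS = [{"id": f"u{i}", "username": f"ldapuser{i}"} for i in range(3)] + [
    {"id": "db1", "username": "dbuser"}
]


def fake_fetch(path: str, params: Dict[str, str]) -> List[dict]:
    if path.endswith("/users") and "/roles/" not in path:
        if params.get("search") != "*":
            return []                  # stand-in for the empty list without a search
        first, mx = int(params["first"]), int(params["max"])
        return FAKE_USERS[first:first + mx]
    if path.endswith("/role-mappings/realm/composite"):
        return [{"name": "AOF"}, {"name": "default-roles-demo"}]  # constructed role names
    if path.endswith("/roles/AOF/users"):
        return [{"username": "dbuser"}]
    raise ValueError(f"unexpected path in fake transport: {path}")


if __name__ == "__main__":
    # Offline demonstration against the constructed transport.
    users = list_all_users(fake_fetch, "demo", page_size=2)
    print(f"{len(users)} users via search='*'")
    print("role 'AOF' per role endpoint :", [u["username"] for u in fake_fetch("/admin/realms/demo/roles/AOF/users", {})])
    print("role 'AOF' per user side     :", role_members(fake_fetch, "demo", users)["AOF"])
```

For a live realm, swap `fake_fetch` for `http_fetch("https://<keycloak-host>", token)` with an admin access token; the role-side and user-side lists will disagree exactly when a hardcoded LDAP role mapper is in play, which is the discrepancy the thread explains.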

stianst commented 8 months ago

~invalid

keycloak-github-bot[bot] commented 8 months ago

Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved.

As the issue is not valid it will be automatically closed.