[LDAP] Listen on newly imported users

Hi,

I would like to implement an event listener which will be activated by users newly synced from LDAP.

I already implemented an event listener based on this tutorial: https://dev.to/adwaitthattey/building-an-event-listener-spi-plugin-for-keycloak-2044

Unfortunately, this basic event listener does not catch syncs from LDAP.

I just found the following in the logs:

INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync all users from LDAP to local store: realm: reha-plan, federation provider: test
INFO  [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync all users finished: 2 imported users, 0 updated users

My goal is to catch these events and perform an external API call.

Does someone have a suggestion on how to implement this use case?

Best regards
Max

Hi Max,

AFAICT there are no events fired after LDAP synchronization at the moment (KC 9.0.0). I’d try to implement a custom provider inheriting from LDAPStorageProviderFactory which overrides the org.keycloak.storage.ldap.LDAPStorageProviderFactory#syncImpl method. With this you can run your custom logic.

It might also be enough to override org.keycloak.storage.ldap.LDAPStorageProviderFactory#sync and org.keycloak.storage.ldap.LDAPStorageProviderFactory#syncSince.

Added KEYCLOAK-13195 Add event to signal the end of a synchronization run to track this.

Cheers,
Thomas
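An added example of the subclass approach Thomas describes (written for this page, not Keycloak's own code and not from the thread; it targets the KC 9.x API, and the package name, the provider id and the LDAP_SYNC_NOTIFY_URL / LDAP_SYNC_NOTIFY_TOKEN environment variables are assumptions). sync() is the "Sync all users" run from Max's log lines, syncSince() the "changed users" run; both hand the SynchronizationResult to one hook that POSTs a summary after the run has completed, and a failed POST is logged rather than allowed to fail the sync:

```java
package com.example.keycloak.ldap; // hypothetical package name

import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Date;

import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
import org.keycloak.storage.user.SynchronizationResult;

/**
 * Added example (not Keycloak code): an LDAP provider factory that runs a hook
 * after every full and every "changed users" sync. It is registered under its
 * own id so it sits beside, not in place of, the built-in "ldap" provider.
 */
public class NotifyingLDAPStorageProviderFactory extends LDAPStorageProviderFactory {

    private static final Logger log = Logger.getLogger(NotifyingLDAPStorageProviderFactory.class);

    // Hypothetical provider id; the built-in factory is registered as "ldap".
    public static final String PROVIDER_ID = "ldap-notifying";

    // Hypothetical endpoint and bearer token, read from the environment so nothing is hard-coded.
    private static final String NOTIFY_URL = System.getenv("LDAP_SYNC_NOTIFY_URL");
    private static final String NOTIFY_TOKEN = System.getenv("LDAP_SYNC_NOTIFY_TOKEN");

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    // Full sync: "Sync all users from LDAP to local store" in the log lines above.
    @Override
    public SynchronizationResult sync(KeycloakSessionFactory sessionFactory, String realmId,
                                      UserStorageProviderModel model) {
        SynchronizationResult result = super.sync(sessionFactory, realmId, model);
        afterSync("full", realmId, model, result);
        return result;
    }

    // Incremental sync: only entries whose modifyTimestamp is newer than lastSync.
    @Override
    public SynchronizationResult syncSince(Date lastSync, KeycloakSessionFactory sessionFactory,
                                           String realmId, UserStorageProviderModel model) {
        SynchronizationResult result = super.syncSince(lastSync, sessionFactory, realmId, model);
        afterSync("changed", realmId, model, result);
        return result;
    }

    private void afterSync(String kind, String realmId, UserStorageProviderModel model,
                           SynchronizationResult result) {
        // An ignored run (import disabled, provider disabled) or a run that touched nobody is not reported.
        if (result.isIgnored()
                || (result.getAdded() == 0 && result.getUpdated() == 0 && result.getRemoved() == 0)) {
            return;
        }
        if (NOTIFY_URL == null) {
            log.warnf("LDAP %s sync of provider %s in realm %s finished, but LDAP_SYNC_NOTIFY_URL is unset",
                    kind, model.getId(), realmId);
            return;
        }
        // Only ids and counters go into the body, so no JSON escaping is needed.
        String body = String.format(
                "{\"realm\":\"%s\",\"provider\":\"%s\",\"kind\":\"%s\","
                        + "\"added\":%d,\"updated\":%d,\"removed\":%d,\"failed\":%d}",
                realmId, model.getId(), kind,
                result.getAdded(), result.getUpdated(), result.getRemoved(), result.getFailed());
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(NOTIFY_URL).openConnection();
            conn.setConnectTimeout(5000);   // the sync timer thread must not hang on the receiver
            conn.setReadTimeout(5000);
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/json");
            if (NOTIFY_TOKEN != null) {
                conn.setRequestProperty("Authorization", "Bearer " + NOTIFY_TOKEN);
            }
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            int status = conn.getResponseCode();
            if (status / 100 != 2) {
                log.warnf("Sync notification to %s answered HTTP %d", NOTIFY_URL, status);
            }
        } catch (Exception e) {
            // The import itself has already succeeded; the notification must not undo that.
            log.warn("Sync notification failed", e);
        }
    }
}
```

LDAPStorageProviderFactory lives in the org.keycloak:keycloak-ldap-federation artifact; together with keycloak-server-spi and keycloak-server-spi-private it goes into the project as a provided-scope dependency at the same version as the server. The class is registered through a META-INF/services/org.keycloak.storage.UserStorageProviderFactory file containing its fully qualified name. Two caveats: the admin console's dedicated LDAP screen is tied to the id "ldap", so a provider with its own id is configured through the generic provider form built from getConfigProperties(), which the parent class already fills in; and the hook runs after super.sync() returns, that is, after the per-batch transactions the sync runs have committed, so a receiver that queries the users back over the admin API will see them.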

Hi Thomas,

thank you very much for the fast answer!

Do you know which maven dependency I have to include in my Java project in order to override the org.keycloak.storage.ldap.LDAPStorageProvider:sync method?

Best regards,
Max

Hi,

Were you able to get this done? I would like to do something similar.

Regards,
Ashish

Hi,

Unfortunately not. I implemented the sync job to LDAP on my own in a Spring Java Project by using the Keycloak library.

Regards,
Max

Thanks for replying. I have started doing something similar.

Regards,
Ashish

You can tap into the onImportUserFromLDAP in the LDAPStorageMapper SPI to achieve what you want.
See my article on this: Keycloak: Event Listener SPI for LDAP / User Federation Sync | by Ivancheahkf | Sep, 2022 | Medium

I’ve just implemented the idea of using onImportUserFromLDAP following that article (thanks, btw). However, I am facing a kind of funny situation. Because I am running several replicas, when a user is updated, I get one message/event for each replica, because the LDAP federation sync is run in each replica. I hadn’t realized this before (Keycloak 16, but I do not think the version matters here).

When I create a user using the console, there is just one event, because you use one of the instances. But the federation sync runs in each replica independently.

It might be that the solution to this is something trivial, but at the moment I am scratching my head a bit about this.

I have a solution.
Yes, each replica will run the federation LDAP sync and, of course, will trigger the corresponding event.
Now, I was having this problem because I was deploying the two replicas in the k8s cluster at the same time; all replicas were created at the same time.
Now, if I “spread” the replicas in time, what will happen is that when one replica's sync period kicks in, it will update the data, but for the next replica the data is already updated, so no update/create event will happen.
So, basically, the solution is not to have all the replicas created at the same time.
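An added example covering both the onImportUserFromLDAP approach suggested above and the duplicate-events-per-replica problem (my own code for this page, not Keycloak's and not the code from the linked article; the package name, the mapper id and the ldapReportedModifyTimestamp attribute name are assumptions). The mapper records, on the local user, the LDAP modifyTimestamp of the entry state it last reported. Because that attribute lives in Keycloak's shared database, a second replica re-syncing the same unchanged entry sees the marker and stays quiet, whether or not the replicas were started at the same time. beforeLDAPQuery requests modifyTimestamp, which is an operational attribute and is not returned unless asked for; if the server still does not return it the mapper falls back to the entry UUID, which de-duplicates creates but not later updates:

```java
package com.example.keycloak.ldap; // hypothetical package name

import java.util.Collections;
import java.util.List;

import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.LDAPConstants;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory;

/**
 * Added example (not Keycloak code): a mapper that reports each imported or
 * updated user once per LDAP change, however many replicas run the sync.
 */
public class NotifyOnImportMapper extends AbstractLDAPStorageMapper {

    private static final Logger log = Logger.getLogger(NotifyOnImportMapper.class);

    // Hypothetical local user attribute: "<ldap uuid>@<modifyTimestamp>" of the entry
    // state last reported. Stored in Keycloak's DB, so every replica sees it.
    static final String REPORTED_STAMP_ATTR = "ldapReportedModifyTimestamp";

    public NotifyOnImportMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    // Ask the LDAP server for modifyTimestamp on every user query the provider builds.
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LDAPConstants.MODIFY_TIMESTAMP);
    }

    // isCreate is true for a newly imported local user and false for every re-sync of an
    // existing one, including each periodic full sync, on each replica that runs it.
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        String stamp = stampOf(ldapUser);
        if (stamp.equals(user.getFirstAttribute(REPORTED_STAMP_ATTR))) {
            return; // this LDAP state was already reported, by this or another replica
        }
        report(realm, user, ldapUser, isCreate);
        user.setSingleAttribute(REPORTED_STAMP_ATTR, stamp);
    }

    // Version key of the LDAP entry; "unknown" when the server did not return modifyTimestamp.
    static String stampOf(LDAPObject ldapUser) {
        String ts = ldapUser.getAttributeAsString(LDAPConstants.MODIFY_TIMESTAMP);
        return ldapUser.getUuid() + "@" + (ts != null ? ts : "unknown");
    }

    // Placeholder for the external API call. Whatever goes here must use short timeouts and
    // swallow its own errors, because it runs inside the import and a failing receiver
    // would otherwise break the sync.
    protected void report(RealmModel realm, UserModel user, LDAPObject ldapUser, boolean isCreate) {
        log.infof("LDAP %s: realm=%s username=%s ldapUuid=%s", isCreate ? "import" : "update",
                realm.getName(), user.getUsername(), ldapUser.getUuid());
    }

    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // Keycloak-to-LDAP direction: nothing to do for this mapper.
    }

    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        return delegate; // no attribute reads or writes are intercepted
    }
}

// --- second file, NotifyOnImportMapperFactory.java, registered through
// META-INF/services/org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory ---
public class NotifyOnImportMapperFactory extends AbstractLDAPStorageMapperFactory {

    public static final String PROVIDER_ID = "notify-on-import-mapper"; // hypothetical mapper id

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getHelpText() {
        return "Reports each user once per LDAP change when it is imported or updated from LDAP";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList();
    }

    @Override
    protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
        return new NotifyOnImportMapper(mapperModel, federationProvider);
    }
}
```

After deploying the jar, the mapper is added to the existing LDAP provider on its Mappers tab under the new mapper type. The marker closes the window the thread describes, but not completely: two replicas importing the same user at the same instant can both read a stale marker and both report, so the residual duplicate is bounded by how far apart their runs are. The deeper point worth checking first is clustering. Keycloak's periodic sync is itself cluster-aware (UserStorageSyncManager runs it through ClusterProvider.executeIfNotExecuted, so one run per cluster, not per node, is the designed behaviour), which means several pods each running their own sync is the symptom of pods that have not discovered each other over JGroups/Infinispan; once they do, the duplicate sync disappears and the marker only suppresses repeat reports for users whose LDAP entry has not changed between periodic runs.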