Hi,
we are connecting our Keycloak instance to AD and it’s configured so changes in AD get stored in Keycloak’s Database. The final goal is to have our Application’s DB synchronised and we are succeeding so far, except for the User Group Memberships.
FACTS:
- A Group Mapper has been created, connecting it to AD. We have tried with the 3 available modes: LDAP_ONLY, READ_ONLY and IMPORT, with no success in any case.
- When we add or remove a Group from a user in AD (with no other change) and in User Federation we sync for “changed users”, Group changes are not detected at all (“Sync of users finished successfully. 0 users added, 0 users updated, 0 users removed, 0 users failed.”).
- We have created a custom Event Listener. When syncing, no normal Event is dispatched. An Admin Event is dispatched, but no info about the User nor about the Group comes with the Event (only info about the Realm).
- A custom implementation of LDAPStorageMapper has been done. None of the methods are executed when syncing and only Group changes were done in AD (I would expect at least syncDataFromFederationProviderToKeycloak to be executed).
- Keycloak tables USER_GROUP_MEMBERSHIP and FED_USER_GROUP_MEMBERSHIP are empty, even after trying with all the aforementioned modes LDAP_ONLY, READ_ONLY and IMPORT.
- When going to User Details in Keycloak, tab Groups:
  - With mode LDAP_ONLY: no need for sync. The Groups show up there updated before syncing.
  - With mode IMPORT: no Group is shown, neither before nor after syncing.
  - With mode READ_ONLY: Groups are shown, but for them to be updated a “changed users” sync needs to be done.

All we need is to find out which users were changed since the last sync so we can update their Groups. Any tip on that? Am I missing any table, event, configuration… for that?
Any help is greatly appreciated.