Hi,
I have some questions regarding how Keycloak works with a user federation linked to AD. Imagine the AD as follows:
- OU=Users
  - OU=GroupA, OU=Users
    - OU=Admins, OU=GroupA, OU=Users
    - OU=Computers, OU=GroupA, OU=Users
    - OU=ServiceAccounts, OU=GroupA, OU=Users
    - OU=Users, OU=GroupA, OU=Users
  - OU=GroupB, OU=Users
    - OU=Admins, OU=GroupB, OU=Users
    - OU=Computers, OU=GroupB, OU=Users
    - OU=ServiceAccounts, OU=GroupB, OU=Users
    - OU=Users, OU=GroupB, OU=Users
  - etc.
Our current users DN is set to OU=Users and we’ve noticed that upon creating a user federation we see some accounts start appearing in our realm user list (when we check with *). These are just some random users that are in our AD, usually coming from one of the Admins OUs (although I have noticed a user and a computer appearing in the list as well). This happens before clicking on the “sync users” button.
To make everything a bit clearer, I’m going to give an example of how my account works. When we initially create the user federation, my account doesn’t appear in the list when I use * as a search term; however, my account does appear if I specifically search for my account name, and afterwards it also starts appearing in the * list. As you can see, my browser search returns 0 results for my name.
But if I then search for my own account in the user list I do find it.
Afterwards I appear in the * list (I’m not sure why my first name is my last name here, but I don’t think it’s important).
I’m assuming this is intended behaviour, where the * operator only searches for synced accounts, whereas searching for a specific username searches the user federation and syncs the user if it’s found?
Anyway back to these random accounts, if I create a new realm and add our user federation to it a subset of objects immediately appears in the * list (these are always the same 30ish objects), clicking on one of them gives me an error “Could not find the resource that you are looking for”:
However if I then search for the account name and click on it I don’t get an error at all, instead I get the usual user details screen, afterwards the account also works when searching for * and clicking on it. So these accounts are “broken” until I do a search for them which “fixes” them.
This also has an annoying effect which is that these users cannot be deleted until I search for their account, as doing so gives me the error that the user doesn’t exist. After searching for their username they can be deleted.
One final thing I want to highlight is that the user id seems to change whenever I refresh the page. It’s pretty hard to showcase this as I have to censor our user accounts, but here you can see the user starting with adm_v has a user id starting with 0b.
However if I refresh my page and search for * again the user gets a totally new user id (as well as every other user in a “broken” state).
After “fixing” their account by searching for their account name the user id stops changing.
So that leaves me with 2 questions:
- Why does this subset of users appear when creating an identity provider? I would expect it to either be empty (as no sync has happened) or to contain all our users (after a sync has happened). Maybe as a follow-up question why do computers also appear in this list?
- Why do these users not work until I specifically search for them? With everything I’ve added (users not being found, changing user ids) I think it’s safe to assume this is a bug of some kind?
I’m not sure if this is the best place to post these questions as I’m not sure if this is intended and/or known behavior or not, if I should post this somewhere else feel free to let me know.
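As an added illustration (not part of the original post and not Keycloak's own code), the script below simulates what an LDAP search with a given scope returns over the OU layout described above. It only shows which objects fall under a users DN of OU=Users for the base, one-level and subtree scopes, and which of those are computer objects; the DC suffix, the sample entries and the `visible` helper are all constructed here, and the post does not state which scope or filter Keycloak actually used.

```python
# Constructed sample directory modelled on the poster's OU layout.
# The DC suffix is an assumption; the CNs are made up.
BASE_DN = "OU=Users,DC=example,DC=com"

ENTRIES = [
    ("CN=adm_vx,OU=Admins,OU=GroupA,OU=Users,DC=example,DC=com", "user"),
    ("CN=WS01,OU=Computers,OU=GroupA,OU=Users,DC=example,DC=com", "computer"),
    ("CN=svc_backup,OU=ServiceAccounts,OU=GroupB,OU=Users,DC=example,DC=com", "user"),
    ("CN=jdoe,OU=Users,OU=GroupB,OU=Users,DC=example,DC=com", "user"),
    ("CN=guest,OU=Users,DC=example,DC=com", "user"),          # directly under the base
    ("CN=other,OU=Other,DC=example,DC=com", "user"),          # outside the base entirely
]


def parse_dn(dn):
    """Split a DN into its RDN components (most specific first), normalised for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn would be returned by a search rooted at base_dn with the given scope."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child, ...
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def visible(scope, base_dn=BASE_DN, exclude_classes=()):
    """List the DNs a search with this scope would return, optionally dropping object classes.

    Over the poster's layout, a subtree search from OU=Users reaches the Admins,
    Computers and ServiceAccounts OUs of every group, so computer objects show up
    unless the search filter excludes them; a one-level search sees only objects
    placed directly under OU=Users.
    """
    return [dn for dn, cls in ENTRIES
            if in_scope(dn, base_dn, scope) and cls not in exclude_classes]


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(scope, visible(scope))
    print("sub, no computers", visible("sub", exclude_classes={"computer"}))
```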