Keycloak / KEYCLOAK-11501

Cannot delete users after setting "Custom User LDAP Filter"

    Details

    • Steps to Reproduce:

      1) Set up a Keycloak server
      2) Under User Federation, add LDAP (Active Directory)
      3) Configure it minimally, with no "Custom User LDAP Filter" and edit mode READ_ONLY (or with a user that has no write privileges on the LDAP server)
      4) Synchronize all users
      5) Add any custom user LDAP filter that reduces the user count, such as "(&(objectClass=user)(objectCategory=Person)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))"
      6) Synchronize again (you'll see a reduced number of users synchronized)
      7) Try to delete any "left-over" user (any user not included in the newer, smaller user list)
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I first set up the user federation as "LDAP - Active Directory" with the default/suggested import/sync settings. Later, I wrote a "Custom User LDAP Filter" to reduce the number of users imported (avoiding computer accounts, groups and disabled accounts):
      (&(objectClass=user)(objectCategory=Person)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

      The Keycloak console reports a smaller number of users synchronized (ok). But:
      1) None of the previously imported users get deleted locally (makes sense, as they still exist)
      2) I can't delete any of them on the Keycloak side, even though I am aware they won't be synchronized thereafter (due to the custom LDAP filter). The console warns me this is not allowed because that user will be imported on the next sync (but it won't, because of the custom filter)
      3) There is a "Delete all local users" action, but I don't know how this will affect local groups and role assignments. I think I would need to reassign EVERYTHING.
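      To make the "left-over" set concrete, the following is an added example (not code from this issue or from the Keycloak project). It evaluates the reporter's Active Directory filter against a handful of constructed directory entries and lists the accounts that an unfiltered sync imports but a sync with the custom filter never returns again. The default filter is an assumption approximating Keycloak's AD preset (an AND of the configured user object classes); the account names are hypothetical.

```python
"""Added example, not code from the Keycloak issue or project: evaluate the
reporter's AD "Custom User LDAP Filter" against constructed entries and list
the users a first, unfiltered sync imported but the filtered sync drops."""
import re

ACCOUNTDISABLE = 0x2                      # userAccountControl bit
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND

# Filter from the report (leading space of the quoted version dropped).
CUSTOM_FILTER = ("(&(objectClass=user)(objectCategory=Person)"
                 "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))")
# Assumption: with no custom filter Keycloak's AD preset searches by its
# "User Object Classes" setting, i.e. an AND of objectClass equalities.
DEFAULT_FILTER = ("(&(objectClass=person)(objectClass=organizationalPerson)"
                  "(objectClass=user))")

# Constructed sample entries (hypothetical accounts, not real directory data).
# objectCategory is kept as the class name; AD accepts that shorthand and
# resolves it to the schema DN, which is what the filter relies on.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "objectCategory": "Person", "userAccountControl": 512},            # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "objectClass": USER_CLASSES,
     "objectCategory": "Person", "userAccountControl": 512 | ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "objectClass": USER_CLASSES,
     "objectCategory": "Person", "userAccountControl": 512 | 0x10000},  # DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "WS01$", "objectClass": USER_CLASSES + ["computer"],
     "objectCategory": "Computer", "userAccountControl": 4096},         # WORKSTATION_TRUST_ACCOUNT
    {"sAMAccountName": "devs", "objectClass": ["top", "group"]},         # no userAccountControl
]

_ITEM = re.compile(r"^([A-Za-z][\w\-]*)(?::([\d.]+):)?=(.*)$")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality, extensible match."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or s[i] != ")":
            raise ValueError(f"bad {op!r} filter at offset {i}")
        return (op, kids), i + 1
    if op == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"bad '!' filter at offset {i}")
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", m.groups()), end + 1      # (attr, rule-or-None, value)


def _values(entry, attr):
    # LDAP attribute names are case-insensitive: the report writes
    # useraccountcontrol, the directory returns userAccountControl.
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    op, args = node
    if op == "&":
        return all(matches(k, entry) for k in args)
    if op == "|":
        return any(matches(k, entry) for k in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, rule, value = args
    vals = _values(entry, attr)
    if not vals:                          # absent attribute never matches
        return False
    if rule == BIT_AND_RULE:              # every bit of the asserted mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in vals)
    if rule is not None:
        raise ValueError(f"matching rule {rule} not supported")
    return any(str(v).lower() == value.lower() for v in vals)


def synced_users(filter_text, entries=ENTRIES):
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]


def left_over_users(old=DEFAULT_FILTER, new=CUSTOM_FILTER, entries=ENTRIES):
    """Users the old filter imported that the new filter will never return."""
    return sorted(set(synced_users(old, entries)) - set(synced_users(new, entries)))


if __name__ == "__main__":
    print("first sync:", synced_users(DEFAULT_FILTER))
    print("after custom filter:", synced_users(CUSTOM_FILTER))
    print("left-over local users:", left_over_users())
```

      Running it shows the disabled account and the computer account (which carries all three user object classes, so the unfiltered sync imports it) as the left-over local users; those are exactly the entries the console refuses to delete even though the filtered sync will not bring them back.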


              People

              • Assignee:
                iankko Ján Lieskovský
                Reporter:
                clayton.aguiar Clayton Aguiar
              • Votes:
                0
                Watchers:
                3
