KEYCLOAK-5017: Adding user to newly created group incurs full LDAP group sync

Details

• Docs QE Status: NEW
• QE Status: ASSIGNED

Description

With LDAP user federation handling users and groups, adding a user to a newly created group causes the group mapper to perform a full sync of groups to LDAP. During a full group sync, the entirety of every group entry in LDAP gets rewritten even if none of that entry's attributes have changed. This is problematic in our environment for a few reasons:

• We have 10,000+ groups, and the RESTful call to add a user to a new group can take full minutes to return
• RESTful calls to other nodes in the meantime may incur an Infinispan replication timeout, and we cannot prevent request delivery to faulting nodes due to case 01721387
• Rewriting unchanged LDAP entries places an unnecessary load on LDAP multi-master replication
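The following is an added illustration, not Keycloak's group mapper code, of the write amplification the description is about. It models a small set of groups in an in-memory stand-in for LDAP (the group DNs, member uids and the `FakeLdap` class are all constructed for the example), then compares two sync strategies after one user is added to a newly created group: a full sync that rewrites every entry, as reported here, and a change-aware sync that writes only new or differing entries. The write counts are what an LDAP replication topology would have to propagate.

```python
"""Added illustration (not Keycloak code): cost of a full LDAP group sync versus a
change-aware sync when a single user is added to a newly created group."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample data: the groups Keycloak knows about and their members.
KEYCLOAK_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=admins,ou=groups,dc=example,dc=org": {"member": ["uid=alice", "uid=bob"]},
    "cn=devs,ou=groups,dc=example,dc=org": {"member": ["uid=carol"]},
    "cn=ops,ou=groups,dc=example,dc=org": {"member": ["uid=dave", "uid=erin"]},
}
NEW_GROUP_DN = "cn=newgroup,ou=groups,dc=example,dc=org"  # constructed


@dataclass
class FakeLdap:
    """In-memory stand-in for an LDAP directory that records every write operation."""
    entries: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)
    log: List[Tuple[str, str]] = field(default_factory=list)  # (operation, dn)

    def add(self, dn: str, attrs: Dict[str, List[str]]) -> None:
        self.entries[dn] = {k: sorted(v) for k, v in attrs.items()}
        self.log.append(("add", dn))

    def modify_replace(self, dn: str, attrs: Dict[str, List[str]]) -> None:
        self.entries[dn].update({k: sorted(v) for k, v in attrs.items()})
        self.log.append(("modify", dn))


SyncStrategy = Callable[[FakeLdap, Dict[str, Dict[str, List[str]]]], None]


def full_sync(ldap: FakeLdap, groups: Dict[str, Dict[str, List[str]]]) -> None:
    """Rewrite every group entry whether or not anything changed (the reported behaviour)."""
    for dn, attrs in groups.items():
        if dn in ldap.entries:
            ldap.modify_replace(dn, attrs)
        else:
            ldap.add(dn, attrs)


def incremental_sync(ldap: FakeLdap, groups: Dict[str, Dict[str, List[str]]]) -> None:
    """Write only entries that are new or whose attributes differ from LDAP's copy."""
    for dn, attrs in groups.items():
        desired = {k: sorted(v) for k, v in attrs.items()}
        current = ldap.entries.get(dn)
        if current is None:
            ldap.add(dn, desired)
        elif current != desired:
            changed = {k: v for k, v in desired.items() if current.get(k) != v}
            ldap.modify_replace(dn, changed)
        # Unchanged entry: no write, so nothing for multi-master replication to carry.


def writes_after_new_group(strategy: SyncStrategy,
                           groups: Dict[str, Dict[str, List[str]]]
                           ) -> Tuple[int, Dict[str, Dict[str, List[str]]]]:
    """Populate a directory with `groups`, then add one user to a brand-new group
    and run `strategy` again. Returns (number of LDAP writes in the second run,
    final directory contents)."""
    ldap = FakeLdap()
    strategy(ldap, groups)  # initial population, not counted
    ldap.log.clear()
    updated = dict(groups)
    updated[NEW_GROUP_DN] = {"member": ["uid=alice"]}
    strategy(ldap, updated)
    return len(ldap.log), ldap.entries


if __name__ == "__main__":
    for name, strategy in (("full", full_sync), ("incremental", incremental_sync)):
        writes, _ = writes_after_new_group(strategy, KEYCLOAK_GROUPS)
        print(f"{name:12s} sync: {writes} LDAP write(s) to add one user to a new group")
```

With three existing groups the full sync issues four writes (three redundant modifies plus the one add) while the change-aware sync issues one; both leave the directory in the same final state. Scaled to the 10,000+ groups mentioned above, the redundant modifies are the entire cost of the operation, and each one is also a change that LDAP multi-master replication must ship to every replica.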


People

• Assignee: mposolda Marek Posolda
• Reporter: mposolda Marek Posolda
• Tester: Mark True
• Votes: 0
• Watchers: 3
