Feature
Resolution: Unresolved
Narrative
When a user is removed directly from LDAP by an LDAP administrator, Keycloak detects that the user is no longer available in LDAP and deletes the user from the Keycloak database as well.
Keycloak does not even emit or log an event recording that the user was deleted from LDAP; it simply deletes the user silently.
In some environments, customers may want to retain the user in the Keycloak database even after that user is deleted from the LDAP backend, regardless of the import mode settings or whether sync mode is enabled.
So when using LDAP user federation, admins need an option to preserve or delete (the default) the data of users that were deleted from LDAP.
Value Proposition
- Due to auditing or other compliance requirements, some organizations need to retain their users' data for a certain period of time (days, months, or even years). These organizations may delete users only manually (via API, with a supporting document recorded), never automatically. Such auditing and compliance policies may apply to internal applications/products only.
- Governance/business requirements to preserve the data of deleted staff.
Goals
- Ability for admins to preserve users deleted from LDAP, or otherwise (the default) delete them from the database when they are deleted from LDAP.
- Log an event whenever Keycloak detects that a user was deleted from LDAP.
Implementation note
- References to existing issues/discussions:
-> https://github.com/keycloak/keycloak/issues/25421
-> https://github.com/keycloak/keycloak/issues/29368
-> https://github.com/keycloak/keycloak/issues/24669
-> https://github.com/keycloak/keycloak/discussions/27772
-> https://github.com/keycloak/keycloak/discussions/17507
- Have a flag on the LDAP provider such as "Handling unavailable users", with options like:
-> 1) Delete the user (current behaviour). When the user is deleted, we can send an event for it.
-> 2) Disable the user (one of the options mentioned in https://github.com/keycloak/keycloak/issues/29368). This keeps the federation link. The Keycloak administrator will have to manually enable the user when they are available again in LDAP.
-> 3) Unlink the user from the federation provider.
-> 4) Keep the user in Keycloak and also keep the link. The user won't be able to log in to Keycloak (their password is in LDAP, but their LDAP account was removed).
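The four options above, modelled as an added example that is not Keycloak code: it simulates the Keycloak user store and LDAP with plain Python objects so that the effect of each proposed policy, and the audit event that today's silent deletion never produces, can be compared offline. The flag name, enum values, event type and sample usernames are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class UnavailablePolicy(Enum):
    """Proposed values of the 'Handling unavailable users' flag (names assumed)."""
    DELETE = "delete"    # option 1: current behaviour, now with an event
    DISABLE = "disable"  # option 2: keep user and link, set enabled=False
    UNLINK = "unlink"    # option 3: keep user, drop the federation link
    KEEP = "keep"        # option 4: keep user and link untouched


@dataclass
class User:
    username: str
    federation_link: Optional[str] = "ldap-provider"  # None means a local user
    enabled: bool = True


def handle_unavailable_users(users: List[User], ldap_usernames: List[str],
                             policy: UnavailablePolicy) -> Tuple[List[User], list]:
    """Apply `policy` to every federated user that is missing from LDAP.
    Returns (remaining_users, events); an event is emitted for every affected
    user whatever the policy, and local (unlinked) users are never touched."""
    present = set(ldap_usernames)
    remaining, events = [], []
    for user in users:
        if user.federation_link is None or user.username in present:
            remaining.append(user)
            continue
        events.append({"type": "LDAP_USER_UNAVAILABLE",
                       "username": user.username, "action": policy.value})
        if policy is UnavailablePolicy.DELETE:
            continue  # dropped from the store, as Keycloak does today
        if policy is UnavailablePolicy.DISABLE:
            user.enabled = False  # admin must re-enable manually later
        elif policy is UnavailablePolicy.UNLINK:
            user.federation_link = None  # becomes a plain local user
        remaining.append(user)  # KEEP: unchanged, but login fails anyway
    return remaining, events


def sample_run(policy: UnavailablePolicy):
    """Constructed sample: alice and bob are LDAP-linked, carol is local,
    and bob has just been removed from LDAP."""
    users = [User("alice"), User("bob"), User("carol", federation_link=None)]
    return handle_unavailable_users(users, ["alice"], policy)
```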