
We have set up Keycloak for our product solution in order to use it as the identity provider. We are going to import users from LDAP into the Keycloak database (Keycloak MySQL production database). We also need to sync all the users from the Keycloak database (both local and LDAP) into an external database (MySQL again) that is the database our product uses. We have a table in there to reflect the product users (systemusers).

Could you please help us understand what the best way is for syncing those users from Keycloak to our product database. I have read that there exist SCIM plugins that can do this, but we won't rely on that; we will implement something on our own. Therefore, should we:

  • extend the User Storage SPI (for writing to our external product database whenever a Keycloak user, LDAP or local, is updated) or
  • extend a custom Event Listener SPI (for writing to our external product database whenever a Keycloak user, LDAP or local, is updated)

In the first case, we will implement the UserStorageProvider and UserLookupProvider and override the getUserByUsername method so that if the current session's user in Keycloak does not exist in the external database, we create it.

In the last case, we will implement the EventListenerProvider and override the onEvent method to trigger sync CRUD operations to our product database whenever events such as UPDATE_PROFILE happen.

The question I have is whether events will be triggered when Keycloak imports a user from LDAP too, or only when the user is updated through the admin console. Could you please tell me if there is a way to detect these LDAP updates? With local users updated through admin, events such as UPDATE_PROFILE are triggered, but with LDAP, I am not sure if events are created that will help us to trigger the CRUD operations in our product database.

Or if the EventListenerProvider extension is not the correct way forward, then is the User Storage SPI Provider the correct way to implement this synchronisation between the 3 data stores?

Any help will be appreciated! Many thanks!

  • It seems that this was the solution to my issue: medium.com/@ivancheahkf/… If anyone has faced anything similar, this might be helpful. Commented May 23 at 11:59
  • I did something like that before. If you want to review the solution: synchronizing user data from a MySQL database to an LDAP directory, github.com/Imen-Frigui/LDAP-SyncHub Commented Jul 27 at 15:07

1 Answer

I don't think that trying to sync three databases is a good solution to try and achieve. You would have a lot more success keeping local Keycloak users local and importing LDAP users as they log in, and just syncing a Keycloak-imported LDAP user up every login.

If you want to view more in-depth Keycloak updates, you can set the KC_LOG_LEVEL_ORG_KEYCLOAK env variable to trace or debug and be able to intercept the event updates you are looking for.
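The EventListenerProvider route the question describes, combined with the per-login sync the answer recommends, as an added example that is not code from the question, the answer or Keycloak itself. It assumes a hypothetical `ProductUserStore` interface over the product's systemusers table, that the listener is registered through an `EventListenerProviderFactory` and enabled for the realm, and the `getUserById(RealmModel, String)` argument order of recent Keycloak releases.

```java
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Assumed interface over the product's systemusers table; the JDBC code behind it is yours.
interface ProductUserStore {
    void upsert(String keycloakId, String username, String email, String firstName, String lastName);
    void delete(String keycloakId);
}

public class ProductSyncEventListener implements EventListenerProvider {
    private final KeycloakSession session;
    private final ProductUserStore store;
    public ProductSyncEventListener(KeycloakSession session, ProductUserStore store) {
        this.session = session; this.store = store;
    }
    // REGISTER/UPDATE_PROFILE cover self-service edits; LOGIN catches an imported LDAP user on each login (the answer's approach).
    @Override
    public void onEvent(Event event) {
        EventType t = event.getType();
        if (t == EventType.LOGIN || t == EventType.REGISTER || t == EventType.UPDATE_PROFILE) {
            syncUser(event.getRealmId(), event.getUserId());
        }
    }
    // Admin console/REST user changes; path is "users/<id>", sub-resources like "users/<id>/role-mappings" are skipped.
    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        String path = event.getResourcePath();
        if (event.getResourceType() != ResourceType.USER || path == null
                || !path.startsWith("users/") || path.indexOf('/', 6) != -1) return;
        String userId = path.substring(6);
        OperationType op = event.getOperationType();
        if (op == OperationType.DELETE) store.delete(userId);
        else if (op == OperationType.CREATE || op == OperationType.UPDATE) syncUser(event.getRealmId(), userId);
    }
    // Re-read the user from Keycloak rather than trusting the event payload; this also resolves LDAP-backed users.
    private void syncUser(String realmId, String userId) {
        if (realmId == null || userId == null) return;
        RealmModel realm = session.realms().getRealm(realmId);
        // getUserById(RealmModel, String) is the argument order assumed for recent Keycloak releases.
        UserModel user = realm == null ? null : session.users().getUserById(realm, userId);
        if (user != null) store.upsert(user.getId(), user.getUsername(), user.getEmail(),
                                       user.getFirstName(), user.getLastName());
    }
    @Override public void close() { }
}
```

Because the listener only runs for events Keycloak emits, a user changed directly in LDAP is picked up here on that user's next login rather than at change time; the LDAP periodic sync question in the post is not answered by this hook alone.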
