Hi all,
We want to be able to create some users in Keycloak's local database instead of LDAP (the default provider for registrations in the realm).
Workaround
We could turn off "Sync Registrations", create the user and then turn it back on, but this causes the risk of another administrator creating the user in the wrong provider while another admin is doing this procedure.
Proposal
I thought of a simple solution: create a setting in LDAPStorageProvider (Filter Registrations) that, if enabled, would try to match the username against a regex filter (a setting that shows up when Filter Registrations is enabled). LDAPStorageProvider.addUser would return null (the behavior when Sync Registrations is off) if the username doesn't match the filter, allowing lower-priority providers to register the user, eventually falling back to the local database.
What do you think of this approach? I think it is simple yet powerful, allowing registration of users in different LDAPStorageProviders depending on the username, and does not add too much complexity. If the feature is not needed, just turn off Filter Registrations (which would default to off) and the current behavior is preserved.
Thanks,
Leandro
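As an added illustration of the proposed fallback chain (this is not Keycloak code and not part of the message above), a small Java simulation with hypothetical stand-in classes: two LDAP providers with regex filters and the local database as the last resort. It assumes the list order is the provider priority order, and uses full-string matching so a filter cannot be satisfied by a partial match.

```java
import java.util.List;
import java.util.regex.Pattern;
// Simplified stand-ins for Keycloak's user storage provider chain (hypothetical names).
interface RegistrationProvider {
    // Same contract as UserRegistrationProvider.addUser: null means "declined, try the next one".
    String addUser(String username);
}

// Stand-in for LDAPStorageProvider with the proposed "Filter Registrations" option.
final class LdapProvider implements RegistrationProvider {
    private final String name;
    private final Pattern filter; // null models "Filter Registrations" switched off
    LdapProvider(String name, String regexOrNull) {
        this.name = name;
        this.filter = regexOrNull == null ? null : Pattern.compile(regexOrNull);
    }
    public String addUser(String username) {
        // matches() anchors the pattern to the whole username; find() would let
        // "admin-x" satisfy an "admin" filter.
        if (filter != null && !filter.matcher(username).matches()) {
            return null; // same outcome as "Sync Registrations" off
        }
        return name + ":" + username; // pretend the LDAP entry was written
    }
}

final class LocalDatabase implements RegistrationProvider {
    public String addUser(String username) { return "local:" + username; }
}

public final class RegistrationChain {
    // Walk providers in priority order; the local database is the last resort.
    static String register(List<RegistrationProvider> chain, String username) {
        for (RegistrationProvider p : chain) {
            String created = p.addUser(username);
            if (created != null) return created;
        }
        return new LocalDatabase().addUser(username);
    }

    public static void main(String[] args) {
        List<RegistrationProvider> chain = List.<RegistrationProvider>of(
            new LdapProvider("ldap-staff", "[a-z]+\\.[a-z]+"),  // first.last accounts
            new LdapProvider("ldap-contractors", "c-[a-z0-9]+")); // contractor ids
        System.out.println(register(chain, "jane.doe"));   // handled by ldap-staff
        System.out.println(register(chain, "c-acme42"));   // handled by ldap-contractors
        System.out.println(register(chain, "svc_backup")); // no filter matches: local database
    }
}
```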