Hello,
Trying to use Periodic Changed Users Sync with filter. I enabled debug logging on org.keycloak.storage.ldap.idm.store.ldap.
From logging I can see filter and baseDn being used, but no users are being picked up. However, if I run the same search & filter using ApacheStudio, I see what is expected: 2 users returned by query.
2021-10-06 19:48:35,119 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore] (Timer-2) Using filter for LDAP search: (&(objectClass=inetOrgPerson)(memberOf:1.2.840.113556.1.4.1941:=CN=Programs,OU=People,O=pgatour,DC=pga,DC=local)(|(whenCreated>=20211006194435.0Z)(whenChanged>=20211006194435.0Z))(objectclass=person)(objectclass=organizationalPerson)(objectclass=user)) . Searching in DN: OU=People,O=pgatour,DC=pga,DC=local
2021-10-06 19:48:35,119 DEBUG [org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager] (Timer-2) Creating LdapContext using properties: [{java.naming.security.authentication=simple, java.naming.ldap.attributes.binary=objectGUID, java.naming.provider.url=ldap://54.234.136.194:389, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.credentials=**************************************, java.naming.security.principal=mwallach@pga.local}]
2021-10-06 19:48:35,123 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.perf] (Timer-2)
LdapOperation: searchPaginated
baseDn: OU=People,O=pgatour,DC=pga,DC=local
filter: (&(objectClass=inetOrgPerson)(memberOf:1.2.840.113556.1.4.1941:=CN=Programs,OU=People,O=pgatour,DC=pga,DC=local)(|(whenCreated>=20211006194435.0Z)(whenChanged>=20211006194435.0Z))(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))
searchScope: 2
returningAttrs: [cn, whenCreated, sn, mail, whenChanged, givenName, pwdLastSet, userAccountControl]
limit: 1000
resultSize: 0
Any other suggestions on why this might not be working in Keycloak sync?