LDAP Users and groups not removed from Authentik when removed from LDAP #1644
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Any update about this?
Is this by design? Is the LDAP synchronization only a one-time import process?
LDAP keeps syncing so new users and changes are reflected. It is not a one-time process. The issue is about removing users.
To solve this, Authentik would have to store the source a user came from in the attributes. After each sync, Authentik would then have to check every user with that attribute to see whether it is still included in the new set of users synced from LDAP. With Postgres jsonb, which is used for attributes, this should not be too big of a performance impact. Otherwise this might require a separate table. There is also the question of what to do when a user which was manually created also exists in an LDAP sync. Should that be persisted once it is no longer part of the LDAP sync, or should it then be removed? Regardless, this is an important issue and one we are currently debating how we feel about it before we roll out Authentik to production. In our case all users come from LDAP, so a simplified version or, in the worst case, some hacky cron job might do the trick for us.
I personally have a simple script that runs periodically and checks the list of users in a given LDAP provider (by slug) against the users in an Authentik user path. Authentik users not found in the LDAP server are disabled. My use case and setup are very basic, where LDAP is the source of truth: only one LDAP server and a fixed user path for them in Authentik. Would love to retire my script and have an option in Authentik to 'disable' (or delete) users from that LDAP server when they no longer exist at the source.
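The post-sync check sketched two comments up (tag each imported user with its source, then compare that set against what the latest sync returned) and the periodic "disable what LDAP no longer has" script just described, as one added example. This is not authentik's code or the commenter's script: the user records are plain dicts/dataclasses, the `ldap_source` attribute key, the policy names and all sample data are assumptions, and no authentik API calls are made.

```python
# Added example (not authentik's own code): reconcile users imported from one
# LDAP source against the usernames the latest sync returned. The "ldap_source"
# attribute key, the policy names and the sample data are assumptions.
from dataclasses import dataclass, field

SOURCE_ATTR = "ldap_source"  # hypothetical attribute recording the source slug


@dataclass
class User:
    username: str
    path: str
    is_active: bool = True
    attributes: dict = field(default_factory=dict)


def reconcile(users, source_slug, synced_usernames, policy="disable"):
    """Apply the post-sync check discussed in the thread.

    Only users whose attributes say they came from `source_slug` are touched;
    manually created users (no source attribute) and users from other sources
    are left alone. Returns the remaining users and the usernames acted on.
    """
    if policy not in ("disable", "delete"):
        raise ValueError(f"unknown policy {policy!r}")
    synced = set(synced_usernames)
    kept, touched = [], []
    for u in users:
        from_source = u.attributes.get(SOURCE_ATTR) == source_slug
        if from_source and u.username not in synced:
            touched.append(u.username)
            if policy == "delete":
                continue            # drop the orphan entirely
            u.is_active = False     # otherwise just lock the account
        kept.append(u)
    return kept, touched


# Constructed sample data: two users imported from "corp-ldap", one manually
# created user, and one user that belongs to a different LDAP source.
SAMPLE_USERS = [
    User("alice", "users/ldap", attributes={SOURCE_ATTR: "corp-ldap"}),
    User("bob", "users/ldap", attributes={SOURCE_ATTR: "corp-ldap"}),
    User("carol", "users/manual"),
    User("dave", "users/ldap", attributes={SOURCE_ATTR: "other-ldap"}),
]
SYNCED_NOW = ["alice", "carol"]  # bob no longer comes back from the LDAP query

if __name__ == "__main__":
    remaining, acted = reconcile(SAMPLE_USERS, "corp-ldap", SYNCED_NOW)
    print("disabled:", acted)  # only bob; carol was never LDAP-sourced
```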
Would you mind sharing how you realized the script, to point me in the right direction to apply this workaround myself?
I'm also very much in need of that feature. If someone has a working script to do that via cron or anything else in the meantime, I would be very grateful. Spending some time with the LDAP sync and then realizing that I can't implement it because of that missing feature is a bummer. As of right now I can limit everything to groups, and once a user is deleted in the LDAP backend, the user is removed from all groups but is left in authentik. So access is now denied, but I have no way of finding and deleting all these orphans now...
Describe the bug
Users and groups continue to exist after deleting them from LDAP
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User and/or group should be removed from Authentik when the LDAP provider no longer returns them from the query
Version and Deployment (please complete the following information):
Additional context
Initially discovered when altering LDAP user filter to remove some unneeded accounts