I have a Keycloak with an OpenLDAP User Federation. In the LDAP, I have a user 'someUser' that belongs to multiple groups, namely:
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
cn: developers
member: cn=architects,ou=groups,dc=example,dc=com

dn: cn=architects,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
cn: architects
member: uid=someUser,ou=People,dc=example,dc=com
On my Keycloak, for the LDAP I have created an LDAP Mapper for the roles, like the following:
- Mapper Type : role-ldap-mapper
- LDAP Roles DN : ou=groups,dc=example,dc=com
- Role Name LDAP Attribute : cn
- Role Object Classes: groupOfNames
- Membership LDAP Attribute : member
- Membership Attribute Type : DN
- Membership User LDAP Attribute : uid
- LDAP Filter:
- MODE : READ_ONLY
- User Roles Retrieve Strategy: LOAD_ROLES_BY_MEMBER_ATTRIBUTE
- Member-Of LDAP Attribute : memberOf
- Use Realm Roles Mapping : ON
The problem is that when I try to get a token on behalf of the user 'someUser', only the role 'architects' appears on the token. Based on the LDAP nested grouping, I expected that both the 'architects' and 'developers' roles would appear on the token.
Based on other answers on similar topics, I tried to add the following to the LDAP filter:
memberOf:1.2.840.113556.1.4.1941
But this seems to only work with Microsoft Active Directory.
My question is, what do I have to do in order to have both roles 'architects' and 'developers' in the token (besides hardcoding them)?
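The matching-rule OID in the question is an Active Directory extension, and OpenLDAP's groupOfNames entries only record direct membership, so the nesting has to be expanded by whoever reads the groups. The following is an added example, not code from the question or from Keycloak: it resolves nested group membership client-side over a constructed in-memory copy of the question's two group entries, following `member` links upward until no new group is found, with a visited set so a membership cycle cannot loop forever. The `GROUPS` dictionary and the DN strings are assumptions mirroring the question's LDIF; in practice the same walk would be driven by repeated `ldapsearch` queries of the form `(member=<dn>)`, or by a Keycloak mapper that understands nesting.

```python
"""Resolve nested groupOfNames membership client-side (added example).

OpenLDAP does not expand nested groups server-side, so this walks the
`member` attributes itself and returns every group the user reaches,
which is the set of roles a nesting-aware mapper would put in the token.
"""
from collections import deque

# Constructed sample directory: group DN -> values of its `member` attribute.
# Mirrors the question's LDIF: developers contains architects, which contains someUser.
GROUPS = {
    "cn=developers,ou=groups,dc=example,dc=com": [
        "cn=architects,ou=groups,dc=example,dc=com",
    ],
    "cn=architects,ou=groups,dc=example,dc=com": [
        "uid=someUser,ou=People,dc=example,dc=com",
    ],
}


def direct_groups(member_dn, groups):
    """Groups whose `member` attribute lists member_dn directly.

    DNs are compared case-insensitively, as an LDAP server would.
    """
    needle = member_dn.lower()
    return {g for g, members in groups.items() if needle in (m.lower() for m in members)}


def effective_groups(user_dn, groups):
    """Transitive closure of direct_groups, i.e. nested membership.

    The `seen` set guards against cycles (A member of B, B member of A),
    which OpenLDAP will happily store.
    """
    seen = set()
    queue = deque(direct_groups(user_dn, groups))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        # Parent groups that list this group as a member, minus ones already handled.
        queue.extend(direct_groups(group_dn, groups) - seen)
    return seen


def role_names(user_dn, groups):
    """The cn (Role Name LDAP Attribute in the mapper) of every effective group, sorted."""
    names = []
    for dn in effective_groups(user_dn, groups):
        rdn = dn.split(",", 1)[0]          # "cn=developers"
        names.append(rdn.split("=", 1)[1])  # "developers"
    return sorted(names)


if __name__ == "__main__":
    # Expected: ['architects', 'developers'] -- both roles, as the question wants.
    print(role_names("uid=someUser,ou=People,dc=example,dc=com", GROUPS))
```

Running the script prints both role names for 'someUser', where the READ_ONLY mapper configured in the question yields only 'architects'; the difference is exactly the upward walk in `effective_groups`, which nothing in a plain OpenLDAP `groupOfNames` search performs for you.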