2
votes

I am trying to set up User Federation from an LDAP server to Keycloak. I managed to import all the users and groups respectively from the LDAP server; however, the user-group (the Groups tab in the Users section) doesn't show the actual mapped groups, although I can see those users present in the groups listed in the Members tab of the Groups section…

I went through all the articles in the Keycloak forum/Jira tickets/mailing list and I did find a ticket describing the exact issue that I am experiencing now (https://lists.jboss.org/pipermail/keycloak-user/2018-February/013076.html), and Marek also replied to it; however, I still couldn't figure out what configuration I set incorrectly just from the information provided in the post.

Could anyone please help me out? Thanks ahead!

[Screenshot: User-Group]

[Screenshot: Group]

[Screenshot: User Configuration]

[Screenshot: Group Mapper Configuration]

Thanks,

Chance

1 Answer

0
votes

Looks like the issue was in the LDAP server. The problem only exists when I import the users from the FreeIPA DB. However, when I try to federate to an AD server, the user-group information just comes along with the users without any additional modification!

Below is the configuration I have used in the successful case. Hopefully it will help others who encounter a similar issue. Thanks everyone for the attention.

[User Federation Provider Settings]
Enabled: ON (Default)
Console Display Name:
Priority: 0 (Default)
Import Users: ON (Default)
Edit Mode: READ_ONLY
Sync Registrations: OFF (Default)
Vendor: Active Directory (This is important. Once I switched to AD instead of FreeIPA, the issue was gone.)
Username LDAP attribute: sAMAccountName
RDN LDAP attribute: cn
UUID LDAP attribute: objectGUID
User Object Classes: person, organizationalPerson, user (You should check which object classes the server is currently configured with and adjust accordingly.)
Connection URL: ldap://:389 (If you are using ldaps, the port is 636.)
Users DN: <the scope that includes all the users you would like to import, e.g. OU=User,DC=example,DC=com>
Bind Type: simple
Enable StartTLS: OFF (Default)
Bind DN:
Bind Credential:
Custom User LDAP Filter: <You can leave it blank if you don't want to filter. However, if you would like to filter something, for example users from a specific group, you can use a filter such as (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=,OU=,DC=example,DC=com))>
Search Scope: Subtree (If the users are all one level under the Users DN, you can choose the "One level" option.)
Validate Password Policy: OFF (Default)
Trust Email: OFF (Default)
Use Truststore SPI: Only for ldaps
Connection Pooling: On

Leave the rest of the settings blank.

You need to configure a group-ldap-mapper as well.

[Group Mapper]
Name:
Mapper Type: group-ldap-mapper
LDAP Groups DN: <where the groups of this tree are stored, for example OU=Group,DC=example,DC=com>
Group Name LDAP Attribute: cn
Group Object Classes: group
Preserve Group Inheritance: ON
Ignore Missing Groups: OFF (Default)
Membership LDAP Attribute: member
Membership Attribute Type: DN
Membership User LDAP Attribute: sAMAccountName
LDAP Filter: <You can leave it blank if you don't want to filter any group>
Mode: READ_ONLY
User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
Member-Of LDAP Attribute: memberOf
Mapped Group Attributes:
Drop non-existing groups during sync: ON
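As an added diagnostic, not part of the question or the answer above, this Python snippet models how the group mapper's two retrieve strategies resolve a user's groups against a constructed LDIF export using the answer's settings (member/DN on the group side, memberOf on the user side); the sample entries and the parsing helper are assumptions, not data from the original thread.

```python
import re

# Constructed sample directory export (AD-style attribute names), not real data.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=User,DC=example,DC=com
objectClass: user
sAMAccountName: alice
memberOf: CN=Admins,OU=Group,DC=example,DC=com

dn: CN=Bob,OU=User,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=Admins,OU=Group,DC=example,DC=com
objectClass: group
cn: Admins
member: CN=Alice,OU=User,DC=example,DC=com
member: CN=Bob,OU=User,DC=example,DC=com
"""

def parse_ldif(text):
    """Parse a simple (unfolded, unencoded) LDIF into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def user_groups(entries, user_dn, strategy, membership_attr="member",
                membership_type="DN", user_attr="sAMAccountName", member_of_attr="memberOf"):
    """Group DNs the mapper would attach to user_dn under the given retrieve strategy."""
    user = entries[user_dn]
    if strategy == "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE":
        # Trusts the user's back-link: empty when the server never writes memberOf.
        return set(user.get(member_of_attr, []))
    # LOAD_GROUPS_BY_MEMBER_ATTRIBUTE: find groups whose member values name the user,
    # compared as a DN or as the login attribute depending on Membership Attribute Type.
    wanted = user_dn if membership_type == "DN" else user[user_attr][0]
    return {dn for dn, e in entries.items() if "group" in e.get("objectClass", [])
            and any(v.lower() == wanted.lower() for v in e.get(membership_attr, []))}

def strategy_mismatches(entries, **mapper):
    """Users for whom the two strategies disagree: mapper settings don't match the directory."""
    users = [dn for dn, e in entries.items() if "user" in e.get("objectClass", [])]
    views = {dn: (user_groups(entries, dn, "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE", **mapper),
                  user_groups(entries, dn, "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE", **mapper))
             for dn in users}
    return {dn: v for dn, v in views.items() if v[0] != v[1]}
```

Run `strategy_mismatches(parse_ldif(SAMPLE_LDIF))` to see that Bob is only found through the group's member attribute, and pass `membership_type="UID"` to see how a DN-valued member attribute resolves nothing when the type is wrong.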