[keycloak-user] ldap synch filtered by group membership

Marek Posolda mposolda at redhat.com
Wed Sep 9 04:13:04 EDT 2015

You mean that only users from the group 
"CN=Group,OU=Users,DC=company,DC=de" should be recognized by keycloak 
and all other users from your LDAP, which are not members of that group, 
should be ignored?

That should be doable by writing your own LDAPFederationMapper and 
implementing "beforeQuery" so that you add the condition for 
"member=CN=Group,OU=Users,DC=company,DC=de" to the query. So you will 
need to write your own code for it.

I am not sure if we should provide functionality like this by 
default in Keycloak, as your use case seems to be quite uncommon to me. 
Maybe I am wrong, but I didn't hear about a similar use case so far.


On 08/09/15 15:27, Kevin Hirschmann wrote:
> Hello,
> I want to sync from an Active Directory. But the selection should
> be limited to users who are members of a specific group.
> CN=Group, OU=Users,DC=company,DC=de gives no result.
> Is this possible? If so, which keycloak version supports this?
> Thx for your help.
> Kind regards
> Kevin Hirschmann
> HUEBINET Informationsmanagement GmbH & Co. KG
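
The condition described in the reply, as an added example that is not part of the original message and is not Keycloak code: it builds the search filter a custom mapper would have to add, escaping the group DN as RFC 4515 requires. The base filter `(objectClass=user)` and the `memberOf` attribute name are assumptions about the directory, and the Keycloak mapper wiring is not shown.

```java
import java.util.regex.Pattern;

/** Added example: builds a group-restricted LDAP search filter. Not Keycloak code. */
public class GroupRestrictedFilter {

    // LDAP attribute descriptors: a letter followed by letters, digits or hyphens.
    private static final Pattern ATTR_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9-]*");

    /** Escapes a filter assertion value as RFC 4515 requires. */
    static String escapeValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** ANDs a membership condition onto the filter the sync already uses. */
    static String restrictToGroup(String baseFilter, String membershipAttr, String groupDn) {
        if (!ATTR_NAME.matcher(membershipAttr).matches()) {
            throw new IllegalArgumentException("invalid attribute name: " + membershipAttr);
        }
        String base = baseFilter.trim();
        if (!base.startsWith("(")) {
            base = "(" + base + ")";   // accept "objectClass=user" as well as "(objectClass=user)"
        }
        return "(&" + base + "(" + membershipAttr + "=" + escapeValue(groupDn) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample input: the base filter and attribute name are assumptions.
        String base = "(objectClass=user)";
        String group = "CN=Group,OU=Users,DC=company,DC=de";
        System.out.println(restrictToGroup(base, "memberOf", group));
        // A value containing filter metacharacters stays inside one assertion.
        System.out.println(restrictToGroup(base, "memberOf", "CN=a)(cn=*,DC=de"));
    }
}
```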
