[keycloak-user] Retrieve Roles-Groups association from LDAP

Marek Posolda mposolda at redhat.com
Wed May 25 10:47:38 EDT 2016


Hello,

It's possible to sync roles to/from LDAP using the role mapper and 
groups using the group mapper. However, ATM it's not possible to map 
the group-role membership from LDAP into Keycloak.

For example, if you have the role mapper configured for roles from 
"ou=roles,dc=example,dc=com" and the group mapper for groups from 
"ou=groups,dc=example,dc=com", and you have the LDAP group 
"cn=group1,ou=groups,dc=example,dc=com" which has member 
"cn=role1,ou=roles,dc=example,dc=com", then in Keycloak you won't see 
that group "group1" has role "role1" as its member.

If you have MSAD, you can use the "User Roles Retrieve Strategy" value 
"LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY", and then the role of the user 
will be visible in Keycloak even if it's available just recursively. For 
example, "cn=role1,ou=roles,dc=example,dc=com" has member 
"cn=group1,ou=groups,dc=example,dc=com" and 
"cn=group1,ou=groups,dc=example,dc=com" has member 
"cn=myuser,ou=users,dc=example,dc=com". Then in Keycloak you will see 
that user "myuser" is a member of "role1".

It will be good to support the groups-roles relationship though. Feel free 
to create a JIRA for that and add your use case (ideally with some example 
snippet of your LDAP tree and how exactly you want the membership 
relationship to be visible in Keycloak based on the mappings from your LDAP).

Thanks,
Marek


On 24/05/16 13:07, Harits Elfahmi wrote:
> Hello guys,
>
> We're trying to sync roles and groups from LDAP to Keycloak and vice 
> versa.
> If we attach some Keycloak roles to a group, can this association be 
> synced back to LDAP? How should I configure my User Federation Mapper for 
> the Group mapper?
>
> From what I understand we can set the Membership LDAP Attribute, but I 
> think this is to associate between groups and users, not groups and 
> roles. Is it possible to do this, or can the group-roles association 
> only be configured from Keycloak?
>
> Thanks
> -- 
> Cheers,
> Harits Elfahmi
>
>
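As an added illustration of the difference between the direct and recursive role lookups described in the reply (example code written for this thread, not Keycloak's own implementation): a small constructed LDAP tree is modelled as a dictionary of DN to member-attribute values, and a user's roles are resolved both ways, including a group cycle that a recursive lookup must not loop on. The non-recursive counterpart is assumed to be Keycloak's LOAD_ROLES_BY_MEMBER_ATTRIBUTE strategy.

```python
# Constructed LDAP tree (not a real directory), modelled on the example in the
# reply above: each DN maps to the DNs listed in its "member" attribute.
# Entries under ou=roles are roles, under ou=groups are groups, under ou=users are users.
LDAP_TREE = {
    "cn=role1,ou=roles,dc=example,dc=com": ["cn=group1,ou=groups,dc=example,dc=com"],
    "cn=role2,ou=roles,dc=example,dc=com": ["cn=myuser,ou=users,dc=example,dc=com"],
    "cn=group1,ou=groups,dc=example,dc=com": [
        "cn=group2,ou=groups,dc=example,dc=com",
        "cn=myuser,ou=users,dc=example,dc=com",
    ],
    # Constructed cycle: group2 lists group1 as a member while group1 lists group2.
    "cn=group2,ou=groups,dc=example,dc=com": ["cn=group1,ou=groups,dc=example,dc=com"],
    "cn=myuser,ou=users,dc=example,dc=com": [],
    "cn=other,ou=users,dc=example,dc=com": [],
}

ROLES_DN = "ou=roles,dc=example,dc=com"  # assumed base DN of the role mapper


def is_role(dn):
    """True if the DN lives directly under the role mapper's base DN."""
    return dn.lower().endswith("," + ROLES_DN)


def roles_by_member_attribute(tree, user_dn):
    """Direct strategy: only roles whose member attribute lists the user itself."""
    return sorted(dn for dn, members in tree.items() if is_role(dn) and user_dn in members)


def roles_by_member_attribute_recursively(tree, user_dn):
    """Recursive strategy: a role counts if the user is a member directly or through
    any chain of groups. A visited set stops the walk on membership cycles."""
    parents = {}  # reverse index: member DN -> entries that list it as a member
    for dn, members in tree.items():
        for member in members:
            parents.setdefault(member, []).append(dn)
    found, visited, stack = set(), set(), [user_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue  # already expanded; this is what breaks the group1/group2 cycle
        visited.add(dn)
        for parent in parents.get(dn, []):
            if is_role(parent):
                found.add(parent)
            stack.append(parent)  # keep climbing through nested groups
    return sorted(found)
```

With this tree, the direct lookup for "myuser" returns only role2, while the recursive lookup also returns role1 through group1, matching the behaviour described for LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY.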
