[keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP

Marek Posolda mposolda at redhat.com
Mon Mar 13 05:45:38 EDT 2017


On 10/03/17 12:15, abhishek raghav wrote:
> Thanks Marek.
>
> Is it possible by writing a *custom LDAP mapper* and deploying it in 
> Keycloak for this scenario?
> We are using *MSAD* as our LDAP provider.
The use case you pointed out won't be easily solvable with the LDAP mapper SPI. 
We don't have federation for groups or roles. So once you assign a new 
role to some group in the KC admin console, there is currently no way to 
propagate this info and make it visible to LDAP mappers.

What would work is the opposite though. If you assign some LDAP group 
"foo-group" as "member" of LDAP role "bar-role", then you won't see 
membership between this group and role in KC admin console. However your 
users in Keycloak, which are members of "foo-group" will be 
automatically treated as members of "bar-role" in Keycloak as well. Note 
that you may need to switch "User Roles Retrieve Strategy" to 
"LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper here.

Marek
>
> If yes, do you have any example implementation for the same.
> I also found that there is some SPI for User Federation Mapper SPI.
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html
>
> *- Best Regards*
>    Abhishek Raghav
>
> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
>     Yes, you're right. This is not available ATM. What is available is
>     the support for Keycloak group inheritance to be mapped for LDAP
>     groups. But mapping for:
>     - Groups-roles membership mappings
>     - Roles to composite roles membership mappings
>     is not available now.
>
>     Feel free to create JIRA. But not sure if we ever go into it...
>
>     Marek
>
>
>     On 10/03/17 11:31, abhishek raghav wrote:
>
>         Hi
>
>         I have a set of *Realm Roles* that is mapped to a certain
>         *OU=Roles* in an *MSAD*. Similar is the case for a set of *Groups*.
>
>         But when I *assign a group a certain role, the assignment is
>         visible in Keycloak. But the same is not reflected in the AD.*
>         I mean, this mapping of role and group is *not stored in the
>         "member" or "memberOf" attributes of either the respective
>         group or the role*.
>
>         Please suggest: is this functionality available using any
>         mapper from Keycloak to AD? Or do we need to create our own
>         custom mapper? If yes, how?
>
>
>         *- Best Regards*
>             Abhishek Raghav
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user at lists.jboss.org
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
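Marek's reply above describes the one direction that does work today: an LDAP group listed in the `member` attribute of an LDAP role, with the role mapper's "User Roles Retrieve Strategy" switched to LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY. The Python below is an added example, not Keycloak code and not from either participant in the thread. It models the semantics of the two retrieve strategies over a constructed, in-memory MSAD-style directory (every DN, the `foo-group`/`bar-role` entries and the `cycle-a`/`cycle-b` groups are all made up for the example) and shows why the non-recursive strategy misses a role granted through a group, and why the recursive walk needs a cycle guard so that nested groups referencing each other do not loop forever.

```python
"""Added example (not Keycloak code): resolve a user's LDAP roles by walking
the `member` attribute of role entries, once directly and once recursively,
modelling LOAD_ROLES_BY_MEMBER_ATTRIBUTE vs LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY.
The directory contents below are constructed for the example."""

from collections import deque

BASE_DN = "dc=example,dc=com"
ROLES_OU = f"ou=Roles,{BASE_DN}"     # assumed OU holding the "role" entries
GROUPS_OU = f"ou=Groups,{BASE_DN}"   # assumed OU holding the group entries
USERS_OU = f"ou=Users,{BASE_DN}"

ALICE = f"cn=alice,{USERS_OU}"
BOB = f"cn=bob,{USERS_OU}"
FOO_GROUP = f"cn=foo-group,{GROUPS_OU}"
CYCLE_A = f"cn=cycle-a,{GROUPS_OU}"
CYCLE_B = f"cn=cycle-b,{GROUPS_OU}"
BAR_ROLE = f"cn=bar-role,{ROLES_OU}"
BAZ_ROLE = f"cn=baz-role,{ROLES_OU}"
QUX_ROLE = f"cn=qux-role,{ROLES_OU}"

# Constructed MSAD-style directory: DN -> attributes. In AD both "groups" and
# "roles" are group objects whose `member` attribute lists the DNs of members.
DIRECTORY = {
    ALICE: {"objectClass": ["user"]},
    BOB: {"objectClass": ["user"]},
    # foo-group contains alice; bar-role contains foo-group, NOT alice directly
    FOO_GROUP: {"objectClass": ["group"], "member": [ALICE]},
    BAR_ROLE: {"objectClass": ["group"], "member": [FOO_GROUP]},
    # baz-role lists bob directly, so both strategies find it
    BAZ_ROLE: {"objectClass": ["group"], "member": [BOB]},
    # two nested groups that are members of each other: a naive walk loops forever
    CYCLE_A: {"objectClass": ["group"], "member": [CYCLE_B, ALICE]},
    CYCLE_B: {"objectClass": ["group"], "member": [CYCLE_A]},
    QUX_ROLE: {"objectClass": ["group"], "member": [CYCLE_B]},
}


def under(dn, ou):
    """True if `dn` sits below the given OU (case-insensitive suffix match)."""
    return dn.lower().endswith("," + ou.lower())


def entries_listing(member_dn):
    """In-memory stand-in for the LDAP search (member=<member_dn>) over the tree."""
    return [dn for dn, attrs in DIRECTORY.items()
            if member_dn in attrs.get("member", [])]


def cn(dn):
    """Leftmost RDN value, e.g. 'bar-role' from 'cn=bar-role,ou=Roles,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def roles_direct(user_dn):
    """Non-recursive strategy: only role entries whose `member` names the user."""
    return sorted(cn(dn) for dn in entries_listing(user_dn) if under(dn, ROLES_OU))


def roles_recursive(user_dn):
    """Recursive strategy: follow `member` chains up through groups (and roles),
    collecting every entry under the roles OU. The `seen` set is the cycle guard."""
    seen = {user_dn}
    queue = deque([user_dn])
    roles = set()
    while queue:
        current = queue.popleft()
        for parent in entries_listing(current):
            if parent in seen:
                continue  # already visited: breaks cycle-a <-> cycle-b
            seen.add(parent)
            if under(parent, ROLES_OU):
                roles.add(cn(parent))
            queue.append(parent)  # keep walking: groups of groups, role chains
    return sorted(roles)


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(cn(user), "direct:", roles_direct(user),
              "recursive:", roles_recursive(user))
```

With the constructed data, `alice` gets no roles under the direct strategy (she is only a member of `foo-group`, which is the member of `bar-role`) but `bar-role` and `qux-role` under the recursive one; `bob` gets `baz-role` either way. This matches the caveat in the reply: the group-to-role membership itself never shows up in the admin console, the user simply ends up holding the role.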


