On 10/03/17 12:15, abhishek raghav wrote:
Thanks Marek.
Is it possible by writing a *custom LDAP mapper* and deploying it in
Keycloak for this scenario?
We are using *MSAD* as our LDAP provider.
The use case you pointed out won't be easily solvable with the LDAP mapper SPI.
We don't have federation for groups or roles. So once you assign a new
role to some group in the KC admin console, there is currently no way to
propagate this info and make it visible to LDAP mappers.
What would work is the opposite though. If you assign some LDAP group
"foo-group" as "member" of LDAP role "bar-role", then you won't see
membership between this group and role in the KC admin console. However, your
users in Keycloak who are members of "foo-group" will automatically be
treated as members of "bar-role" in Keycloak as well. Note
that you may need to switch "User Roles Retrieve Strategy" to
"LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper here.
Marek
If yes, do you have any example implementation for the same?
I also found that there is some User Federation Mapper SPI.
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/...
*- Best Regards*
Abhishek Raghav
On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Yes, you're right. This is not available ATM. What is available is
the support for Keycloak group inheritance to be mapped for LDAP
groups. But mapping for:
- Groups-roles membership mappings
- Roles to composite roles membership mappings
is not available now.
Feel free to create a JIRA. But not sure if we'll ever go into it...
Marek
On 10/03/17 11:31, abhishek raghav wrote:
Hi
I have a set of *Realm Roles* that is mapped to a certain *OU=Roles* in an
*MSAD*. Similar is the case for a set of *Groups*.
But when I *assign a group with a certain role, the assignment is visible
in Keycloak. But the same is not reflected on the AD.*
I mean, this mapping of role and group is *not stored in the "member" or
"memberof" attributes of either the respective group or the role*.
Please suggest: is this functionality available using any mapper from
Keycloak to AD? Or do we need to create our own Custom Mapper?
If yes, how?
*- Best Regards*
Abhishek Raghav
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
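Marek's "opposite direction" workaround above (an LDAP group nested as a "member" of an LDAP role) as an added example; this is not code from the thread or from Keycloak. It models a constructed directory under dc=example,dc=com (user alice, group foo-group, roles bar-role and baz-role, all assumed names) and a resolver that mimics the member-attribute retrieve strategies, showing that only the recursive one grants bar-role through foo-group.

```python
# Added example, not code from the thread or from Keycloak. Models the LDAP
# layout from Marek's answer: the group "foo-group" is a "member" of the role
# "bar-role", and the user is a member of "foo-group". Entries are constructed.
BASE = "dc=example,dc=com"
USER = f"cn=alice,ou=Users,{BASE}"
FOO_GROUP = f"cn=foo-group,ou=Groups,{BASE}"
BAR_ROLE = f"cn=bar-role,ou=Roles,{BASE}"
BAZ_ROLE = f"cn=baz-role,ou=Roles,{BASE}"

# Constructed directory: DN -> attributes (only "member" matters here).
ENTRIES = {
    USER: {"member": []},
    FOO_GROUP: {"member": [USER]},          # user is a direct group member
    BAR_ROLE: {"member": [FOO_GROUP]},      # group nested inside the role
    BAZ_ROLE: {"member": [USER]},           # role assigned to the user directly
}
ROLES_OU = f"ou=Roles,{BASE}"


def cn_of(dn):
    """Return the cn value of a DN such as 'cn=bar-role,ou=Roles,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def containers_of(dn, entries):
    """All entries whose 'member' attribute lists dn (groups or roles)."""
    return [d for d, attrs in entries.items() if dn in attrs.get("member", [])]


def roles_by_member_attribute(user_dn, entries, recursive):
    """Role names granted to user_dn through 'member' attributes.
    recursive=False mimics LOAD_ROLES_BY_MEMBER_ATTRIBUTE (direct members only);
    recursive=True mimics LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY, where a
    group that is itself a member of a role grants that role to its members."""
    seen, frontier = set(), [user_dn]
    while frontier:
        dn = frontier.pop()
        for parent in containers_of(dn, entries):
            if parent in seen:
                continue                   # also protects against membership cycles
            seen.add(parent)
            if recursive:
                frontier.append(parent)    # keep climbing through nested groups
    # Only entries under ou=Roles are roles; groups are just the path to them.
    return {cn_of(d) for d in seen if d.lower().endswith("," + ROLES_OU.lower())}


if __name__ == "__main__":
    print(sorted(roles_by_member_attribute(USER, ENTRIES, recursive=False)))  # ['baz-role']
    print(sorted(roles_by_member_attribute(USER, ENTRIES, recursive=True)))   # ['bar-role', 'baz-role']
```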