Hello, I'm testing with the following setup: In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users. In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected? Using Keycloak 3.2.1 Final.

Hm, I wrote this down the wrong way, apologies. What I meant to say was that the /access/ groups don't have any members, which they should have from the user groups. Looks like my issue is https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite common in Active Directory, it would be nice if this issue could receive some attention. On 28 September 2017 at 09:41, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: Not expected. It should work and our tests are passing. Looks like some mis-configuration or something. We have an example in keycloak-examples distribution called "ldap" . Here you can see some example how can LDAP role be configured (no example for group-mapper yet, but it's quite similar to role mapper) Marek On 26/09/17 12:04, Tiemen Ruiten wrote: Hello, I'm testing with the following setup: In our Active Directory, which is federated to Keycloak, we have a container with 'access' groups (groups that are used to give access to certain applications, akin to Keycloak roles) and a container for 'user' groups (eg. sales, it, marketing etc.). Users are always only direct members of a user group. The access groups can only have user groups as members, never users. In Keycloak, I have created two LDAP-group-mappers for both containers, but unfortunately, none of the user groups show any members. Is this expected? Using Keycloak 3.2.1 Final. -- Tiemen Ruiten Systems Engineer R&D Media

Marek, thanks for your answer. I had already tried that and it didn't work. I set up an AD federation and a role mapper in a clean testing realm with the same results. If you are interested, I can share the realm configuration with you for reproducing. On 29 September 2017 at 15:06, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: In configuration of your LDAP Group mapper, you can select "User Roles Retrieve Strategy" to be "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" . Then it should be possible to recursively retrieve the memberships, hence user will be treated as member of "access" group too. This is specific to Active Directory, but since you're using it, it should work fine. Marek On 28/09/17 10:28, Tiemen Ruiten wrote: > Hm, I wrote this down the wrong way, apologies. What I meant to > say was that the /access/ groups don't have any members, which > they should have from the user groups. Looks like my issue is > https://issues.jboss.org/browse/KEYCLOAK-1797 > <https://issues.jboss.org/browse/KEYCLOAK-1797>;. Nested groups > are quite common in Active Directory, it would be nice if this > issue could receive some attention. > > > On 28 September 2017 at 09:41, Marek Posolda <mposolda(a)redhat.com > <mailto:mposolda@redhat.com>> wrote: > > Not expected. It should work and our tests are passing. Looks > like some mis-configuration or something. We have an example > in keycloak-examples distribution called "ldap" . Here you > can see some example how can LDAP role be configured (no > example for group-mapper yet, but it's quite similar to role > mapper) > > Marek > > > On 26/09/17 12:04, Tiemen Ruiten wrote: > > Hello, > > I'm testing with the following setup: > > In our Active Directory, which is federated to Keycloak, > we have a > container with 'access' groups (groups that are used to > give access to > certain applications, akin to Keycloak roles) and a > container for 'user' > groups (eg. sales, it, marketing etc.). Users are always > only direct > members of a user group. The access groups can only have > user groups as > members, never users. > > In Keycloak, I have created two LDAP-group-mappers for > both containers, but > unfortunately, none of the user groups show any members. > Is this expected? > > Using Keycloak 3.2.1 Final. > > > > > > -- > Tiemen Ruiten > Systems Engineer > R&D Media -- Tiemen Ruiten Systems Engineer R&D Media

I finally got around to testing this with TRACE logging and found out that I was looking in the wrong place: the 'Groups' -> 'User Groups' section of the dashboard. Only direct members of the group would be shown there. The groups for the user are showing correctly in the 'Groups' tab of the particular user in the 'Users' setting in my test realm. On 29 September 2017 at 16:56, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: Maybe if you can enable TRACE logging for the "org.keycloak.storage.ldap" it may help. It shows the configuration at startup, but also it shows the LDAP queries. Maybe this can show why the roles can't be retrieved. Marek On 29/09/17 16:35, Tiemen Ruiten wrote: > Marek, thanks for your answer. I had already tried that and it > didn't work. I set up an AD federation and a role mapper in a > clean testing realm with the same results. If you are interested, > I can share the realm configuration with you for reproducing. > > On 29 September 2017 at 15:06, Marek Posolda <mposolda(a)redhat.com > <mailto:mposolda@redhat.com>> wrote: > > In configuration of your LDAP Group mapper, you can select > "User Roles Retrieve Strategy" to be > "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" . Then it > should be possible to recursively retrieve the memberships, > hence user will be treated as member of "access" group too. > > This is specific to Active Directory, but since you're using > it, it should work fine. > > Marek > > On 28/09/17 10:28, Tiemen Ruiten wrote: >> Hm, I wrote this down the wrong way, apologies. What I meant >> to say was that the /access/ groups don't have any members, >> which they should have from the user groups. Looks like my >> issue is https://issues.jboss.org/browse/KEYCLOAK-1797 >> <https://issues.jboss.org/browse/KEYCLOAK-1797>;. Nested >> groups are quite common in Active Directory, it would be >> nice if this issue could receive some attention. >> >> >> On 28 September 2017 at 09:41, Marek Posolda >> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: >> >> Not expected. It should work and our tests are passing. >> Looks like some mis-configuration or something. We have >> an example in keycloak-examples distribution called >> "ldap" . Here you can see some example how can LDAP role >> be configured (no example for group-mapper yet, but it's >> quite similar to role mapper) >> >> Marek >> >> >> On 26/09/17 12:04, Tiemen Ruiten wrote: >> >> Hello, >> >> I'm testing with the following setup: >> >> In our Active Directory, which is federated to >> Keycloak, we have a >> container with 'access' groups (groups that are used >> to give access to >> certain applications, akin to Keycloak roles) and a >> container for 'user' >> groups (eg. sales, it, marketing etc.). Users are >> always only direct >> members of a user group. The access groups can only >> have user groups as >> members, never users. >> >> In Keycloak, I have created two LDAP-group-mappers >> for both containers, but >> unfortunately, none of the user groups show any >> members. Is this expected? >> >> Using Keycloak 3.2.1 Final. >> >> >> >> >> >> -- >> Tiemen Ruiten >> Systems Engineer >> R&D Media > > > > > > -- > Tiemen Ruiten > Systems Engineer > R&D Media -- Tiemen Ruiten Systems Engineer R&D Media