[keycloak-dev] AD Role Mapping

Marek Posolda mposolda at redhat.com
Wed Sep 2 01:22:12 EDT 2015


I agree that supporting this will be good. Could you please create a JIRA 
for it? I likely won't be able to look at it before the 1.5 release, but 
hopefully it should be possible for the 1.6 release (which is around the end 
of September or the beginning of October or so).

Question: are your Group1 and Group1.1 in the same branch of the LDAP tree (in 
other words, are you using the same Role mapper for both)?

I am actually thinking about 2 possible approaches for implementing it. 
Both have some pros and cons:
1) Recursively search LDAP during each search of user memberships
2) Use Keycloak composite roles

In both cases, there will be an option on the RoleMapper, so it's possible to 
enable/disable this behaviour on demand.

Thanks,
Marek

On 01/09/15 11:31, Andrzej Goławski wrote:
> Hi,
>
> I'm trying to deploy keycloak in my company as primary SSO solution 
> with AD underneath.
>
> In our company AD groups contain other groups as members.
>
> e.g.:
> Let's assume that we have Group1, Group1.1 and TestUser.
>
> Group1 has Group1.1 as a member and Group1.1 contains the user TestUser.
> In that configuration, after importing AD users into Keycloak, TestUser 
> should have two roles: Group1 and Group1.1. But unfortunately it has 
> only Group1.1.
>
> I'm not an AD expert but I hope I've managed to explain the problem 
> well enough.
>
> This is a very important feature for my company and I would like to know if 
> you are going to solve this problem in the near future?
>
> Best Regards,
>  Andrzej
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

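The two approaches Marek sketches above, as an added example that is not part of the thread and not Keycloak's own code: approach 1 walks the `memberOf` chain upward from the user (a recursive search, here over a constructed in-memory directory standing in for LDAP), and approach 2 derives a composite-role map (child role expands to its parent roles) from the same group tree and expands it at login time. The directory entries, DNs and the `lookup` helper are constructed for the example; a real implementation would issue LDAP searches in their place. The block also goes slightly beyond the thread's Group1/Group1.1 case by including a cyclic group pair, to show why both walks need a visited set and a depth limit.

```python
"""Resolve nested (transitive) AD/LDAP group membership.

Added example for the keycloak-dev thread on AD role mapping; this is
illustrative code, not Keycloak's RoleMapper. It models the two options
discussed: (1) a recursive memberOf walk and (2) a composite-role map.
"""
from collections import deque

# Constructed sample directory (DN -> attributes). Not a real AD export.
# Group1 contains Group1.1, which contains TestUser (the thread's case).
# Ops and Admins form a deliberate membership cycle to exercise the guard.
DIRECTORY = {
    "CN=TestUser,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": ["CN=Group1.1,OU=Groups,DC=example,DC=com"],
    },
    "CN=Group1.1,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=Group1,OU=Groups,DC=example,DC=com"],
        "member": ["CN=TestUser,OU=Users,DC=example,DC=com"],
    },
    "CN=Group1,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": [],
        "member": ["CN=Group1.1,OU=Groups,DC=example,DC=com"],
    },
    "CN=Bob,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": ["CN=Ops,OU=Groups,DC=example,DC=com"],
    },
    "CN=Ops,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"],
        "member": ["CN=Bob,OU=Users,DC=example,DC=com"],
    },
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=Ops,OU=Groups,DC=example,DC=com"],
        "member": ["CN=Ops,OU=Groups,DC=example,DC=com"],
    },
}


def role_name(dn):
    """Map a group DN to the role name Keycloak would create (its CN)."""
    return dn.split(",")[0].split("=", 1)[1]


def lookup(dn):
    """Hypothetical LDAP read of one entry; here an in-memory dict lookup."""
    return DIRECTORY.get(dn, {})


def transitive_groups(user_dn, max_depth=32):
    """Approach 1: recursively follow memberOf from the user upward.

    Breadth-first, each group visited once, so a cycle or a diamond in the
    group tree cannot loop. max_depth bounds the number of LDAP round trips
    on a pathological tree. Returns sorted role names.
    """
    seen = set()
    queue = deque((g, 1) for g in lookup(user_dn).get("memberOf", []))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen:
            continue  # already resolved (cycle or shared parent)
        seen.add(dn)
        if depth >= max_depth:
            continue  # stop expanding, keep what we have
        for parent in lookup(dn).get("memberOf", []):
            queue.append((parent, depth + 1))
    return sorted(role_name(d) for d in seen)


def composite_role_map(directory):
    """Approach 2: child role -> parent roles, i.e. the composite links a
    sync would create so that holding Group1.1 implies Group1."""
    comp = {}
    for dn, attrs in directory.items():
        if "group" not in attrs.get("objectClass", []):
            continue
        comp[role_name(dn)] = {role_name(p) for p in attrs.get("memberOf", [])}
    return comp


def expand_composites(direct_roles, comp, max_depth=32):
    """What an expanded role set looks like given only directly mapped roles.
    Expansion flows upward only: Group1.1 grants Group1, never the reverse."""
    result = set(direct_roles)
    frontier = set(direct_roles)
    depth = 0
    while frontier and depth < max_depth:
        frontier = {p for r in frontier for p in comp.get(r, ())} - result
        result |= frontier
        depth += 1
    return sorted(result)


if __name__ == "__main__":
    comp = composite_role_map(DIRECTORY)
    print("recursive:", transitive_groups("CN=TestUser,OU=Users,DC=example,DC=com"))
    print("composite:", expand_composites(["Group1.1"], comp))
    print("cyclic   :", transitive_groups("CN=Bob,OU=Users,DC=example,DC=com"))
```

Two practitioner notes on the approaches. First, on Active Directory itself the recursion of approach 1 can be pushed to the server: the LDAP_MATCHING_RULE_IN_CHAIN matching rule, used as a filter of the form `(member:1.2.840.113556.1.4.1941:=<userDN>)`, returns every group the user belongs to transitively in a single query; this is AD-specific and other LDAP servers do not implement it. Second, the two approaches differ in when privilege changes become visible: the recursive walk reflects the directory at every sync at the cost of one extra query per nesting level, while composite roles answer from Keycloak's own data and stay correct only as long as the composite links are re-synced whenever the AD group tree changes. In both cases the mapping must remain one-directional (members of the nested group inherit the parent group's role, never the reverse) or a low-privilege group would silently gain its parent's members.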