[keycloak-user] can't resolve groups from multiple group mappers

Marek Posolda mposolda at redhat.com
Fri Sep 29 10:56:51 EDT 2017


Maybe if you can enable TRACE logging for the 
"org.keycloak.storage.ldap" it may help. It shows the configuration at 
startup, but also it shows the LDAP queries. Maybe this can show why the 
roles can't be retrieved.

Marek


On 29/09/17 16:35, Tiemen Ruiten wrote:
> Marek, thanks for your answer. I had already tried that and it didn't 
> work. I set up an AD federation and a role mapper in a clean testing 
> realm with the same results. If you are interested, I can share the 
> realm configuration with you for reproducing.
>
> On 29 September 2017 at 15:06, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     In configuration of your LDAP Group mapper, you can select "User
>     Roles Retrieve Strategy" to be
>     "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" . Then it should be
>     possible to recursively retrieve the memberships, hence user will
>     be treated as member of "access" group too.
>
>     This is specific to Active Directory, but since you're using it,
>     it should work fine.
>
>     Marek
>
>     On 28/09/17 10:28, Tiemen Ruiten wrote:
>>     Hm, I wrote this down the wrong way, apologies. What I meant to
>>     say was that the /access/ groups don't have any members, which
>>     they should have from the user groups. Looks like my issue is
>>     https://issues.jboss.org/browse/KEYCLOAK-1797
>>     <https://issues.jboss.org/browse/KEYCLOAK-1797>. Nested groups
>>     are quite common in Active Directory, it would be nice if this
>>     issue could receive some attention.
>>
>>
>>     On 28 September 2017 at 09:41, Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>> wrote:
>>
>>         Not expected. It should work and our tests are passing. Looks
>>         like some mis-configuration or something. We have an example
>>         in keycloak-examples distribution called "ldap" . Here you
>>         can see some example how can LDAP role be configured (no
>>         example for group-mapper yet, but it's quite similar to role
>>         mapper)
>>
>>         Marek
>>
>>
>>         On 26/09/17 12:04, Tiemen Ruiten wrote:
>>
>>             Hello,
>>
>>             I'm testing with the following setup:
>>
>>             In our Active Directory, which is federated to Keycloak,
>>             we have a
>>             container with 'access' groups (groups that are used to
>>             give access to
>>             certain applications, akin to Keycloak roles) and a
>>             container for 'user'
>>             groups (eg. sales, it, marketing etc.). Users are always
>>             only direct
>>             members of a user group. The access groups can only have
>>             user groups as
>>             members, never users.
>>
>>             In Keycloak, I have created two LDAP-group-mappers for
>>             both containers, but
>>             unfortunately, none of the user groups show any members.
>>             Is this expected?
>>
>>             Using Keycloak 3.2.1 Final.
>>
>>
>>
>>
>>
>>     -- 
>>     Tiemen Ruiten
>>     Systems Engineer
>>     R&D Media
>
>
>
>
>
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media




More information about the keycloak-user mailing list