[keycloak-user] role-ldap-mapper oddities
Ryan Slominski
ryans at jlab.org
Wed Apr 3 07:58:42 EDT 2019
Anyone notice the following oddities with the role-ldap-mapper (Keycloak 5.0.0):
1. It has fewer options than group-ldap-mapper despite doing essentially the same thing.
   * "Drop non-existing groups during sync" is missing (label would be "Drop non-existing roles during sync")
   * "Ignore Missing Groups" is missing (label would be "Ignore Missing Roles")
   * "Preserve Group Inheritance" is missing (label would be "Preserve Role Inheritance")
   * "Mapped Group Attributes" is missing? Maybe Roles don't have attributes? This one may not matter
2. Looking up members of a role shows an empty set, but looking up the roles of a specific user works (bug?)
   * Using the web admin console "Role" page, select a role and see it has empty membership
   * Using the web admin console "User" page, select a user and see it has multiple roles, including one that was "empty" from the "Role" page