KEYCLOAK-12579

LDAP groups duplicated during UI listing of user groups

    Details

    • Steps to Reproduce:

      1. Start fresh Keycloak 8
      2. Via User Federation connect Keycloak to an Active Directory system. Ensure that you have the "groups mapper" enabled under Mappers (tried both LOAD_GROUPS_BY_MEMBER_ATTRIBUTE and GET_GROUPS_FROM_MEMBEROF_ATTRIBUTE with same results).
      3. Do NOT perform any explicit synchronization of data between Active Directory and Keycloak.
      4. In the Active Directory have 2 users: "ad" which is a member of "XYZ Users", and "ad2" which is a member of "XYZ Admins". Probably ok to only have 1 account but I had 2.
      5. Click the Groups menu item in Keycloak, you will only see Keycloak groups and not any of the XYZ groups.
      6. Perform an authentication with the user "ad". The Groups menu now shows 1 entry of the "XYZ Users" group.
      7. Go to "Users" -> search for "ad*" -> select the "ad2" user, click the Groups tab. You will see that the user is a member of "/XYZ Admins".
      8. Go back to Groups in the left side menu. You now see 3 "XYZ Admins" entries in the list of groups.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      This issue is possibly a duplicate of KEYCLOAK-9812 and/or KEYCLOAK-10426 but specifically about Keycloak 8 and with a somewhat different means of reproducing the issue.

      Issue

      When LDAP federation is enabled and group synchronization has NOT been performed, Keycloak creates groups on-the-fly based on a user's group memberships as part of logins, or seemingly also when a user's memberships are listed in the UI through Users -> search for AD/LDAP user -> select user -> Groups.

      The groups that are created in this ad-hoc fashion cause duplicate entries to be created. You can easily end up with 2-3 groups with the same name but different UUID inside Keycloak.

      Workaround

      If an explicit synchronization of LDAP groups into Keycloak is done first, no additional groups seem to be created, so in that case it is possible for the ad-hoc group creation to correlate a group name to an existing group and use that rather than create a new group with the same name.
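      An added check for this symptom (example code written for this page; it is not from the report or from Keycloak itself): it walks a realm's group tree as returned by the Admin REST API, reports every group path that more than one group UUID shares, and includes a helper that triggers the explicit group-mapper sync the workaround relies on. The sample group JSON is constructed to mirror the state after step 8 above (the UUIDs are made up); the base URL, realm, admin token, federation provider ID and mapper ID are placeholders you must supply, and the sync endpoint path is taken from the Admin REST API but should be checked against the docs for your Keycloak version.

```python
"""Spot duplicate groups (same path, different UUID) in a Keycloak realm.

Added example for KEYCLOAK-12579; not code from the Jira report or from
Keycloak. The group JSON shape and the admin REST paths follow the Keycloak
Admin REST API; base URL, realm, token and IDs are placeholders.
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample in the shape of GET /admin/realms/{realm}/groups
# (Keycloak 8 nests child groups under "subGroups"). It mirrors the state
# the report describes after step 8: three "XYZ Admins" entries with
# distinct UUIDs, one "XYZ Users", and an unrelated native group tree.
# All UUIDs here are made up.
SAMPLE_GROUPS = [
    {"id": "c1f0b6d2-0000-4000-8000-000000000001", "name": "XYZ Users",
     "path": "/XYZ Users", "subGroups": []},
    {"id": "c1f0b6d2-0000-4000-8000-000000000002", "name": "XYZ Admins",
     "path": "/XYZ Admins", "subGroups": []},
    {"id": "c1f0b6d2-0000-4000-8000-000000000003", "name": "XYZ Admins",
     "path": "/XYZ Admins", "subGroups": []},
    {"id": "c1f0b6d2-0000-4000-8000-000000000004", "name": "XYZ Admins",
     "path": "/XYZ Admins", "subGroups": []},
    {"id": "c1f0b6d2-0000-4000-8000-000000000005", "name": "Engineering",
     "path": "/Engineering", "subGroups": [
         {"id": "c1f0b6d2-0000-4000-8000-000000000006", "name": "Platform",
          "path": "/Engineering/Platform", "subGroups": []},
     ]},
]


def walk_groups(groups: Iterable[dict]) -> Iterable[dict]:
    """Depth-first walk over a group tree, yielding every group node."""
    for group in groups:
        yield group
        yield from walk_groups(group.get("subGroups") or [])


def find_duplicate_groups(groups: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {path: [ids, ...]} for every path shared by more than one group.

    Group names are only unique per parent in Keycloak, so the full path is
    the right key; several groups with the same path but different UUIDs are
    exactly the ad-hoc duplicates this issue describes.
    """
    ids_by_path: Dict[str, List[str]] = defaultdict(list)
    for group in walk_groups(groups):
        ids_by_path[group["path"]].append(group["id"])
    return {path: ids for path, ids in ids_by_path.items() if len(ids) > 1}


def _admin_request(method: str, url: str, token: str) -> bytes:
    """Send one authenticated Admin REST call and return the raw body."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fetch_groups(base_url: str, realm: str, token: str) -> List[dict]:
    """GET /admin/realms/{realm}/groups with an admin access token."""
    url = f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/groups"
    return json.loads(_admin_request("GET", url, token))


def sync_group_mapper(base_url: str, realm: str, provider_id: str,
                      mapper_id: str, token: str) -> bytes:
    """Trigger the LDAP -> Keycloak sync of one group mapper.

    This is the explicit synchronization the workaround depends on:
    POST /admin/realms/{realm}/user-storage/{providerId}/mappers/{mapperId}/sync
    with direction=fedToKeycloak (verify the path for your version).
    provider_id is the LDAP federation provider's UUID, mapper_id the
    group-ldap-mapper's UUID; both are placeholders here.
    """
    url = (f"{base_url}/admin/realms/{urllib.parse.quote(realm)}"
           f"/user-storage/{provider_id}/mappers/{mapper_id}/sync"
           "?direction=fedToKeycloak")
    return _admin_request("POST", url, token)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_groups(...)
    # against a live realm to audit real data.
    for path, ids in find_duplicate_groups(SAMPLE_GROUPS).items():
        print(f"{path}: {len(ids)} groups -> {', '.join(ids)}")
```

      Run the script as-is to see the duplicate detection on the sample; against a live server, call `sync_group_mapper(...)` once before any federated user logs in, then `find_duplicate_groups(fetch_groups(...))` should come back empty if the workaround holds for your deployment.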

      Expected behavior

      If Keycloak has a need to create groups in an ad-hoc fashion (for role mapping purposes or otherwise) that creation of groups should be able to correlate to existing groups in the same way that the correlation seems to happen when AD/LDAP groups have been explicitly synced into Keycloak.

                People

                • Assignee:
                  pcraveiro Pedro Igor Silva
                  Reporter:
                  bergner Marcus Bergner
                • Votes:
                  1
                  Watchers:
                  5
