Red Hat build of Keycloak
RHBK-2033

LDAP groups not showing members in Groups when using memberOf attribute [GHI#33477]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      ldap

      Describe the bug

      When using the group-ldap-mapper to sync LDAP groups into Keycloak using the memberOf attribute, the Groups section doesn't show any members.

      Meanwhile, the membership can only be seen in the user details section, in the Groups tab.

      LDAP configuration for the user
      ```
      objectclass: inetOrgPerson
      objectclass: organizationalPerson
      objectclass: person
      objectclass: top
      cn: Bruce
      sn: Wilson
      mail: bwilson@keycloak.org
      memberOf: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org
      street: Elm 5
      uid: bwilson
      ```

      LDAP configuration for the group
      ```
      objectclass: groupOfNames
      objectclass: top
      cn: ldap-admin
      ```

      Version

      25.0.6

      Regression

      [ ] The issue is a regression

      Expected behavior

      Group membership should be displayed correctly both via Users -> select user -> Groups and via Groups -> select group -> Members

      Actual behavior

      Group membership is only visible when going through the user details screen. Checking the members of a group doesn't work.

      How to Reproduce?

      1. Create a new group (e.g. "customers")
      2. Create a User Federation
      3. Create a group-ldap-mapper with the following settings:

      • Mode: LDAP_ONLY
      • User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
      • Member-Of LDAP Attribute: memberOf
      • Groups Path: /customers
      4. Sync all users
      5. Check user membership (Users > {user} > Groups tab)

      • User has the group assigned correctly

      6. Check group members (Groups > customers > {group} > Members tab)

      • No user is displayed in this section

      Anything else?

      As of now, I've discovered two workarounds for this issue (choose only one):

      1. Change the mode from LDAP_ONLY to IMPORT; this will display the users correctly in the Groups section.

      or

      2. Add the corresponding member entry to the LDAP group, like the following:
      ```
      objectclass: groupOfNames
      objectclass: top
      cn: ldap-admin
      member: uid=bwilson,ou=People,dc=keycloak,dc=org
      ```
      However, the GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE strategy should only look in the group attribute within the user record.

            Unassigned
            sguilhen Stefan Guilhen
            Keycloak Core IAM
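The following is an added example, not code from the Keycloak project or from the reporter. It models the two directions in which a group/user relation can be read from LDAP, using a constructed LDIF that mirrors the entries in the report, and reproduces the asymmetry described above: reading the user's memberOf attribute answers "which groups does this user hold", but a Members view that reads the group entry's own member attribute finds nothing, because that attribute is absent. A reverse search with the filter (memberOf=<group dn>) over user entries does find the member, as does workaround 2 (adding member to the group). The user DN uid=bwilson,ou=People,dc=keycloak,dc=org is taken from the workaround in the report; the function names and the minimal LDIF parser are this example's own and are not Keycloak APIs.

```python
"""Added example (not Keycloak project code): group membership resolved from the
user's memberOf attribute versus from the group entry's member attribute."""
from collections import defaultdict

# Constructed sample LDIF mirroring the entries in the report. The user DN is
# taken from the report's workaround. Base64 ("::") values and continuation
# lines are not handled; this reader is only meant for the demo data.
SAMPLE_LDIF = """\
dn: uid=bwilson,ou=People,dc=keycloak,dc=org
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Bruce
sn: Wilson
mail: bwilson@keycloak.org
memberOf: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org
street: Elm 5
uid: bwilson

dn: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org
objectclass: groupOfNames
objectclass: top
cn: ldap-admin
"""

USER_DN = "uid=bwilson,ou=People,dc=keycloak,dc=org"
GROUP_DN = "cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org"


def norm_dn(dn):
    """Case-fold and trim RDN whitespace so DNs from different sources compare
    equal. Sufficient for this demo; real code should follow RFC 4514."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Tiny LDIF reader: returns {normalised dn: {attr (lower-case): [values]}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None          # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[norm_dn(value)] = current
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current[attr].append(value)
    return entries


def groups_of_user(entries, user_dn):
    """GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE: read the user's own memberOf."""
    return sorted(norm_dn(g) for g in entries[norm_dn(user_dn)].get("memberof", []))


def members_from_group_entry(entries, group_dn):
    """A Members view that reads the group entry's member attribute. With a
    memberOf-only directory this is empty, which is the symptom in the report."""
    return sorted(norm_dn(m) for m in entries[norm_dn(group_dn)].get("member", []))


def members_via_memberof_search(entries, group_dn):
    """Reverse lookup, equivalent to an LDAP search with filter
    (memberOf=<group dn>) over user entries: finds members even though the
    group entry does not list them."""
    target = norm_dn(group_dn)
    return sorted(dn for dn, attrs in entries.items()
                  if target in {norm_dn(v) for v in attrs.get("memberof", [])})


def add_member_workaround(entries, group_dn, user_dn):
    """Workaround 2 from the report: make the group entry list the user too."""
    entries[norm_dn(group_dn)]["member"].append(user_dn)
    return members_from_group_entry(entries, group_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("groups of user:        ", groups_of_user(directory, USER_DN))
    print("members (group entry): ", members_from_group_entry(directory, GROUP_DN))
    print("members (memberOf):    ", members_via_memberof_search(directory, GROUP_DN))
    print("after workaround 2:    ", add_member_workaround(directory, GROUP_DN, USER_DN))
```

Two caveats worth keeping in mind when reading the report. First, in directories where memberOf is derived from member (Active Directory's backlink, OpenLDAP's memberof overlay) both lookups agree, so the asymmetry only shows up when memberOf is maintained independently of member, as in the report's entries. Second, the practical consequence for an administrator is that a group such as ldap-admin can have effective members while its Members tab is empty, so auditing privileged group membership through that tab alone is unreliable under this configuration; listing the user's groups, or a reverse memberOf search against the directory, is the reliable check.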