Bug
Resolution: Unresolved
Major
22.0.14, 24.0.9
Moderate
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
ldap
Describe the bug
When using the group-ldap-mapper to sync LDAP groups into Keycloak based on the user's memberOf attribute, the Groups section does not show any members for the synced groups.
The membership is only visible from the user details page, in the Groups tab.
LDAP entry for the user
```ldif
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Bruce
sn: Wilson
mail: bwilson@keycloak.org
memberOf: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org
street: Elm 5
uid: bwilson
```
LDAP entry for the group
```ldif
objectclass: groupOfNames
objectclass: top
cn: ldap-admin
```
Version
25.0.6
Regression
[ ] The issue is a regression
Expected behavior
Group membership should be displayed correctly both via Users -> select user -> Groups and via Groups -> select group -> Members.
Actual behavior
Group membership is only visible when going through the user details screen. Listing the members of a group shows nothing.
How to Reproduce?
1. Create a new group (e.g. "customers")
2. Create a User Federation
3. Create a group-ldap-mapper with the following settings:
- Mode: LDAP_ONLY
- User Groups Retrieve Strategy: GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
- Member-Of LDAP Attribute: memberOf
- Groups Path: /customers
4. Sync all users
5. Check user membership (Users > {user} > Groups tab)
- User has the group assigned correctly
6. Check group members (Groups > customers > {group} > Members tab)
- No user is displayed in this section
Anything else?
As of now, I've discovered two workarounds for this issue (choose only one):
1. Change the mode from LDAP_ONLY to IMPORT; this displays the users correctly in the Groups section.
or
2. Add the corresponding member entry in the LDAP group like the following:
```ldif
objectclass: groupOfNames
objectclass: top
cn: ldap-admin
member: uid=bwilson,ou=People,dc=keycloak,dc=org
```
However, the GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE strategy should only look in the group attribute within the user record.
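To see the two views of membership side by side, here is an added example (not Keycloak code and not part of this report) that parses a constructed LDIF export and resolves a group's members the way the memberOf strategy should (searching users whose memberOf names the group) versus the way a group-side lookup does (reading the group's own member attribute). The audit function flags groups where users reference a group that does not list them, which is exactly the state the second workaround above repairs; the `parse_ldif` helper and the sample DNs are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample in the shape of the entries above: the user carries
# memberOf, but the groupOfNames entry has no member attribute.
SAMPLE_LDIF = """\
dn: uid=bwilson,ou=People,dc=keycloak,dc=org
objectclass: inetOrgPerson
cn: Bruce
uid: bwilson
memberOf: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org

dn: cn=ldap-admin,ou=RealmRoles,dc=keycloak,dc=org
objectclass: groupOfNames
cn: ldap-admin
"""

def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attr_lowercase: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def members_from_user_memberof(entries, group_dn):
    """User-side view: every entry whose memberOf references the group DN."""
    gdn = group_dn.lower()
    return sorted(dn for dn, attrs in entries.items()
                  if gdn in (v.lower() for v in attrs.get("memberof", [])))

def members_from_group_member(entries, group_dn):
    """Group-side view: the DNs listed in the group's own member attribute."""
    return sorted(entries.get(group_dn, {}).get("member", []))

def audit_membership(entries):
    """Map each groupOfNames DN to users that reference it via memberOf
    but are missing from its member attribute (empty result = consistent)."""
    report = {}
    for gdn, attrs in entries.items():
        if "groupofnames" not in (v.lower() for v in attrs.get("objectclass", [])):
            continue
        listed = {m.lower() for m in members_from_group_member(entries, gdn)}
        missing = [u for u in members_from_user_memberof(entries, gdn) if u.lower() not in listed]
        if missing:
            report[gdn] = missing
    return report
```

Running the audit against a real export (for example the output of ldapsearch) tells you which groups will appear empty in the Groups section under LDAP_ONLY mode before any users notice.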