Bug
Resolution: Done
Before reporting an issue
[X] I have searched existing issues
[X] I have reproduced the issue with the latest release
Area
ldap
Describe the bug
Hi everyone!
I have a KC 15.0.2 setup with the following configuration:
Single LDAP Mapper in WRITABLE mode targeted at an ActiveDirectory Domain with multiple OUs in which the KC-managed groups are contained.
Several (e.g. 4) ldap-group-mappers in LDAP_ONLY mode configured with different Groups Paths, finally resolving groups into a two-level hierarchy:
/ (ldap-group-mapper-0 with LDAP Groups DN 0)
/Groups-Path1/ (ldap-group-mapper-1 with LDAP Groups DN 1)
/Groups-Path2/ (ldap-group-mapper-2 with LDAP Groups DN 2)
/Groups-Path3/ (ldap-group-mapper-3 with LDAP Groups DN 3)
On syncing the groups from LDAP everything works fine: the groups from the respective LDAP Groups DNs are successfully imported into the configured group paths. But adding a user in the KC GUI to some of the imported groups fails on the ActiveDirectory side with the error UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0, meaning that KC is trying to create or update a group with an existing name (cn) in an incorrect OU of the domain, and ActiveDirectory does not allow that since group names must be unique throughout the domain. In other words, despite the specifically attributed Group Path, KC is selecting the wrong group mapper for updating the group attributes/membership, and ActiveDirectory refuses the update to the group structure as soon as the DN is wrong.
This error appears with the groups of every group mapper except those belonging to the "automatically" selected wrong mapper. For the wrong mapper, group attribute/membership management proceeds without any problems.
Another symptom is that with the mentioned setup the current user's groups in the KC user groups GUI section are shown only for that mapper, while users are shown correctly if listed through the KC group members GUI section (so the same listings vary between the two sections of the GUI).
Please help to resolve this problem, or route me to the solution if it is already resolved.
_Originally posted by @dimitry-a-baranov in https://github.com/keycloak/keycloak/issues/6970#issuecomment-1464884028_
Version
15.0.2 through 21.0.1
Expected behavior
1) Adding user someUserName to the group with group path /Groups-Path1/somegroupname1 results in a successful sync of this change to the ActiveDirectory Domain.
2) Adding user someUserName to the group with group path /Groups-Path2/somegroupname2 results in a successful sync of this change to the ActiveDirectory Domain.
3) Adding user someUserName to the group with group path /Groups-Path3/somegroupname3 results in a successful sync of this change to the ActiveDirectory Domain.
Actual behavior
1) Adding user someUserName to the group with group path /Groups-Path1/somegroupname1 results in a failed sync of this change to the ActiveDirectory Domain:
UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), with a stack trace showing that KC is incorrectly trying to create or update somegroupname1 in the wrong OU, the one configured as Groups DN for the LDAP Group Mapper from 2) with /Groups-Path2/.
2) Adding user someUserName to the group with group path /Groups-Path2/somegroupname2 results in a successful sync of this change to the ActiveDirectory Domain, since the Groups DN is correct.
3) Adding user someUserName to the group with group path /Groups-Path3/somegroupname3 results in a successful sync of this change to the ActiveDirectory Domain:
UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), with a stack trace showing that KC is incorrectly trying to create or update somegroupname1 in the wrong OU, the one configured as Groups DN for the LDAP Group Mapper from 2) with /Groups-Path2/.
How to Reproduce?
0. Within some test ActiveDirectory Domain create 3 or more OUs under Groups, like TestOU1, TestOU2 and TestOU3, create a local group in each of them (testgroup1, testgroup2 and testgroup3), then create a user testuser1.
1. Create a new realm TESTREALM in KC.
2. Create a new "TEST_AD_LDAP" LDAP Provider in User Federation, select Active Directory as Vendor, configure the required values and bind credentials, set Edit Mode to WRITABLE, and configure Search Scope to Subtree.
3. Configure Group Mappers with ldap-group-mapper type to create group hierarchy:
3.1. Configure root-level group mapper ldap-group-mapper-0:
3.1.1. set LDAP Groups DN to OU=Groups,DC=...,etc
3.1.2. set mappedAttributes to "samaccountname,grouptype"
3.1.3. set Mode to LDAP_ONLY
3.1.4. set User Groups Retrieve Strategy to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
3.2. Create dummy groups for Group Paths:
3.2.1. Use the New button to create new group items Groups-Path1, Groups-Path2, Groups-Path3, then set the following attributes on each group: samaccountname="Groups-Path1" (Groups-Path2 and Groups-Path3 respectively), grouptype="-2147483644", and save the attribute values
3.2.2. Within ldap-group-mapper-0 mapper configuration page use Sync Keycloak Groups to LDAP button to create the groups in AD LDAP
3.3. Create and configure the lower-level group mappers ldap-group-mapper-1, ldap-group-mapper-2 and ldap-group-mapper-3 with LDAP Groups DN pointing to different specific OUs in AD LDAP and the corresponding Groups Paths "/Groups-Path1/", "/Groups-Path2/", "/Groups-Path3/", Mode set to LDAP_ONLY, User Groups Retrieve Strategy set to LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, Mapped Group Attributes set to "samaccountname,grouptype" and Preserve Group Inheritance set to Off; then save each mapper configuration and use Sync LDAP Groups to Keycloak in each of them to import the LDAP groups into Keycloak under the corresponding paths.
4. Use the Synchronise all users function on the TEST_AD_LDAP Provider configuration page to import the users from LDAP into Keycloak.
5. Select any available user from the list of imported users (e.g. testuser1) and on the Groups tab select any group under /Groups-Path1/ (e.g. /Groups-Path1/testgroup1), then use the Join button. Keycloak will throw an Unexpected Error with the log [LDAP: error code 68 - 00000563: UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0] and a remaining name referencing 'cn=testgroup1,OU=' followed by the OU configured as LDAP Groups DN within ldap-group-mapper-2.
6. Select the same user from the list of imported users (e.g. testuser1) and on the Groups tab select any group under /Groups-Path2/ (e.g. /Groups-Path2/testgroup2), then use the Join button. Keycloak will show "successfully joined".
7. Select any available user from the list of imported users (e.g. testuser1) and on the Groups tab select any group under /Groups-Path3/ (e.g. /Groups-Path3/testgroup3), then use the Join button. Keycloak will throw an Unexpected Error with the log [LDAP: error code 68 - 00000563: UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0] and a remaining name referencing 'cn=testgroup3,OU=' followed by the OU configured as LDAP Groups DN within ldap-group-mapper-2.
8. The actual order of unsuccessful mappers may vary, and I did not find out how KC sorts those mappers, but it only allows one configured group path (mapper) to be used successfully, and the use of any other leads to the same error.
Anything else?
In addition to the add/update groups problem, I can see that groups are shown on the corresponding tab of the User UI page within the Admin Console only for the one group mapper that also syncs successfully (ldap-group-mapper-2 in the reproduce guide above). Meanwhile, on the Group UI page within the Admin Console (e.g. testgroup1, testgroup3 in the example above) the same user is shown correctly among the Group Members.
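The following triage helper is an added example and is not part of the issue or of Keycloak's own code. It models the mapper selection the expected behaviour above implies (the mapper whose Groups Path is the longest prefix of the Keycloak group's path owns the group and writes it under its own Groups DN), parses the `error code 68 ... (ENTRY_EXISTS) ... remaining name '...'` text quoted in the reproduction steps, and reports which mapper's Groups DN the rejected DN actually landed in. The mapper names, OU names (`TestOU1..3`, `OU=Groups,DC=example,DC=test`), the `NameAlreadyBoundException` prefix and the sample log line are constructed for illustration; the page does not show how Keycloak really chooses the mapper.

```python
"""Triage helper for the wrong-group-mapper symptom.

Given a Keycloak group path and the JNDI error text that AD returned,
work out which ldap-group-mapper should have written the group (longest
Groups Path prefix), which mapper's Groups DN the rejected DN actually
belongs to, and whether they differ.  Example code written for this page;
not Keycloak's implementation.  All mapper configs and the sample log
line are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class GroupMapper:
    name: str
    groups_dn: str    # "LDAP Groups DN" of the mapper
    groups_path: str  # "Groups Path" in Keycloak, "/" for the realm root


# Constructed to mirror the report: one root mapper plus three sub-OU mappers.
BASE = "OU=Groups,DC=example,DC=test"
MAPPERS = [
    GroupMapper("ldap-group-mapper-0", BASE, "/"),
    GroupMapper("ldap-group-mapper-1", "OU=TestOU1," + BASE, "/Groups-Path1/"),
    GroupMapper("ldap-group-mapper-2", "OU=TestOU2," + BASE, "/Groups-Path2/"),
    GroupMapper("ldap-group-mapper-3", "OU=TestOU3," + BASE, "/Groups-Path3/"),
]


def _norm(path):
    return path if path.endswith("/") else path + "/"


def mapper_for_group(group_path, mappers=MAPPERS):
    """Pick the mapper whose Groups Path is the longest prefix of the group's
    parent path.  With Preserve Group Inheritance off (as in the report) a
    group sits directly under its mapper's path, so the longest match wins."""
    parent = group_path.rsplit("/", 1)[0] + "/"
    candidates = [m for m in mappers if parent.startswith(_norm(m.groups_path))]
    if not candidates:
        raise ValueError(f"no mapper owns {group_path}")
    return max(candidates, key=lambda m: len(_norm(m.groups_path)))


def expected_dn(group_path, mappers=MAPPERS):
    """DN the owning mapper would write: cn=<group name>,<its Groups DN>."""
    m = mapper_for_group(group_path, mappers)
    cn = group_path.rsplit("/", 1)[1]
    return f"cn={cn},{m.groups_dn}", m


def mapper_for_dn(dn, mappers=MAPPERS):
    """Find which mapper's Groups DN the rejected DN actually landed in."""
    parent = dn.split(",", 1)[1]
    for m in mappers:
        if parent.lower() == m.groups_dn.lower():
            return m
    return None


# Matches the JNDI text quoted in the report: code, symbolic problem, remaining name.
_ERR = re.compile(
    r"LDAP: error code (\d+) - .*?\(([A-Z_]+)\).*?remaining name '([^']+)'", re.S)


def parse_ldap_error(log_line):
    """Return (code, problem, remaining DN) or None if the line is not an LDAP error."""
    m = _ERR.search(log_line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def diagnose(group_path, log_line, mappers=MAPPERS):
    """Compare the DN the owning mapper should have used with the DN AD rejected."""
    want_dn, want = expected_dn(group_path, mappers)
    parsed = parse_ldap_error(log_line)
    if parsed is None:
        return {"status": "no-ldap-error"}
    code, problem, got_dn = parsed
    got = mapper_for_dn(got_dn, mappers)
    return {
        "status": "ok" if got_dn.lower() == want_dn.lower() else "wrong-mapper",
        "code": code, "problem": problem,
        "expected_mapper": want.name, "expected_dn": want_dn,
        "actual_mapper": got.name if got else None, "actual_dn": got_dn,
    }


# Constructed sample of the message quoted in the report; the exception class
# name and the OU in the remaining name are assumptions for illustration.
SAMPLE_LOG = ("javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000563: "
              "UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0]; "
              "remaining name 'cn=testgroup1,OU=TestOU2,OU=Groups,DC=example,DC=test'")

if __name__ == "__main__":
    print(diagnose("/Groups-Path1/testgroup1", SAMPLE_LOG))
```

Run against the sample, `diagnose` reports `wrong-mapper` with `ldap-group-mapper-1` expected and `ldap-group-mapper-2` actual, which is exactly the mismatch the reproduction steps describe: the `cn` is right, the parent OU is the other mapper's Groups DN. Pointing the helper at real Keycloak server log lines and the real mapper configuration (Groups DN and Groups Path of each ldap-group-mapper) gives a quick check of which mapper is being picked before opening the LDAP side.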