Inherited Role Memberships not Synced to LDAP

Hello,

while configuring an instance of OpenLDAP as source for user federation, I came across the following behavior:

Inherited role memberships (“Role-Mappings” from groups or “Associated Roles” from other roles) are not represented in LDAP.

Manually adding a user to a role within Keycloak adds the user as a member of the respective role in LDAP.
Only the automatic inheritance does not work. The user is then not listed in the “member” attribute of the respective role (groupOfNames object in LDAP).


Expected behavior:
Keycloak
Group foo
Associated Roles: Role bar
Member: User A

LDAP
groupOfNames foo
member: User A

groupOfNames bar
member: User A <----- This membership is missing.


For the LDAP Group Mapper there is the option of “Preserve Group Inheritance”, which is not present with the role mapper.
As we want to connect third party applications to the same LDAP server and access the same group and role structure managed through Keycloak, this presents a problem.

Current workaround ideas are:

  • Use an inherited group instead of an inherited role
  • Manually assign the role to users (bad scaling)

I would appreciate any input from people experiencing the same issue or general ideas on how to solve this.
Thanks!

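One way to make the drift described above visible, as an added example that is not part of the original post and not Keycloak's or OpenLDAP's own code: compute each user's effective roles on the Keycloak side (direct assignments, roles mapped to the user's groups, and associated roles followed transitively) and compare them with the "member" attribute of the groupOfNames entries in an LDAP export. The Keycloak-side dictionaries, the LDIF text and the user/role names are constructed sample data in an assumed shape; the placeholder member DN is likewise constructed, only to satisfy the groupOfNames requirement that "member" be present. It goes slightly beyond the post by also handling a chain of associated roles (bar -> baz), so a third-party application reading LDAP would miss both.

```python
# Added example: audit the gap between Keycloak's effective role memberships
# and the groupOfNames entries in LDAP. All data below is constructed.
from collections import defaultdict, deque

# Constructed Keycloak model (assumed shape, not Keycloak's API):
# user -> groups, group -> mapped roles, role -> associated roles, user -> direct roles.
KC_USER_GROUPS = {"userA": {"foo"}}
KC_GROUP_ROLE_MAPPINGS = {"foo": {"bar"}}
KC_ASSOCIATED_ROLES = {"bar": {"baz"}, "baz": set(), "qux": set()}
KC_DIRECT_ROLES = {"userA": {"qux"}}

# Constructed LDIF dump: the group "foo" and the directly assigned role "qux"
# list userA; the inherited roles "bar" and "baz" only carry a placeholder
# member (constructed value), which is the behaviour the post reports.
SAMPLE_LDIF = """\
dn: cn=foo,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: foo
member: uid=userA,ou=people,dc=example,dc=org

dn: cn=bar,ou=roles,dc=example,dc=org
objectClass: groupOfNames
cn: bar
member: cn=empty-membership-placeholder

dn: cn=baz,ou=roles,dc=example,dc=org
objectClass: groupOfNames
cn: baz
member: cn=empty-membership-placeholder

dn: cn=qux,ou=roles,dc=example,dc=org
objectClass: groupOfNames
cn: qux
member: uid=userA,ou=people,dc=example,dc=org
"""


def parse_groups(ldif_text):
    """Return {cn: set of member uids} for every groupOfNames entry.

    Assumes plain LDIF (no base64 '::' values, no continuation lines).
    Member DNs whose first RDN is not 'uid=' (placeholders, nested groups)
    are ignored because they do not identify a user.
    """
    groups = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            attrs[key].append(value.strip())
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        members = set()
        for dn in attrs.get("member", []):
            rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
            if rdn_type.lower() == "uid":
                members.add(rdn_value)
        groups[attrs["cn"][0]] = members
    return groups


def effective_roles(user):
    """Transitive closure: direct roles + group role mappings + associated roles.

    Uses a visited set so a cycle in associated roles cannot loop forever.
    """
    seeds = set(KC_DIRECT_ROLES.get(user, set()))
    for group in KC_USER_GROUPS.get(user, set()):
        seeds |= KC_GROUP_ROLE_MAPPINGS.get(group, set())
    seen, queue = set(), deque(seeds)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(KC_ASSOCIATED_ROLES.get(role, set()) - seen)
    return seen


def missing_memberships(ldap_groups):
    """Map role -> users Keycloak treats as members that LDAP does not list."""
    missing = {}
    for user in KC_USER_GROUPS.keys() | KC_DIRECT_ROLES.keys():
        for role in effective_roles(user):
            if user not in ldap_groups.get(role, set()):
                missing.setdefault(role, set()).add(user)
    return missing


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_LDIF)
    for role, users in sorted(missing_memberships(groups).items()):
        print(f"role {role}: not reflected in LDAP for {sorted(users)}")
```

Run against a real export (for example the output of an ldapsearch over the role subtree) and a dump of the Keycloak model, the same comparison tells you which memberships third-party applications reading LDAP will not see; an empty result is what the "Preserve Group Inheritance" option gives you for groups, and what the role mapper currently does not.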