Sync about 1000 users from AD with nested groups

Hi All,

  1. Keycloak will not show AD nested groups as “child groups” under the parent on the Groups page. AD represents nesting by putting a group’s DN inside another group’s member attribute; it is not an OU/tree hierarchy. Keycloak’s “child groups” view only reflects hierarchical group containers (e.g., OU → CN trees), not AD’s member-of nesting.

  2. AD provides a special matching rule that expands nested memberOf references: 1.2.840.113556.1.4.1941 (also called LDAP_MATCHING_RULE_IN_CHAIN), which can be added to the LDAP filter.

  3. Confirmed that the new LDAP filter works using ldapsearch and imported well over 1000 users; however, it also did not work consistently, due to what appear to be timeout issues on the AD side.

  4. It managed to import once or twice in Keycloak, but sync performance is poor and it does not always work.

Please help us with getting this working smoothly and with optimal performance.

Thanks in advance!
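To make point 2 concrete, here is an added example (not code from the original post or from Keycloak) that builds the LDAP_MATCHING_RULE_IN_CHAIN filter and, over a small constructed in-memory directory, walks the nested member attributes the same way AD evaluates that matching rule server-side. The directory contents, group and user names, and the example.com domain are constructed for illustration; the filter value escaping follows RFC 4515, since a group DN containing characters such as parentheses would otherwise corrupt or, if user-controlled, inject into the filter. The walk also counts how many group entries have to be read, which is the cost the matching rule pushes onto the domain controller on every search.

```python
"""Nested AD group expansion as LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) performs it.

Added example: the directory below is a constructed sample, not a real AD export.
"""
from collections import deque

# Constructed sample directory: DN -> attributes. AD models nesting purely through
# the 'member' attribute holding other groups' DNs; there is no group tree.
SAMPLE_DIRECTORY = {
    "CN=App-Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Team-A,OU=Groups,DC=example,DC=com",
            "CN=alice,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Team-A,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Team-A-Contractors,OU=Groups,DC=example,DC=com",
            "CN=bob,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Team-A-Contractors,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        # Circular nesting (Contractors -> Team-A -> Contractors). AD permits this,
        # so a naive recursive walk would never terminate.
        "member": [
            "CN=Team-A,OU=Groups,DC=example,DC=com",
            "CN=carol,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Other,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=dave,OU=Users,DC=example,DC=com"],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=dave,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
}

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot break out of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def chain_filter(group_dn: str, attr: str = "memberOf") -> str:
    """Filter matching users transitively nested under group_dn.

    Keycloak's 'Custom User LDAP Filter' requires the whole filter to be wrapped in
    one pair of parentheses, which the (&...) form satisfies. Usable with ldapsearch
    as the filter argument, e.g. (hostname and bind DN are illustrative):
      ldapsearch -H ldaps://dc.example.com -D svc@example.com -W \
        -b "DC=example,DC=com" "$(filter)" sAMAccountName
    """
    return f"(&(objectClass=user)({attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"


def expand_members(directory: dict, group_dn: str) -> tuple[set, int]:
    """Return (user DNs transitively under group_dn, number of group entries read).

    Breadth-first over the 'member' attribute with a visited set, so circular
    nesting terminates. The lookup count is the per-search work AD does when the
    matching rule is evaluated, which is why large nested structures are slow.
    """
    users: set = set()
    seen_groups: set = set()
    lookups = 0
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen_groups:
            continue
        seen_groups.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue
        lookups += 1
        for member_dn in entry.get("member", []):
            classes = directory.get(member_dn, {}).get("objectClass", [])
            if "group" in classes:
                queue.append(member_dn)
            elif "user" in classes:
                users.add(member_dn)
    return users, lookups


if __name__ == "__main__":
    root = "CN=App-Users,OU=Groups,DC=example,DC=com"
    print(chain_filter(root))
    members, reads = expand_members(SAMPLE_DIRECTORY, root)
    print(sorted(members), "after", reads, "group reads")
```

The escaping matters in practice: a group named `Ops (EU)` becomes `Ops \28EU\29` inside the filter, and without it ldapsearch either errors out or matches something else. The lookup count is worth watching with the reply below in mind: every user search that carries this matching rule makes the domain controller walk the group graph on the fly, so the cost scales with the size of the nested structure rather than with the number of users returned.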

Hey,

  1. Check your LDAP config and group-to-group mapper config. There should be a radio button for “preserve inheritance” or “preserve hierarchy”.

  2. Probably your LDAP is then the bottleneck.

  3. I also got this for a customer. LDAP is slow, as they are syncing 20k groups. Group membership is calculated on the fly.

Dumb question: can you bump up the resources of your LDAP?