CODEWITHSUNDEEP
ldapkeycloakopenldapnested-groups
dreamcrash
dreamcrash

Reputation: 51443

How to read nested groups in OpenLdap connected to Keycloak

I have a Keycloak with an openLDAP User Federation. In the LDAP, I have a user 'someUser' that belongs to multiple groups, namely:

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: cn=architects,ou=groups,dc=example,dc=com

dn: cn=architects,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: uid=someUser,ou=People,dc=example,dc=com

On my Keycloak, for the LDAP I have created an LDAP Mapper for the roles, like the following

The problem is that when I try to get a token on behalf of the user 'someUser' only the role 'architects' appears on the token. Based on the LDAP nesting grouping, I expected that both 'architects' and 'developer' roles would have appear on the token.

Based on other answers on similar topics I try to add to the LDAP filter the following:

memberOf:1.2.840.113556.1.4.1941

But this seams to only work with Microsoft Active Directory.

My question is, what do I have to do in order to have both roles 'architects' and 'developer' in token? ( besides having to hardcoding them).

Upvotes: 2

Views: 4659

Answers (1)

Hamza Tahiri
Hamza Tahiri

Reputation: 506

Try replacing member and objectclass in:

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfURLs
memberURL: ldap:///cn=architects,ou=groups,dc=example,dc=com?sub?(objectclass=*)

This kind of group defining is called dynamic groups, you should try ldapsearch in your openldap to see if the directory send the correct objects, for example:

  ./ldapsearch -h localhost--port 1389 -D "cn=Directory Manager" -w "password" -b "uid=someUser,ou=People,dc=example,dc=com" -s sub "(objectclass=*)" member

For more info: https://www.zytrax.com/books/ldap/ch11/dynamic.html

Upvotes: 1

Related Questions