Configure Keycloak to store group membership on LDAP user objects

I need to configure Keycloak so that it stores group membership information on each user object. I noticed that the User Federation > Ldap > LDAP Mappers > groups page gives you the option to do this sort of thing - you’re able to configure the “User Groups Retrieve Strategy” to be "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE". Our current LDAP setup uses the groupOfNames object class for groups, and the person object class for users, so Keycloak should be able to retrieve and edit group information from both the user objects and group objects.

Using the GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE option seems to correctly cause Keycloak to be able to fetch group information via memberOf attributes on the users, but it makes everything related to user management completely busted.

For example, you can create a group, but the new group is not added to LDAP, and will disappear as soon as I sync with LDAP.

I also tested adding a user to a group, in the groups tab, within the general “users” area. Doing so causes a “Success” notification to appear, but nothing in the UI actually updates, i.e. the “group membership” column doesn’t show any new groups. The only thing that changes is the icon next to the group I tried to add gets a little lighter, but if I refresh the page, that goes away too.


The group object in LDAP does in fact update when I do this, but the user object does not.

All of this worked a lot better when I had the “User Groups Retrieve Strategy” setting set to "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" instead, but it still doesn’t fully work. I can add and remove users from groups as expected (though it will only update the group object, not the user object, which is expected because that’s how it’s configured now, but it’s not what we want). I can also create a new group, but trying to add a new user to that group gave me this error:

org.keycloak.models.ModelException: Could not retrieve identifier for entry [cn=kGroup5,ou=Groups,dc=ourOrganization,dc=com]

If I try a second time, it’s able to succeed (I repeated this three times; it always works just fine on the second attempt). It’s possible this is just an unrelated red herring, but I figured it’s important to show that it’s not quite fully working, even when I use the "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" option.

I’m using Keycloak version 17, Quarkus edition.
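
Added example (not part of the original post and not Keycloak code): one way to confirm the mismatch described above, where the group object is updated but the user object is not, is to compare the two views in an LDIF export of the directory. The sample entries are constructed, and the attribute names member and memberOf and the dc=example,dc=com suffix are assumptions.

```python
from collections import defaultdict

# Constructed sample export for this added example (not the poster's directory).
SAMPLE_LDIF = """\
dn: cn=kGroup5,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: kGroup5
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: person
memberOf: cn=kGroup5,ou=Groups,dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: person
"""

def norm_dn(dn):
    """Case-fold and trim RDNs for comparison (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF; folded lines joined, base64 values skipped."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                attrs[key.lower()].append(value.strip())
        if "dn" in attrs:
            entries.append(attrs)
    return entries

def membership_drift(entries):
    """Return (user_dn, group_dn, problem) tuples where the two views disagree."""
    from_groups, from_users = set(), set()
    for e in entries:
        dn = norm_dn(e["dn"][0])
        from_groups |= {(norm_dn(m), dn) for m in e.get("member", [])}
        from_users |= {(dn, norm_dn(g)) for g in e.get("memberof", [])}
    drift = [(u, g, "missing memberOf on user") for u, g in from_groups - from_users]
    drift += [(u, g, "missing member on group") for u, g in from_users - from_groups]
    return sorted(drift)

if __name__ == "__main__":
    for user, group, problem in membership_drift(parse_ldif(SAMPLE_LDIF)):
        print(f"{user} / {group}: {problem}")
```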