Same problem suddenly appeared in Keycloak 11.0.0.
Keycloak gets users from LDAP User Federation, and each user has a proper list of groups.
But each group has only 1 user (the only user created without LDAP).
I’ve enabled DEBUG (as described on Docker Hub) and I see that Keycloak is doing 2 SQL queries:
userentity1_.ID as ID1_73_,
userentity1_.CREATED_TIMESTAMP as CREATED_2_73_,
userentity1_.EMAIL as EMAIL3_73_,
userentity1_.EMAIL_CONSTRAINT as EMAIL_CO4_73_,
userentity1_.EMAIL_VERIFIED as EMAIL_VE5_73_,
userentity1_.ENABLED as ENABLED6_73_,
userentity1_.FEDERATION_LINK as FEDERATI7_73_,
userentity1_.FIRST_NAME as FIRST_NA8_73_,
userentity1_.LAST_NAME as LAST_NAM9_73_,
userentity1_.NOT_BEFORE as NOT_BEF10_73_,
userentity1_.REALM_ID as REALM_I11_73_,
userentity1_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_73_,
userentity1_.USERNAME as USERNAM13_73_
userentity1_.USERNAME limit ?
federatedu0_.USER_ID as col_0_0_
and federatedu0_.REALM_ID=? limit ?
It seems that the second query returns no items, or the user IDs from it are ignored.
P.S. I’ve checked the DB and I was right: FED_USER_GROUP_MEMBERSHIP is empty despite all users having groups. USER_GROUP_MEMBERSHIP is not empty.
keycloak-prod=> SELECT * FROM public.FED_USER_GROUP_MEMBERSHIP;
keycloak-prod=> SELECT * FROM public.USER_GROUP_MEMBERSHIP;
d2efaaa3-1111-1111-1111-44c49036b609 | d27f52b0-1111-1111-1111-72911111112
The problem is found and fixed: our federation had an LDAP filter that filtered out LDAP users. Deleting the LDAP filter and re-syncing helped.
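As an added diagnostic (not part of the thread above, and not a Keycloak project query), the following psql-style SQL lists, per federated user, how many group rows exist in USER_GROUP_MEMBERSHIP and in FED_USER_GROUP_MEMBERSHIP, and then the same counts per group, so a re-sync after changing an LDAP filter can be verified directly in the database. The USER_ENTITY columns (ID, USERNAME, REALM_ID, FEDERATION_LINK) appear in the logged query above; the column names of USER_GROUP_MEMBERSHIP (USER_ID, GROUP_ID), FED_USER_GROUP_MEMBERSHIP (USER_ID, GROUP_ID, REALM_ID) and KEYCLOAK_GROUP (ID, NAME, REALM_ID), and the realm id literal, are assumptions to check against your schema.

```sql
-- Added diagnostic queries; not from the thread or from Keycloak itself.
-- ASSUMPTION: membership/group column names below match your Keycloak schema.
-- PLACEHOLDER: replace 'REALM-ID-PLACEHOLDER' with the REALM_ID of the affected realm.

-- 1. Per federated user (FEDERATION_LINK set): group rows in each membership table.
--    A user imported from LDAP with local_memberships = 0 after a sync
--    indicates the sync did not map its groups (e.g. an LDAP filter excluded the user).
SELECT u.USERNAME,
       u.FEDERATION_LINK,
       COUNT(DISTINCT ugm.GROUP_ID) AS local_memberships,
       COUNT(DISTINCT fgm.GROUP_ID) AS federated_memberships
FROM   USER_ENTITY u
LEFT JOIN USER_GROUP_MEMBERSHIP ugm
       ON ugm.USER_ID = u.ID
LEFT JOIN FED_USER_GROUP_MEMBERSHIP fgm
       ON fgm.USER_ID = u.ID
      AND fgm.REALM_ID = u.REALM_ID
WHERE  u.REALM_ID = 'REALM-ID-PLACEHOLDER'
  AND  u.FEDERATION_LINK IS NOT NULL
GROUP BY u.USERNAME, u.FEDERATION_LINK
ORDER BY local_memberships, u.USERNAME;

-- 2. Per group: members from each table, split into federated and non-federated users.
--    A group that should hold LDAP users but shows only the locally created user
--    (as in the report above) will have federated_members = 0.
SELECT g.NAME                                                    AS group_name,
       COUNT(DISTINCT CASE WHEN u.FEDERATION_LINK IS NULL
                           THEN ugm.USER_ID END)                 AS local_only_members,
       COUNT(DISTINCT CASE WHEN u.FEDERATION_LINK IS NOT NULL
                           THEN ugm.USER_ID END)                 AS federated_members,
       COUNT(DISTINCT fgm.USER_ID)                               AS fed_table_members
FROM   KEYCLOAK_GROUP g
LEFT JOIN USER_GROUP_MEMBERSHIP ugm
       ON ugm.GROUP_ID = g.ID
LEFT JOIN USER_ENTITY u
       ON u.ID = ugm.USER_ID
LEFT JOIN FED_USER_GROUP_MEMBERSHIP fgm
       ON fgm.GROUP_ID = g.ID
      AND fgm.REALM_ID = g.REALM_ID
WHERE  g.REALM_ID = 'REALM-ID-PLACEHOLDER'
GROUP BY g.NAME
ORDER BY federated_members, g.NAME;
```

Run both before and after the re-sync: the first query should stop listing LDAP users with zero local memberships, and the second should show federated_members rising for the groups the LDAP group mapper populates. Both queries are read-only, so they are safe to run against a production database during troubleshooting.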