I am using Keycloak 9.0.3.
I am federating users from LDAP.
I have also created a group-ldap-mapper to pull the groups through from LDAP.
When I look at the groups pulled through, I see that the groups have members, but the members are only a subset of the full list: only about 3 or 4 out of a group that has 15 members.
Furthermore, when I look at a user listed in the group (so on the user object, going to the members tab), the user’s group membership is empty.
So when I connect the client, roles are not pulled through to the client.
Mapping of the roles into the ID token (or access token) is done with the roles mapper under the realm’s Client Scopes.
Is there an issue, should I update or add an additional mapper?
Same problem suddenly appeared in Keycloak 11.0.0.
Keycloak gets users from LDAP User Federation, each user has proper list of groups.
But each group has only 1 user (the only user created without LDAP).
I’ve enabled DEBUG (as described on Docker Hub) and I see that Keycloak is doing 2 SQL queries:
select
    userentity1_.ID as ID1_73_,
    userentity1_.CREATED_TIMESTAMP as CREATED_2_73_,
    userentity1_.EMAIL as EMAIL3_73_,
    userentity1_.EMAIL_CONSTRAINT as EMAIL_CO4_73_,
    userentity1_.EMAIL_VERIFIED as EMAIL_VE5_73_,
    userentity1_.ENABLED as ENABLED6_73_,
    userentity1_.FEDERATION_LINK as FEDERATI7_73_,
    userentity1_.FIRST_NAME as FIRST_NA8_73_,
    userentity1_.LAST_NAME as LAST_NAM9_73_,
    userentity1_.NOT_BEFORE as NOT_BEF10_73_,
    userentity1_.REALM_ID as REALM_I11_73_,
    userentity1_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_73_,
    userentity1_.USERNAME as USERNAM13_73_
from
    public.USER_GROUP_MEMBERSHIP usergroupm0_
    inner join public.USER_ENTITY userentity1_
        on usergroupm0_.USER_ID = userentity1_.ID
where
    usergroupm0_.GROUP_ID = ?
order by
    userentity1_.USERNAME
limit ?
and
select
    federatedu0_.USER_ID as col_0_0_
from
    public.FED_USER_GROUP_MEMBERSHIP federatedu0_
where
    federatedu0_.GROUP_ID = ?
    and federatedu0_.REALM_ID = ?
limit ?
It seems that the second query returns no items, or the user IDs it returns are ignored.
P.S. I’ve checked the DB and I was right: FED_USER_GROUP_MEMBERSHIP is empty despite all users having groups. USER_GROUP_MEMBERSHIP is not empty.
keycloak-prod=> SELECT * FROM public.FED_USER_GROUP_MEMBERSHIP;
keycloak-prod=>
keycloak-prod=> SELECT * FROM public.USER_GROUP_MEMBERSHIP;
d2efaaa3-1111-1111-1111-44c49036b609 | d27f52b0-1111-1111-1111-72911111112
P.P.S.
The problem is found and fixed: our Federation had an LDAP Filter that filtered out LDAP users. Deleting the LDAP Filter and re-syncing helped.
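The two SQL statements above show that Keycloak assembles a group’s member list from two tables, USER_GROUP_MEMBERSHIP and FED_USER_GROUP_MEMBERSHIP, so a membership that never made it into either table is invisible to the client. The following is an added example, not code from the thread or from Keycloak: it mocks those tables in an in-memory SQLite database using only the columns visible in the posted queries (ID, USERNAME, FEDERATION_LINK, REALM_ID; USER_ID, GROUP_ID; and REALM_ID on the federated table), with constructed rows that reproduce what the poster saw, and runs the two checks a practitioner would want before blaming the mapper: member counts per group split by table, and the list of LDAP-linked users that have no membership row anywhere. The realm id, the FEDERATION_LINK value, the group id and the usernames are assumptions. Against a real Postgres database, swap the connection for psycopg2 and prefix the table names with `public.`.

```python
"""Diagnose Keycloak group memberships split across two tables (added example)."""
import sqlite3

REALM = "myrealm"             # assumed realm id
LDAP_LINK = "ldap-provider"   # assumed FEDERATION_LINK (id of the LDAP provider component)

# Reduced schema: only the columns the posted queries reference.
SCHEMA = """
CREATE TABLE USER_ENTITY (
    ID TEXT PRIMARY KEY, USERNAME TEXT NOT NULL,
    FEDERATION_LINK TEXT, REALM_ID TEXT NOT NULL);
CREATE TABLE USER_GROUP_MEMBERSHIP (
    USER_ID TEXT NOT NULL, GROUP_ID TEXT NOT NULL, PRIMARY KEY (GROUP_ID, USER_ID));
CREATE TABLE FED_USER_GROUP_MEMBERSHIP (
    USER_ID TEXT NOT NULL, GROUP_ID TEXT NOT NULL, REALM_ID TEXT NOT NULL,
    PRIMARY KEY (GROUP_ID, USER_ID));
"""

# Constructed sample: one local admin and three LDAP-imported users; only the
# local admin has a membership row, as in the poster's database.
SAMPLE_USERS = [
    ("u-local", "admin", None, REALM),
    ("u-ldap1", "alice", LDAP_LINK, REALM),
    ("u-ldap2", "bob", LDAP_LINK, REALM),
    ("u-ldap3", "carol", LDAP_LINK, REALM),
]
SAMPLE_LOCAL_MEMBERSHIP = [("u-local", "g-devs")]
SAMPLE_FED_MEMBERSHIP = []  # FED_USER_GROUP_MEMBERSHIP was empty in the thread


def build_db(users=SAMPLE_USERS, local=SAMPLE_LOCAL_MEMBERSHIP, fed=SAMPLE_FED_MEMBERSHIP):
    """Create the mock database and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USER_ENTITY VALUES (?,?,?,?)", users)
    conn.executemany("INSERT INTO USER_GROUP_MEMBERSHIP VALUES (?,?)", local)
    conn.executemany("INSERT INTO FED_USER_GROUP_MEMBERSHIP VALUES (?,?,?)", fed)
    return conn


def group_member_counts(conn, realm=REALM):
    """Per group id: how many members come from each of the two tables.

    The admin console's member list is the union of both sources, so a group
    whose only rows sit in USER_GROUP_MEMBERSHIP shows exactly those users.
    """
    rows = conn.execute(
        """
        SELECT GROUP_ID, SUM(local_hit), SUM(fed_hit) FROM (
            SELECT GROUP_ID, 1 AS local_hit, 0 AS fed_hit FROM USER_GROUP_MEMBERSHIP
            UNION ALL
            SELECT GROUP_ID, 0, 1 FROM FED_USER_GROUP_MEMBERSHIP WHERE REALM_ID = ?
        ) AS hits
        GROUP BY GROUP_ID ORDER BY GROUP_ID
        """,
        (realm,),
    ).fetchall()
    return {g: {"local": l, "federated": f} for g, l, f in rows}


def federated_users_without_groups(conn, realm=REALM):
    """Usernames of LDAP-linked users (FEDERATION_LINK set) with no membership row at all.

    If this is the whole LDAP population, the mapper never wrote memberships:
    check the federation's LDAP filter (the poster's root cause) and the
    mapper's Groups DN / membership attribute, then re-sync.
    """
    rows = conn.execute(
        """
        SELECT u.USERNAME FROM USER_ENTITY u
         WHERE u.REALM_ID = ? AND u.FEDERATION_LINK IS NOT NULL
           AND NOT EXISTS (SELECT 1 FROM USER_GROUP_MEMBERSHIP m WHERE m.USER_ID = u.ID)
           AND NOT EXISTS (SELECT 1 FROM FED_USER_GROUP_MEMBERSHIP f
                            WHERE f.USER_ID = u.ID AND f.REALM_ID = u.REALM_ID)
         ORDER BY u.USERNAME
        """,
        (realm,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("members per group:", group_member_counts(db))
    print("LDAP users with no group:", federated_users_without_groups(db))
```

With the constructed rows the first check reports one local member and zero federated members for the group, and the second lists all three LDAP users, which is the pattern the poster describes; after a sync that actually imports memberships, the second list shrinks to the users the LDAP filter still excludes.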
Yip, my issue is somewhat fixed. The strategy I was using did not match the strategy on LDAP. Instead of creating a single group mapper to pull all the groups recursively, I have to create a group mapper for each separate LDAP Groups DN, and then make them subgroups with a Groups Path.
Not the most automated way, but good enough. Now assignments work well.