Groups mapped from LDAP are not showing up on the user's groups

I am using Keycloak 9.0.3.
I am federating users from LDAP.

I have also created a group-ldap-mapper to pull the groups through from LDAP.
When I look at the groups pulled through I see that the groups have members - but the members are only a subset of the full list - only about 3 or 4 out of a group that has 15 members.

Furthermore, when I look at a user listed in the group - so on the user object, going to the members tab - the user's Group membership is empty.

So when I connect the client - roles are not pulled through to the client.
Mapping of the roles into the id token (or access token) is done with the roles mapper under the realms Client Scopes.

Is there an issue, should I update or add an additional mapper?

I have the same issue, even worse - none of my groups are mapped to the users.
Did you find a solution?

No, no solution yet. But I need to upgrade Keycloak to the latest to check.

Same problem suddenly appeared in Keycloak 11.0.0.
Keycloak gets users from LDAP User Federation, and each user has a proper list of groups.
But each group has only 1 user (the only user created without LDAP).

I’ve enabled DEBUG (as described in Docker Hub) and I see that Keycloak is doing 2 SQL queries:

    userentity1_.ID as ID1_73_,
    userentity1_.CREATED_TIMESTAMP as CREATED_2_73_,
    userentity1_.EMAIL as EMAIL3_73_,
    userentity1_.EMAIL_CONSTRAINT as EMAIL_CO4_73_,
    userentity1_.EMAIL_VERIFIED as EMAIL_VE5_73_,
    userentity1_.ENABLED as ENABLED6_73_,
    userentity1_.FEDERATION_LINK as FEDERATI7_73_,
    userentity1_.FIRST_NAME as FIRST_NA8_73_,
    userentity1_.LAST_NAME as LAST_NAM9_73_,
    userentity1_.NOT_BEFORE as NOT_BEF10_73_,
    userentity1_.REALM_ID as REALM_I11_73_,
    userentity1_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_73_,
    userentity1_.USERNAME as USERNAM13_73_ 
    public.USER_GROUP_MEMBERSHIP usergroupm0_ 
inner join
    public.USER_ENTITY userentity1_ 
        on usergroupm0_.USER_ID=userentity1_.ID 

WHERE usergroupm0_.GROUP_ID=?
order by
userentity1_.USERNAME limit ?


    federatedu0_.USER_ID as col_0_0_ 
    public.FED_USER_GROUP_MEMBERSHIP federatedu0_ 
    and federatedu0_.REALM_ID=? limit ?

It seems that the second query returns no items, or the user IDs from there are ignored.

P.S. I’ve checked the DB and I was right, FED_USER_GROUP_MEMBERSHIP is empty despite all users having groups. USER_GROUP_MEMBERSHIP is not empty.

keycloak-prod=> SELECT * FROM public.USER_GROUP_MEMBERSHIP;
d2efaaa3-1111-1111-1111-44c49036b609 | d27f52b0-1111-1111-1111-72911111112
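A fuller version of that database check, added here as an example and not part of the original post: instead of dumping the raw membership rows, it joins both membership tables to KEYCLOAK_GROUP so each group's local and federated member counts sit side by side, then lists LDAP-linked users that have no group row in either table. Table and column names (KEYCLOAK_GROUP, REALM, USER_ENTITY, FEDERATION_LINK, REALM_ID) are taken from Keycloak's PostgreSQL schema as I know it for the 9.x to 11.x line; the realm name 'my-realm' is a placeholder to replace with your own.

```sql
-- Added diagnostic, not from the thread. Assumes Keycloak's PostgreSQL schema
-- (KEYCLOAK_GROUP, REALM, USER_ENTITY, USER_GROUP_MEMBERSHIP, FED_USER_GROUP_MEMBERSHIP).
-- 'my-realm' is a placeholder realm name.

-- 1. Per-group member counts from both membership tables. A group that shows
--    members in the admin console but 0 in both columns here has no persisted
--    membership at all; a group with rows only in USER_GROUP_MEMBERSHIP is
--    populated by imported (USER_ENTITY) users rather than unsynced federated ones.
WITH local_members AS (
    SELECT ugm.GROUP_ID, COUNT(*) AS n
    FROM public.USER_GROUP_MEMBERSHIP ugm
    GROUP BY ugm.GROUP_ID
), fed_members AS (
    SELECT fgm.GROUP_ID, COUNT(*) AS n
    FROM public.FED_USER_GROUP_MEMBERSHIP fgm
    GROUP BY fgm.GROUP_ID
)
SELECT g.NAME                 AS group_name,
       COALESCE(lm.n, 0)      AS local_members,
       COALESCE(fm.n, 0)      AS federated_members
FROM public.KEYCLOAK_GROUP g
JOIN public.REALM r           ON r.ID = g.REALM_ID
LEFT JOIN local_members lm    ON lm.GROUP_ID = g.ID
LEFT JOIN fed_members fm      ON fm.GROUP_ID = g.ID
WHERE r.NAME = 'my-realm'
ORDER BY g.NAME;

-- 2. LDAP-federated users (FEDERATION_LINK set) with no group row anywhere.
--    Users listed here were synced from LDAP but the group mapper assigned them
--    nothing, which is what a too-narrow LDAP filter or a mismatched
--    membership-retrieval strategy looks like from the database side.
SELECT u.USERNAME, u.FEDERATION_LINK
FROM public.USER_ENTITY u
JOIN public.REALM r ON r.ID = u.REALM_ID
WHERE r.NAME = 'my-realm'
  AND u.FEDERATION_LINK IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM public.USER_GROUP_MEMBERSHIP m
                  WHERE m.USER_ID = u.ID)
  AND NOT EXISTS (SELECT 1 FROM public.FED_USER_GROUP_MEMBERSHIP f
                  WHERE f.USER_ID = u.ID)
ORDER BY u.USERNAME;
```

Run it from psql against the Keycloak database (read-only access is enough). Comparing the first result set before and after a "Sync all users" on the federation provider shows directly whether a mapper or filter change actually changed what got persisted, rather than relying on what the admin console renders.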

Problem is found and fixed: our Federation had an LDAP Filter that filtered out LDAP users. Deleting the LDAP Filter and re-syncing helped.

Yip, my issue is somewhat fixed. The strategy I was using did not match the strategy on ldap. Instead of creating a single group mapper to pull all the groups recursively.

I have to create a group mapper for each separate LDAP Groups DN… and then make them subgroups with a Groups Path.

Not the most automated way but good enough. Now assignments work well.