How should I sync groups from AD (LDAP) to Keycloak?

I have set up my groups within OU=Organization Structure as shown here

https://raw.githubusercontent.com/ackerleytng/kc-ad-exploration/master/provisioned-ad-structure.svg

When I import the groups using group-ldap-mapper in keycloak, I use the following settings:

LDAP Groups DN: OU=Organization Structure,DC=vdom,DC=local
Group Name LDAP Attribute: cn
Group Object Classes: group
Ignore Missing Groups: True
Membership LDAP Attribute: member
Membership Attribute Type: DN
LDAP Filter:
Mode: READ_ONLY
User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
Mapped Group Attributes:
Drop non-existing groups during sync: False

Two issues:

(1) If I disable ignore missing groups, on import, Keycloak complains:

Uncaught server error: org.keycloak.models.ModelException: Couldn’t resolve groups from LDAP. Fix LDAP or skip preserve inheritance. Details: Group ‘Charlie Zoe’ referenced as member of group ‘Appdev’ doesn’t exists

But Charlie Zoe isn’t a group, it’s a user! How do I configure Keycloak to understand that?

(2) If I enable ignore missing groups, the import proceeds fine, and the Groups tab for each user shows the correct group. However, if I go to Groups and select Members, I get a NullPointerException?

  1. From reviewing the code around this, when resolving group trees from a federation provider, there is an assumption that members of groups are also groups. I don’t understand how this could ever be the case. So the configuration you have above (with ignore missing groups set to true) is correct. This gets around the issue, but prevents erroneous entries from your LDAP instance being detected.
  2. Can you share the null pointer you are getting here? I am not seeing the same issue.
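To make the assumption in point 1 concrete, here is an added illustration (not Keycloak's own code) that models how a mapper walking group entries with "preserve inheritance" treats every `member` DN as a subgroup, and how "ignore missing groups" changes that. The group entries and DNs are constructed to mirror the layout in the question.

```python
# Added illustration, not Keycloak's implementation: a simplified model of a
# group mapper resolving a group tree from LDAP "member" attributes.
# All entries below are constructed sample data.

GROUPS_DN = "OU=Organization Structure,DC=vdom,DC=local"
USERS_DN = "CN=Users,DC=vdom,DC=local"

# Constructed sample: group entries keyed by DN with their "member" DNs.
# Note that a user DN (Charlie Zoe) appears directly as a member of Appdev.
LDAP_GROUPS = {
    f"CN=Appdev,{GROUPS_DN}": {
        "cn": "Appdev",
        "member": [f"CN=Backend,{GROUPS_DN}", f"CN=Charlie Zoe,{USERS_DN}"],
    },
    f"CN=Backend,{GROUPS_DN}": {
        "cn": "Backend",
        "member": [f"CN=Dana Roe,{USERS_DN}"],
    },
}


class MissingGroupError(Exception):
    """Stands in for the ModelException the question shows."""


def build_group_tree(groups, ignore_missing_groups):
    """Return ({parent cn: [child cns]}, [member DNs that are not groups]).

    With ignore_missing_groups=False every member DN is assumed to be a
    group, so the first user DN aborts the whole sync. With True, member
    DNs that are not groups are skipped and returned so an operator can
    confirm they belong to users (and are handled by the user mapper).
    """
    tree = {}
    skipped = []
    for attrs in groups.values():
        children = []
        for member_dn in attrs.get("member", []):
            if member_dn in groups:
                children.append(groups[member_dn]["cn"])
            elif ignore_missing_groups:
                skipped.append(member_dn)
            else:
                raise MissingGroupError(
                    f"Group '{member_dn}' referenced as member of group "
                    f"'{attrs['cn']}' does not exist"
                )
        tree[attrs["cn"]] = children
    return tree, skipped
```

Running `build_group_tree(LDAP_GROUPS, False)` fails on Charlie Zoe's DN, while `True` yields the Appdev → Backend tree and lists the two user DNs it skipped, so silently dropped entries can still be reviewed.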

Sorry I took a while to get back to this!

  1. Yes, sounds like it’s not a good assumption that members of groups are always groups. Here’s the backtrace from the first case, with “ignore missing groups” disabled.
    https://pastebin.com/3GwYb2Bw

  2. I just re-set up the entire environment to reproduce this again, and I can’t reproduce this either. I think there might be something else about my previous config that was causing this. I guess we can just focus on the first issue then!

Jumping into this, “ignore missing groups” fixed my issue. You really made my day!!