We’re looking at switching our product to use Keycloak for authentication and user-management. We have already been using LDAP, and have a wonky setup where we have been storing the user-group relationship on both the user objects and the group objects in LDAP.
For example, a group with users “person1” and “person2” would have these attributes (yes, the same group is stored in two different attributes):
member: uid=person1,ou=People,dc=example,dc=com
member: uid=person2,ou=People,dc=example,dc=com
memberUid: person1
memberUid: person2
And a user with groups “group1” and “group2” would have these attributes:
memberOf: cn=group1,ou=Groups,dc=example,dc=com
memberOf: cn=group2,ou=Groups,dc=example,dc=com
Is it possible to configure Keycloak to support this kind of setup? I’ve been able to figure out how to create a custom group-ldap-mapper to import groups based on one of these attributes, but I couldn’t find any configuration to have it support reading and updating from all three.
If this isn’t possible to do, that’s fine. We’re wanting to eventually refactor some things to allow us to take out this two-way user-group binding system we have, but it would be nice if this refactoring didn’t have to be done right now.
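Whatever the mapper ends up doing, a setup that stores the same membership in three places can silently drift, and a group Keycloak imports from one attribute may not match what the other two say. The script below is an added example, not code from the post or from Keycloak: it parses a small constructed LDIF export and reports every group/user pair where `member`, `memberUid` and `memberOf` disagree, which is a useful pre-migration check.

```python
# Added example: cross-check the three places this LDAP layout stores the same
# membership (group.member, group.memberUid, user.memberOf). The LDIF text is
# constructed for the demo; attribute names and DN shapes follow the post.
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=group1,ou=Groups,dc=example,dc=com
member: uid=person1,ou=People,dc=example,dc=com
member: uid=person2,ou=People,dc=example,dc=com
memberUid: person1

dn: uid=person1,ou=People,dc=example,dc=com
memberOf: cn=group1,ou=Groups,dc=example,dc=com

dn: uid=person2,ou=People,dc=example,dc=com
memberOf: cn=group1,ou=Groups,dc=example,dc=com
memberOf: cn=group2,ou=Groups,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def uid_of(dn):
    """Extract the uid RDN value from a user DN, or None if it has none."""
    m = re.match(r"uid=([^,]+),", dn)
    return m.group(1) if m else None

def membership_mismatches(entries):
    """Sorted (group_dn, uid, missing_source) tuples for inconsistent pairs."""
    views = defaultdict(set)        # (group_dn, uid) -> sources that assert it
    for dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            views[(dn, uid_of(member_dn))].add("member")
        for uid in attrs.get("memberUid", []):
            views[(dn, uid)].add("memberUid")
        for group_dn in attrs.get("memberOf", []):
            views[(group_dn, uid_of(dn))].add("memberOf")
    sources = {"member", "memberUid", "memberOf"}
    return sorted((g, u, s) for (g, u), seen in views.items()
                  for s in sorted(sources - seen))
```

Running `membership_mismatches(parse_ldif(SAMPLE_LDIF))` flags person2 as missing `memberUid` on group1 and missing both group-side attributes on group2, the kind of drift that decides which attribute is safe to treat as authoritative when the mapper is configured.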