Keycloak version: 10.0.2
Java version: 1.8.0_232
OpenLDAP: slapd 2.4.44
MariaDB: MariaDB-server-10.4.13-1
We have nested/hierarchical groups in our domain LDAP defined like “dn: ou=company,ou=groups,dc=widgets,dc=com” and “dn: ou=recruiting,ou=company,ou=groups,dc=widgets,dc=com” but when mapped to Keycloak, the “recruiting” and “company” groups are both at the root level instead of preserving the nesting. Does the group-ldap-mapper support preserving the nesting?
If I create the same groups in Keycloak instead of LDAP, they appear nested in Keycloak but recruiting ends up as “dn: cn=recruiting,ou=groups,dc=widgets,dc=com” in LDAP.
MemberOf mapping configs are:
- ID: a UUID
- Name: MemberOf
- Mapper Type: group-ldap-mapper
- LDAP Groups DN: ou=groups,dc=widgets,dc=com
- Group Name LDAP Attribute: cn
- Group Object Classes: groupOfNames
- Preserve Group Inheritance: On
- Ignore Missing Groups: Off
- Membership LDAP Attribute: member
- Membership Attribute Type: DN
- Membership User LDAP Attribute: uid
- LDAP Filter:
- Mode: LDAP_ONLY
- User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
- Member-Of LDAP Attribute: memberOf
- Mapped Group Attributes: description
- Drop non-existing groups during sync: Off
We did try changing Group Object Classes to be “organizationalUnit” and tried changing Group Name LDAP Attribute to be “ou”, but neither changed this behavior. We’re happy to change our LDAP definitions to something that will match the hierarchy in Keycloak, but just don’t know what that would be.
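As an added illustration, not part of the original post: with Preserve Group Inheritance on, Keycloak's group-ldap-mapper expresses nesting through the membership attribute (a parent group's `member` values include the child group's DN, all groups sitting flat under the Groups DN) rather than through DN nesting, which matches the `cn=recruiting,ou=groups,...` entry Keycloak created. The constructed LDIF and parser below (sample data, not the poster's directory) rebuild the tree from that representation and flag the two shapes the Keycloak documentation says break such a sync: a child group with several parents, and a membership cycle.

```python
# Constructed sample LDIF (not from the post): flat groupOfNames entries
# directly under the Groups DN; "company" lists the child group's DN in member.
SAMPLE_LDIF = """\
dn: cn=company,ou=groups,dc=widgets,dc=com
objectClass: groupOfNames
cn: company
member: cn=recruiting,ou=groups,dc=widgets,dc=com
member: uid=alice,ou=people,dc=widgets,dc=com

dn: cn=recruiting,ou=groups,dc=widgets,dc=com
objectClass: groupOfNames
cn: recruiting
member: uid=bob,ou=people,dc=widgets,dc=com
"""
GROUPS_DN = "ou=groups,dc=widgets,dc=com"  # same value as the mapper's LDAP Groups DN

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; no line folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def group_tree(entries, groups_dn=GROUPS_DN):
    """Return (children, roots, problems): each group cn mapped to its child group
    cns, the top-level cns, and the structures a tree sync cannot represent."""
    suffix = "," + groups_dn.lower()
    groups = {dn.lower(): e for dn, e in entries.items() if dn.lower().endswith(suffix)
              and "groupofnames" in [v.lower() for v in e.get("objectclass", [])]}
    def name(dn):  # cn=recruiting,ou=groups,... -> recruiting
        return dn.split(",", 1)[0].split("=", 1)[1]
    # A member value that is itself a group DN under the Groups DN is a subgroup.
    children = {name(dn): sorted(name(m.lower()) for m in e.get("member", [])
                                 if m.lower() in groups) for dn, e in groups.items()}
    parents = {}
    for parent, kids in children.items():
        for kid in kids:
            parents.setdefault(kid, []).append(parent)
    problems = [f"{k} has several parents: {sorted(p)}" for k, p in parents.items() if len(p) > 1]
    def on_cycle(node, path):  # depth-first walk; revisiting a node on the path is a loop
        return node in path or any(on_cycle(c, path | {node}) for c in children.get(node, []))
    problems += [f"cycle reachable from {g}" for g in children if on_cycle(g, frozenset())]
    roots = sorted(g for g in children if g not in parents)
    return children, roots, problems
```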