Keycloak group-ldap-mapper not preserving group hierarchy from LDAP

Keycloak version: 10.0.2

Java version: 1.8.0_232

OpenLDAP: slapd 2.4.44

MariaDB: MariaDB-server-10.4.13-1

We have nested/hierarchical groups in our domain LDAP defined like “dn: ou=company,ou=groups,dc=widgets,dc=com” and “dn: ou=recruiting,ou=company,ou=groups,dc=widgets,dc=com” but when mapped to Keycloak, the “recruiting” and “company” groups are both at the root level instead of preserving the nesting. Does the group-ldap-mapper support preserving the nesting?

If I create the same groups in Keycloak instead of LDAP, they appear nested in Keycloak but recruiting ends up as “dn: cn=recruiting,ou=groups,dc=widgets,dc=com” in LDAP.

MemberOf mapping configs are:

  1. ID: a UUID
  2. Name: MemberOf
  3. Mapper Type: group-ldap-mapper
  4. LDAP Groups DN: ou=groups,dc=widgets,dc=com
  5. Group Name LDAP Attribute: cn
  6. Group Object Classes: groupOfNames
  7. Preserve Group Inheritance: On
  8. Ignore Missing Groups: Off
  9. Membership LDAP Attribute: member
  10. Membership Attribute Type: DN
  11. Membership User LDAP Attribute: uid
  12. LDAP Filter:
  13. Mode: LDAP_ONLY
  14. User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
  15. Member-Of LDAP Attribute: memberOf
  16. Mapped Group Attributes: description
  17. Drop non-existing groups during sync: Off

We did try changing Group Object Classes to be “organizationalUnit” and tried changing Group Name LDAP Attribute to be “ou”, but neither changed this behavior. We’re happy to change our LDAP definitions to something that will match the hierarchy in Keycloak, but just don’t know what that would be.
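Added example, not code from the post or from Keycloak itself: a small Python model of how the group-ldap-mapper turns flat LDAP group entries into a nested Keycloak tree. It assumes that with Preserve Group Inheritance on, nesting comes from group-in-group membership (a parent group whose `member` attribute holds a child group's DN) rather than from where the child entry sits under an organizationalUnit, so OU-nested entries without such links stay flat; all DNs, group names and users are constructed.

```python
# Constructed LDAP groups (not from the original post). "company" lists the
# "recruiting" group's DN in its member attribute; that group-in-group link,
# not the child's position in the DIT, is what the mapper turns into nesting.
LDAP_GROUPS = [
    {"dn": "cn=company,ou=groups,dc=widgets,dc=com", "cn": "company",
     "member": ["cn=recruiting,ou=groups,dc=widgets,dc=com",
                "uid=alice,ou=people,dc=widgets,dc=com"]},
    {"dn": "cn=recruiting,ou=groups,dc=widgets,dc=com", "cn": "recruiting",
     "member": ["uid=bob,ou=people,dc=widgets,dc=com"]},
]

def resolve_group_tree(groups):
    """Build {group: [children]} and the root list from member attributes.
    Member values that are not another group's DN (users) are skipped.
    Raises ValueError for a child with several parents or for a cycle,
    the two layouts the mapper is documented not to handle."""
    by_dn = {g["dn"].lower(): g["cn"] for g in groups}
    children = {g["cn"]: [] for g in groups}
    parent_of = {}
    for g in groups:
        for dn in g.get("member", []):
            child = by_dn.get(dn.lower())
            if child is None:
                continue  # a user DN, not a group-in-group link
            if child in parent_of:
                raise ValueError(f"{child} has more than one parent group")
            parent_of[child] = g["cn"]
            children[g["cn"]].append(child)
    for name in children:  # walk upwards; revisiting a node means a cycle
        seen, cur = set(), name
        while cur in parent_of:
            if cur in seen:
                raise ValueError(f"recursive membership at {cur}")
            seen.add(cur)
            cur = parent_of[cur]
    roots = sorted(n for n in children if n not in parent_of)
    return children, roots

def keycloak_paths(groups):
    """Render the tree as Keycloak group paths, e.g. /company/recruiting."""
    children, roots = resolve_group_tree(groups)
    paths = []
    def walk(name, prefix):
        paths.append(f"{prefix}/{name}")
        for child in sorted(children[name]):
            walk(child, f"{prefix}/{name}")
    for root in roots:
        walk(root, "")
    return paths
```

Running `keycloak_paths(LDAP_GROUPS)` yields `/company` and `/company/recruiting`; the same two groups without the `member` link between them come out as two root groups, which matches the flat result described in the post.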

Did you find a solution? We have the same issue.

We did not. We happened to also have the hierarchy in our database so we worked around this by mapping the user’s organization to those values. If you do find a solution to this, please share!