We have a running Keycloak 11 instance, that integrates our MS Active Directory via LDAP user federation.
We also would like to map some AD-groups to Keycloak user groups to simplify group-based authorisation in Keycloak. Therefore we configured an LDAP group mapper.
When asked for member in this group, this mapper delegates the question to LDAP. Unfortunately, it seems that only the RDN attribute of the member-references in Active Directory is employed to identify a user. This can easily be ambiguous in some AD szenarios leading to members in a Keycloak group that should not be part of it.
In more details:
Active Directory
- Two organizational units (OU1 and OU2)
- Two users (CN=User1,OU=OU1,DC=…) and (CN=User1,OU=OU2,DC=…)
- Group MyGroup (CN=MyGroup,OU=OU1,DC=…) with member Attribute
- CN=User1,OU=OU1,DC=…
User Federation: LDAP Connection to Active Directory and LDAP Group Mapper
Using this configuration the group MyGroup is imported. Although only the first user1 is part of this group in LDAP, Keycloak shows both user1 users on the Member-Tab of this group.
Taking a closer look at the code reveals, that only the first part of the member-reference is used (only the rdn), which is ambiguous in the previous scenario.
Is this a (known) bug or is the AD connection-configuration wrong?
Any help is appreciated,
Dominik