Map roles from ldap

Hi!

I’m trying GitHub - sventorben/keycloak-restrict-client-auth: A Keycloak authenticator to restrict authorization on clients

And I’m stuck on a problem.

Creating the role “restricted-access” on a client works.
Users without this role assigned cannot log in to the client.
Then I can manually assign the role for each client to the users. Then they can log in to the clients whose role they have assigned.

But… in my LDAP (where the users in Keycloak come from) I’ve got groupOfNames named “perm-app-_users” and “perm-app-_admins”.

And when a user is a member of one of those 2 LDAP groups, it should get access to the app. In Keycloak the user should get the group(s) mapped to the client role “restricted-access” for

Is such a mapping possible? And how can I do this?

There’s no LDAP group to KC role mapper ootb.
But you can try to sync the LDAP groups to KC and assign the respective role(s) to these groups. This way, the users in these group(s) will inherit the roles from the group.

Thank you.
You mean I should sync LDAP groups as groups in KC, not as roles?

Yes, sync the groups from LDAP to KC as groups, then assign the roles to these groups.

Ok.
And is some kind of automation not possible, to add roles to the groups based on a pattern?

Not with default resources; you’d have to implement your own custom mapper for doing such things.

Ok. Thank you.
Seems to work now.
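An added example, not from this thread or the keycloak-restrict-client-auth project, of the pattern-based automation asked about above: instead of a custom mapper, a script run against the Keycloak Admin REST API that gives every synced group matching a naming pattern the matching client’s “restricted-access” role. It assumes the LDAP groups were synced as Keycloak groups named like `perm-app-<clientId>_users` / `perm-app-<clientId>_admins` (an assumed convention), an admin bearer token obtained separately, and only the Python standard library.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumed naming convention: synced group "perm-app-<clientId>_users" or
# "perm-app-<clientId>_admins" should get the client role on client <clientId>.
GROUP_PATTERN = re.compile(r"^perm-app-(?P<client>[A-Za-z0-9-]+)_(users|admins)$")
ROLE_NAME = "restricted-access"  # client role checked by keycloak-restrict-client-auth


def plan_assignments(group_names):
    """Map each matching group name to the clientId whose 'restricted-access'
    role it should receive. Non-matching groups are ignored, never guessed."""
    plan = {}
    for name in group_names:
        m = GROUP_PATTERN.match(name)
        if m:
            plan[name] = m.group("client")
    return plan


def _call(base_url, token, method, path, body=None):
    """Minimal JSON call against the Admin REST API with a bearer token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return json.loads(raw) if raw else None


def assign_restricted_access(base_url, realm, token):
    """For every top-level group matching the pattern, add the target client's
    'restricted-access' role to the group's client-role mappings; members
    then inherit the role, as described in the thread. Returns what was done."""
    realm_path = f"/admin/realms/{realm}"
    groups = _call(base_url, token, "GET", f"{realm_path}/groups?max=1000")
    by_name = {g["name"]: g["id"] for g in groups}
    done = []
    for group, client_id in plan_assignments(by_name).items():
        clients = _call(base_url, token, "GET",
                        f"{realm_path}/clients?clientId={urllib.parse.quote(client_id)}")
        if not clients:
            continue  # no client with that clientId: skip instead of guessing
        cid = clients[0]["id"]
        role = _call(base_url, token, "GET", f"{realm_path}/clients/{cid}/roles/{ROLE_NAME}")
        _call(base_url, token, "POST",
              f"{realm_path}/groups/{by_name[group]}/role-mappings/clients/{cid}", [role])
        done.append((group, client_id))
    return done
```

Groups nested below the top level are not visited here; extend the group listing if your LDAP group mapper creates a parent group.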