In Keycloak, if I create or delete a group, everything appears to work fine (and no errors are logged in the Keycloak console). However, these changes don’t ever seem to sync with LDAP. Direct LDAP queries don’t show these new changes, and asking Keycloak to “synchronise changed users” (in the “user federation” area) causes the changes to be reverted to what LDAP had stored, effectively undoing all changes to groups.
In the group mapper page, I am able to push the “Sync Keycloak Groups To LDAP” button. If I add a group and push this button, it’ll first give the error in the Keycloak console “Uncaught server error: org.keycloak.models.ModelException: Could not retrieve identifier for entry [cn=,ou=Groups,dc=,dc=com].”, and then if I push the button a second time, it’ll work and sync the groups to LDAP. If I delete a group and then push the button, it just works the first time. So, this is a valid workaround, but it’s not ideal for us to have to train people to push this button whenever they create/delete groups, and to ignore errors that pop up.
Here’s how our group mapper is configured:
And if I query for a group in LDAP, here’s how it looks:
dn: cn=exampleGroup,ou=Groups,dc=searchappliance,dc=com
objectClass: groupOfNames
objectClass: top
cn: exampleGroup
member: cn=empty-membership-placeholder
member: uid=exampleuser,ou=People,dc=searchappliance,dc=com
I’m running Keycloak version 17.
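One way to catch the drift described above before the next "synchronise changed users" run silently reverts it is to compare the groups Keycloak knows about against an LDIF export of ou=Groups. The script below is an added example, not code from the post or from Keycloak: it parses groupOfNames entries in the same shape as the entry shown above (the LDIF text and the Keycloak group list are constructed here; in practice the LDIF would come from an ldapsearch export and the names from the admin console or the admin REST API's group listing).

```python
"""Detect Keycloak <-> LDAP group drift from an LDIF export (constructed example)."""
from typing import Dict, List, Set

# Placeholder member that groupOfNames entries carry when otherwise empty (seen in the post).
PLACEHOLDER = "cn=empty-membership-placeholder"


def parse_ldif_groups(ldif: str) -> Dict[str, List[str]]:
    """Return {cn: [member DNs]} for every groupOfNames entry in an LDIF text."""
    groups: Dict[str, List[str]] = {}
    for block in ldif.strip().split("\n\n"):          # LDIF entries are blank-line separated
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)           # values (DNs) may contain further colons
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofnames" not in classes:
            continue
        cn = attrs["cn"][0]
        groups[cn] = [m for m in attrs.get("member", []) if m != PLACEHOLDER]
    return groups


def find_drift(keycloak_groups: Set[str], ldap_groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Groups present on one side only: the ones a sync would create or revert."""
    in_ldap = set(ldap_groups)
    return {
        "missing_in_ldap": keycloak_groups - in_ldap,      # created in Keycloak, never written to LDAP
        "missing_in_keycloak": in_ldap - keycloak_groups,  # deleted in Keycloak, still in LDAP
    }


# Constructed LDIF modelled on the entry in the post, plus a second group.
SAMPLE_LDIF = """dn: cn=exampleGroup,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: exampleGroup
member: cn=empty-membership-placeholder
member: uid=exampleuser,ou=People,dc=example,dc=com

dn: cn=staleGroup,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: staleGroup
member: cn=empty-membership-placeholder
"""

# Constructed: what Keycloak currently lists (newGroup was created in Keycloak only).
KEYCLOAK_GROUPS = {"exampleGroup", "newGroup"}

if __name__ == "__main__":
    print(find_drift(KEYCLOAK_GROUPS, parse_ldif_groups(SAMPLE_LDIF)))
```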