I’m playing with dynamic groups in LDAP (Group Object Classes: groupOfURLs; Membership LDAP Attribute: member). We are using the keycloak 12.0.2 docker image.
Keycloak is able to fetch the group but not the members. Debugging the LDAP queries via tcpdump (after disabling TLS) helped me understand the reason:
The LDAP client in keycloak is setting the LDAP ManageDsaIT control (RFC 3296, Named Subordinate References):
man ldapsearch
-M[M] Enable manage DSA IT control. -MM makes control critical.
ldapsearch without this flag works fine:
# dyntest, dyngroups, groups, example.com
dn: cn=dyntest,ou=dyngroups,ou=groups,dc=example,dc=com
cn: dyntest
objectClass: groupOfURLs
objectClass: top
entryUUID: 07ee873e-04aa-103b-9e72-952f9e4d90e3
memberURL: ldap:///ou=people,dc=example,dc=com?uid?sub?(uid=hans.dampf)
memberURL: ldap:///ou=foo,ou=people,dc=example,dc=com?uid?one?(objectClass=person)
member: uid=hans.dampf,ou=dev-berlin,ou=people,dc=example,dc=com
member: uid=xxx.yyy,ou=foo,ou=people,dc=example,dc=com
member: uid=xxx.ccc,ou=foo,ou=people,dc=example,dc=com
With this flag (ldapsearch -M) enabled, the memberURLs are not resolved to member attributes on the server:
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=dyngroups,ou=groups,dc=example,dc=com> with scope subtree
# filter: (&(cn=dyntest)(objectClass=groupOfURLs))
# requesting: ALL
# with manageDSAit control
#
# dyntest, dyngroups, groups, example.com
dn: cn=dyntest,ou=dyngroups,ou=groups,dc=example,dc=com
cn: dyntest
objectClass: groupOfURLs
objectClass: top
memberURL: ldap:///ou=people,dc=example,dc=com?uid?sub?(uid=hans.dampf)
memberURL: ldap:///ou=foo,ou=people,dc=example,dc=com?uid?one?(objectClass=person)
Is it possible to disable this flag somehow, or why is it used?
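To make the difference in the two ldapsearch outputs concrete, here is an added example (it is not part of the original post and is neither Keycloak nor OpenLDAP code) that does client-side what the server does when the ManageDsaIT control (OID 2.16.840.1.113730.3.4.2) is absent: it parses each memberURL as an RFC 4516 LDAP URL into base, scope, attributes and filter, then evaluates it against a small constructed in-memory directory to produce the member DNs. The directory entries and the extra ou=foo and uid=deep.user entries are assumptions built to mirror the DNs in the post; the filter evaluator only handles the RFC 4515 subset needed here (equality, presence, and/or/not).

```python
"""Resolve groupOfURLs memberURL values the way a server expands them when no
ManageDsaIT control is present. Added illustration, not Keycloak/OpenLDAP code.
The DIRECTORY below is a constructed sample that mirrors the DNs in the post."""
from urllib.parse import unquote

# Constructed sample directory: the three people from the post, the ou=foo
# container itself, and one entry nested two levels below ou=foo (assumed)
# so that the difference between scope "one" and scope "sub" is visible.
DIRECTORY = {
    "uid=hans.dampf,ou=dev-berlin,ou=people,dc=example,dc=com": {
        "objectClass": ["person", "inetOrgPerson"], "uid": ["hans.dampf"]},
    "uid=xxx.yyy,ou=foo,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["xxx.yyy"]},
    "uid=xxx.ccc,ou=foo,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["xxx.ccc"]},
    "ou=foo,ou=people,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["foo"]},
    "uid=deep.user,ou=nested,ou=foo,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["deep.user"]},
}

# The two memberURL values shown in the post.
MEMBER_URLS = [
    "ldap:///ou=people,dc=example,dc=com?uid?sub?(uid=hans.dampf)",
    "ldap:///ou=foo,ou=people,dc=example,dc=com?uid?one?(objectClass=person)",
]


def parse_member_url(url):
    """Split an RFC 4516 URL 'ldap://host/base?attrs?scope?filter' into parts.
    Missing scope defaults to 'base', missing filter to '(objectClass=*)'."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap URL: %r" % url)
    _host, _, tail = url[len("ldap://"):].partition("/")  # host empty for ldap:///
    parts = tail.split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def _norm_dn(dn):
    # Case-insensitive comparison, whitespace after commas ignored.
    # Escaped commas inside RDN values are not handled (not needed here).
    return ",".join(p.strip() for p in dn.lower().split(","))


def in_scope(entry_dn, base, scope):
    """True if entry_dn lies within search scope ('base', 'one', 'sub') of base."""
    e, b = _norm_dn(entry_dn), _norm_dn(base)
    if e == b:
        return scope in ("base", "sub")
    if scope == "base" or not e.endswith("," + b):
        return False
    if scope == "one":
        return "," not in e[: -len(b) - 1]  # exactly one RDN below the base
    return scope == "sub"


def _split_filters(s):
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] by tracking paren depth."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    return out


def matches(entry, filt):
    """Evaluate an RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")) or len(filt) < 3:
        raise ValueError("malformed filter: %r" % filt)
    body = filt[1:-1]
    if body[0] in "&|!":
        results = [matches(entry, sub) for sub in _split_filters(body[1:])]
        if body[0] == "!":
            return not results[0]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    values = lowered.get(attr.strip().lower(), [])
    return bool(values) if value == "*" else value.lower() in values


def resolve_members(member_urls, directory=DIRECTORY):
    """Return the DNs a server would present as 'member' for these memberURLs."""
    members = []
    for url in member_urls:
        q = parse_member_url(url)
        for dn, attrs in directory.items():
            if (in_scope(dn, q["base"], q["scope"]) and matches(attrs, q["filter"])
                    and dn not in members):
                members.append(dn)
    return members


if __name__ == "__main__":
    for dn in resolve_members(MEMBER_URLS):
        print("member:", dn)
```

Run stand-alone it prints the same three member DNs that appear in the ldapsearch output taken without -M; uid=deep.user is excluded because the second URL uses scope one, which is exactly the kind of expansion the server skips when the client sends the ManageDsaIT control.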