Possible bug in LDAP Group mapper regarding ObjectClass

We are using Keycloak 11.0.3 and I am having a bit of an issue trying to satisfy a requirement which I gave by granted it could be done, but it seems I cannot do it. To me it seems a mistake on the design or perhaps a bug, and also, perhaps it might be easy to fix.

Also, my apologies in advance if I am not writind/addresing this in the righ place, I though it would be better to write something first here before send any email to devs.

The context is LDAP Federation ( AD, but in this case is not relevant if AD or any other LDAP ) . More specifically the ldap-group-mapper. And the problem it seems the impossibility to use more than 1 objectclass in the ldap-group-mapper .

The scenario is the following: Create a ldap group mapper, by default the object class will be only “group” ( if AD, groupOfUIniqueName I guess if any other ldap ). Now, imagine you want to define additional attributes for your groups in keycloak, and , of ocurse, you want these attributes into AD. To use those attruibutes, perhaps you need some additional Abstract Class ( perhaps, OrgnizationalPerson ). Now, you might think , well, I modify the ldap-group-mapper to add , besides objectclass “group” , the class “OrganizationalPerson” ( let’s assume we choose the correct objectclass, there certain combinations that are not allowed, I know that )

Well, this will not work, when you CREATE a new group in Keycloak and want to sync from Keycloak to LDAP. and the reason it will not work, I think, is this


The way I understand org.keycloak.common.util.MultivaluedHashMap<K,V> it means it will get the first of the object classes you define, because maps are not ordered. Actually, I am not sure it will be the first one exactly, let’s say it will be just one.

For instance, I define my ldap-group-mapper with the following objectClassess: top, group, person, organizationalPerson… I set Keycloak in DEBUG and I see

17:41:29,959 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-7) Creating entry [cn=TESTGROUP,***********************] with attributes: [
17:41:29,959 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-7) objectclass = top
17:41:29,959 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-7) cn = TESTGROUP
17:41:29,959 TRACE [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-7) ]

As you can see, ONLY ONE GROUP was sent in the objectClass
In my opinion, this, unnecessarily limits the possibilities of use of Keycloak, why ? Is there a reason ?

NOTE: As this is my first “contribution” here I rather write all this stuff here than start sending emails, if that is not the correct place , my apoligies.

NOTE2: The reason I did not create a pull request or similar is because I am not exactly a skilled developer, and Java is not my “forte”