Role LDAP Mapper : add primary group to role

Hello,

Here is my use case and issue :

We are using Keycloak to authenticate and authorize users via Kerberos and LDAP to an OpenID Connect client (application).

We have managed to do the following :

  • Authenticate users against our Kerberos infrastructure.
  • Authorize users against the LDAP secondary groups.

The question is related to the second part: authorization. We want to retrieve both the primary and secondary groups from the LDAP.
Our LDAP is a “standard” RFC2307 OpenLDAP. That is to say that group memberships are structured as follows:

  • User (dn: uid=johndoe,ou=People,dc=company,dc=com)
    |__ …
    |__ gidNumber: 1234 (primary group)
    |__ uidNumber: 4567
    |__ …

  • Group (dn: cn=group0,ou=Group,dc=company,dc=com)
    |__ gidNumber: 1234

  • Group (dn: cn=group1,ou=Group,dc=company,dc=com)
    |__ gidNumber: 1111
    |__ …
    |__ memberUid: 8888
    |__ memberUid: 4567
    |__ …

  • Group (dn: cn=group2,ou=Group,dc=company,dc=com)
    |__ gidNumber: 2222
    |__ …
    |__ memberUid: 9999
    |__ memberUid: 4567
    |__ …

As you can see, user johndoe(uid: 1234) is member of those groups

  • group0 : its primary groups
  • group1 : a secondary group
  • group2 : another secondary group

The user points to its primary group via its gidNumber but not to the secondary groups.
The user’s primary group does not point back to the user.
The secondary groups do point to the user.

In this context, we have been able to map secondary LDAP groups to roles via a mapper of “type” “LOAD_ROLES_BY_MEMBER_ATTRIBUTE” in our LDAP User Federation. On the contrary, we have not been able to retrieve the gidNumber attribute linked to the user.
Even with a mapper of type “LOAD_ROLES_BY_MEMBER_ATTRIBUTE”, we are not able to retrieve that information. Ideally, we would even need to retrieve the group cn in place of its gidNumber :

In a nutshell, this is what we have now :
user johndoe has roles [group1, group2]

And this is what we would like for johndoe’s roles : [group0, group1, group2]

Thanks in advance for your help
Christophe.
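As an added illustration (not code from this thread or from Keycloak), the lookup that the RFC 2307 layout above requires: the primary group is found by matching the user's gidNumber against the group's gidNumber, the secondary groups by the group's memberUid values. The entries are constructed from the post's example; the second function shows what a mapper that only follows group-to-user back-pointers sees.

```python
# Constructed entries mirroring the thread's example (not a real directory).
# The post lists memberUid as numeric ids; RFC 2307 defines memberUid as the
# login name (uid), so the resolver accepts either form.
USERS = {
    "uid=johndoe,ou=People,dc=company,dc=com": {
        "uid": "johndoe", "uidNumber": "4567", "gidNumber": "1234",
    },
}

GROUPS = {
    "cn=group0,ou=Group,dc=company,dc=com": {
        "cn": "group0", "gidNumber": "1234", "memberUid": []},
    "cn=group1,ou=Group,dc=company,dc=com": {
        "cn": "group1", "gidNumber": "1111", "memberUid": ["8888", "4567"]},
    "cn=group2,ou=Group,dc=company,dc=com": {
        "cn": "group2", "gidNumber": "2222", "memberUid": ["9999", "4567"]},
}


def secondary_groups(user_dn, users=USERS, groups=GROUPS):
    """Groups that point back to the user via memberUid (what a
    member-attribute based mapper can see)."""
    user = users[user_dn]
    keys = {user["uid"], user["uidNumber"]}
    return sorted(
        g["cn"] for g in groups.values()
        if keys & set(g.get("memberUid", []))
    )


def all_groups(user_dn, users=USERS, groups=GROUPS):
    """Primary group (matched by gidNumber, no back-pointer exists)
    plus the secondary groups; the posixGroup cn is returned, not the
    numeric gidNumber."""
    user = users[user_dn]
    primary = [
        g["cn"] for g in groups.values()
        if g["gidNumber"] == user["gidNumber"]
    ]
    return sorted(set(primary) | set(secondary_groups(user_dn, users, groups)))


if __name__ == "__main__":
    dn = "uid=johndoe,ou=People,dc=company,dc=com"
    print("memberUid only :", secondary_groups(dn))
    print("with primary   :", all_groups(dn))
```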

Sorry, I just realized there is a mistake in my post :)

The following sentence :

Even with a mapper of type “LOAD_ROLES_BY_MEMBER_ATTRIBUTE”, we are not able to retrieve that information. Ideally, we would even need to retrieve the group cn in place of its gidNumber :

Should read :
Even with a mapper of type “GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE”, we are not able to retrieve that information. Ideally, we would even need to retrieve the group cn in place of its gidNumber :

Thanks for your help

Hi Christophe,

I’m facing the same problem as you. Our LDAP is also a “standard” RFC2307 OpenLDAP.

Did you manage to solve this problem?

Thanks in advance,
Esther.

Hello Esther,
Unfortunately not; the solution we will probably adopt, for the time being, will be to modify the LDAP so that the primary groups point back to the user.
If you find a solution via the GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE mapper, please update me !

Thanks in advance.
Christophe

Hello Christophe,

Maybe your groups are not imported properly in Keycloak.
There are 2 types of group object classes in LDAP.

  1. groupofuniquenames
  2. groupofnames

First, identify in which class you are creating groups.
If your group class is ‘groupofnames’ then its members will be stored in the member attribute in LDAP and users will show the ‘memberof’ attribute in the user entity.
In this scenario it will import users via the GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE mapper.

In the second case, if your group object class is ‘groupofuniquenames’ then it will store group members in the ‘uniquemember’ attribute. Probably you are using the ‘groupofuniquenames’ object class, and that’s why your users and groups are not being imported properly.

Solution: to resolve this issue, bind the mapper’s properties properly.

Role Object Classes: groupOfNames / groupofuniquenames
Membership LDAP Attribute : member / uniquemember
Member-Of LDAP Attribute : memberOf

Moreover, the memberOf attribute will not appear by default in the user entity in LDAP. We need to enable this plugin.

Hello @pkadian,
Thanks for your feedback; unfortunately, what you are describing, although true, is not applicable to our RFC 2307 LDAP context:

# ldapsearch -xLL -b 'xxxxxxxxxxxx'  -H 'xxxxxxxxxxxx'  | grep Class | grep -i group | uniq
objectClass: posixGroup

Thanks.