Keycloak group-ldap-mapper and Active Directory Users


Tim Klicks

Aug 17, 2020, 8:55:16 AM
to Keycloak User
Hej all,

Hopefully one of you can help me.
I am using keycloak 11.0.0 and have added two Active Directory (AD 1 and AD 2) backends as user federations.
Getting users from them is no problem at all.

However, I now want to add a group-ldap-mapper for mapping an AD group to a Keycloak internal group, so that the users inside the AD group have the corresponding rights inside Keycloak.
Getting the AD groups is working as well, but when it comes to the group members, the trouble starts.

The group is coming from AD 1 (ldap-group-mapper configured on AD 1) and inside the AD has members from both AD backends (AD 1 and AD 2) in it.
When I now check the imported AD group inside Keycloak, I only see the users from AD 1 in it, not the ones from AD 2.
I also tried to add the ldap-group-mapper on AD 2, but this does not help for getting the users in the imported group.

Do you know, if there is a way of accomplishing this?

Best Regards,
Tim.

Tim Klicks

Aug 19, 2020, 10:02:32 AM
to Keycloak User
Just to clear things up, the problem still exists; maybe I have to explain the setup and the problem a bit deeper.
What we have is the following:

- Keycloak 11.0.0 as SSO solution for our newly developed applications

- 3 User Federations attached to it (1x OpenLDAP, 2x Active Directory (AD1 and AD2))

- Groups coming from OpenLDAP containing users from OpenLDAP via ldap-group mapper configured on OpenLDAP User Federation
--> this is working like a charm, so we get all groups and all the users inside these groups.

- Groups coming from Active Directory AD1 containing users from AD1 and AD2 (the Active Directories are trusting each other) via ldap-group mapper configured on AD1 User Federation
--> this is not working 100%, as we are able to get all the groups, but not all the users are shown inside them. Only users from AD1 are loaded/visible inside Keycloak. The users in these groups which are located in AD2 are not loaded and thus not visible.


Creating an according ldap-group mapper on AD2 is not working/solving the problem.


Did anyone face this problem and have a hint for us on how to solve it?
Or is the only solution to create groups inside AD2 and move the users of AD2 into them?



Best Regards,
Tim.

Ionel GARDAIS

Aug 19, 2020, 10:18:22 AM
to Tim Klicks, keycloak-user
Hi Tim,

I've run into a similar trouble after upgrading to 11.0.0.
What are the values of the "Ignore Missing Groups" and "Drop non-existing groups during sync" switches in the group-ldap-mapper for both AD1 and AD2?

From the top of my head, they all need to be switched OFF so you could get all your groups.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager



Tim Klicks

Aug 20, 2020, 2:40:34 AM
to Keycloak User
Hej Ionel,

Thanks for your information/update.
I checked the settings of these switches and they are all "Off".
However, I think that the problem is due to the groups coming from AD1 and containing Users from AD2 (Active Directory Trust).

If I create an ldap group mapper on the AD2 User Federation, I cannot import the groups, as they only exist in the AD1 User Federation and thus I am unable to find them via the AD2 User Federation :-(

It might be that the only solution is to create these groups in AD2 as well...

Best Regards,
Tim.



Tim Klicks

Sep 27, 2020, 4:56:48 AM
to Keycloak User
Hej all,

Just to inform you. There does not seem to be an easy way to fix this.
We decided to create the exact same group (same group name) in AD2 and add the users from AD2 into this group as well.
Keycloak will now import the users from both ADs into this group, as it has created this group by name only and not by the full path.

So we now have the group via the name and all users from AD1 and AD2 in it.

Best Regards,
Tim.

Emma Richardson

May 5, 2021, 4:15:58 PM
to Keycloak User
I had this issue on another platform. The solution was to add another ldap instance to the global catalog on port 3269 - this will allow you to see both ADs and bring in group members from both ADs. The only problem is that the global catalog is read only. On the other platform I was able to add two separate connections, but I am not sure that works in Keycloak because it will not update a user that is in global if it is already connected to just the AD connection... but you could try it.
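An added check (not code from the thread or from Keycloak) that illustrates the root cause discussed above: the group-ldap-mapper looks each DN in the group's `member` attribute up under the federation's own Users DN, so members from the trusted second domain are never found, while a Global Catalog connection searched from the forest root sees both. The domain DNs, user names and the assumption that AD1 and AD2 are child domains of one forest are constructed for the example.

```python
# Added example (not from the thread): which Keycloak LDAP federation can
# resolve each DN in an AD group's `member` attribute. The group-ldap-mapper
# looks members up under the federation's own "Users DN", so DNs from the
# trusted second domain are never found. All DNs are constructed samples.
from typing import Dict, List


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased, whitespace-trimmed RDNs, honouring '\\,'."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(current).strip().lower())
    return rdns


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or lies somewhere beneath it."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def classify_members(members: List[str], federations: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each federation name to the member DNs reachable under its Users DN."""
    return {name: [m for m in members if is_under(m, users_dn)]
            for name, users_dn in federations.items()}


# Constructed sample: a group in AD1 whose members come from AD1 and from the
# trusted domain AD2 (assumed to be child domains of the forest example.com).
GROUP_MEMBERS = [
    "CN=Alice Example,OU=Users,DC=ad1,DC=example,DC=com",
    "CN=Bob Example,OU=Users,DC=ad1,DC=example,DC=com",
    "CN=Carol Example,OU=Users,DC=ad2,DC=example,DC=com",
]
FEDERATIONS = {
    "AD1": "OU=Users,DC=ad1,DC=example,DC=com",
    "AD2": "OU=Users,DC=ad2,DC=example,DC=com",
    "GC": "DC=example,DC=com",  # Global Catalog (port 3269) searched from the forest root
}

if __name__ == "__main__":
    for name, found in classify_members(GROUP_MEMBERS, FEDERATIONS).items():
        print(f"{name}: {len(found)}/{len(GROUP_MEMBERS)} members resolvable")
```

Running it shows AD1 and AD2 each resolving only their own users, while the GC base DN covers all three; the same comparison can be run against real `member` values exported from the group.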