Problems viewing and leaving groups (Keycloak version 12.0.4)

Pål Christian Glenna Iversen

Apr 29, 2021, 6:16:50 AM
to Keycloak User

Hello!


In my organization we have newly adopted Keycloak (version 12.0.4) with the purpose of streamlining authentication. Let me first start by saying that the product works great; however, we have run into one issue in regard to leaving and viewing group memberships for local Keycloak groups.

All our users are imported from Active Directory (AD) using LDAP (READ-ONLY mode), and this integration also contains a group mapper. The group mapper imports groups from AD, and it is configured with the options shown below. Our groups are organized in subgroups: all groups imported from LDAP are located under the AD group, while local groups are in the Keycloak group (see screenshot). The functionality related to AD groups works just fine; however, the group mapper causes issues with local Keycloak groups. We have two main problems: firstly, we are not able to see all the group members of local groups (see screenshot); secondly, it is not possible to remove members from local groups (adding works). In both cases the server tries to make an LDAP query, even though the groups are only created locally in Keycloak. The groups that are imported with LDAP work as expected.

My question is therefore whether we are trying to use Keycloak in a way that is not supported or if this is a bug? Any feedback would be greatly appreciated!

Attached screenshots:
Screenshot 2021-04-29 at 11.15.40.png
Screenshot 2021-04-29 at 11.15.19.png
Screenshot 2021-04-29 at 11.16.50.png
Screenshot 2021-04-29 at 11.17.35.png

To make it easier to debug, I will also include the errors from the logs.

View group members:
```text
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-32) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: LDAP Query failed
```

Leave group:
```text
ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-31) Could not query server using DN [MY_QUERY] and filter [(&(cn=test)(member=USER_INFO)(objectclass=group))]: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031529DD, problem 2001 (NO_OBJECT), data 0, best match of:
```

Best regards
Pål Christian Iversen
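An added triage helper for the situation described in this post (example code, not part of the post or of Keycloak): it parses the `LDAPOperationManager` failure lines from the server log, decodes the LDAP search filter Keycloak sent, and flags queries whose group `cn` is not one of the groups the LDAP mapper actually imported, which is how you confirm that membership operations on local groups are being routed to LDAP. The sample log lines are constructed from the two errors quoted above, and the set of imported group names is a placeholder you would fill from your own mapper.

```python
import re

# Constructed sample log lines, modelled on the two errors quoted in the post (placeholders kept as redacted).
SAMPLE_LOG = """\
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-32) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: LDAP Query failed
ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-31) Could not query server using DN [MY_QUERY] and filter [(&(cn=test)(member=USER_INFO)(objectclass=group))]: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031529DD, problem 2001 (NO_OBJECT), data 0, best match of:
"""

# Matches the LDAPOperationManager failure line; the trailing LDAP result code is optional.
LDAP_FAIL_RE = re.compile(
    r"\[org\.keycloak\.storage\.ldap\.[\w.]+\] \((?P<task>[^)]+)\) "
    r"Could not query server using DN \[(?P<dn>[^\]]*)\] and filter \[(?P<filter>.*?)\]:"
    r"(?:.*?LDAP: error code (?P<code>\d+))?"
)

def parse_filter(s, i=0):
    """Parse an RFC 4515 search filter into nested tuples; returns (node, next_index)."""
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound node: (&...), (|...), (!...)
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    end = s.index(")", i)                  # simple item: attr=value
    attr, _, val = s[i:end].partition("=")
    return (attr.lower(), val), end + 1

def find_attr(node, attr):
    """Value of the first `attr=value` item in a parsed filter tree, or None."""
    op, body = node
    if not isinstance(body, list):
        return body if op == attr else None
    return next((v for v in (find_attr(k, attr) for k in body) if v is not None), None)

def ldap_failures(log_text, ldap_groups):
    """One record per failed LDAP query; `local` is True when the cn is not an LDAP-imported group."""
    out = []
    for line in log_text.splitlines():
        m = LDAP_FAIL_RE.search(line)
        if not m: continue
        tree, _ = parse_filter(m["filter"])
        cn = find_attr(tree, "cn")
        out.append({"task": m["task"], "dn": m["dn"],
                    "code": int(m["code"]) if m["code"] else None,
                    "group_cn": cn, "local": cn not in ldap_groups})
    return out
```

Run it over the real server log with `ldap_groups` set to the names under your AD subgroup; every record with `local` set to True is a membership operation on a Keycloak-only group that was nevertheless sent to the directory.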