
I am trying to map an AD Group I have into Keycloak, which I think I have done at least mostly correctly like so:

[screenshot: current config]

My issue is that, when I do this, then sync, then go look at the members of my group in Keycloak, I see one more 'John Smith' user that is not supposed to be there (one is in my AD group, the other is not).

While the users share similar/identical English names and are both in my org's overall LDAP user federation, certainly I have confirmed that they have different email addresses and different 'Windows 2000' user IDs. Thus I am a bit lost as to why the extra John Smith is showing up in the keycloak group.

Admittedly I probably don't fully understand the nuances of all the fields in this configuration :).

UPDATE 4/8/22, from @Hamza Tahiri's comment:

  • I am trying to sync my LDAP users to my keycloak users (specifically only those in one AD group)
  • I see several 'John Smiths' in my organization's LDAP but only one of them is in my AD Group. My issue is that TWO of these John Smiths are showing up in my keycloak group when I map it in from the AD group, vs. just the one I see in my AD group
  • the full DNs of the users: I'm inferring this is the same as the LDAP_ENTRY_DN that I see in their attributes in keycloak? Let me know if I should look somewhere else, but at least this field is DIFFERENT between the two John Smiths. The pattern of difference is as follows (triple-letters are obfuscated place-holders):
    • CN=John Smith,OU=AAA,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
    • CN=John Smith,OU=CCC,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
  • the LDAP_ID attributes in keycloak are also DIFFERENT between the users
aamailhot
  • Question unclear, where do the two Johns exist initially? keycloak? ldap? what are their full DNs? do you sync from ldap to keycloak or the other way around? – Hamza Tahiri Apr 06 '22 at 15:00
  • sorry, I am still learning keycloak/ldap over here so rather a newbie. I tried to answer your questions in an update to the main post, let me know – aamailhot Apr 08 '22 at 18:40

1 Answer


Either the group filtering is not done correctly, or indeed the two users are members of the same groups; a workaround would be to change the search base (ldaps-groups-dn) to: OU=AAA,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ.

The connector you configured will map distant groups (AD groups) to Keycloak groups for users already imported or linked in Keycloak. If this is really what you wanted in the first place, then we can safely assume that the filtering is not working. What I would try to resolve the issue:

1 - Do an ldap search using the same value in the connector, something like:

# list the AD groups that contain the user, using the same base DN and bind credentials as the connector
ldapsearch -x -H <ldap_host> -D <bind_dn> -W -b <search_base> -s sub "(&(objectClass=group)(member=<user_dn>))" cn member

The objective is to see if all the data you entered indeed will show the target groups.

2 - For some unknown reason I did have some issues with the search mode parameter in Keycloak; feel free to change it and see if the results change.

Hope this helps, feel free to update the question if you have more inputs from the different ldapsearch queries you need to do in order to debug this.

Hamza Tahiri
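The debugging step the answer suggests (run the same search the connector runs, then check which entries come back) comes down to comparing full DNs. The script below is an added example, not code from the question or the answer: it parses constructed LDIF, of the shape `ldapsearch -LLL` would print for the group and for the user entries, and resolves the group's `member` values against the users two ways, once by full DN and once by the leading CN alone. The group name, the `sAMAccountName`/`mail` values and the `OU=Groups` container are assumptions; the user DNs reuse the obfuscated placeholders from the question. The mapper configuration in the original screenshot is not on the page, so the example does not claim this is what Keycloak did; it shows why two people with identical CNs but different DNs can only be told apart by the full DN.

```python
"""Resolve AD group membership for same-named users by full DN versus by CN.

Added example (not from the original post). All LDIF below is constructed.
"""
import re

# Constructed: what `ldapsearch -LLL ... "(&(objectClass=group)(cn=MyGroup))" member`
# might print for the AD group. Only the OU=AAA John Smith is a member.
GROUP_LDIF = """\
dn: CN=MyGroup,OU=Groups,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
member: CN=John Smith,OU=AAA,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
member: CN=Jane Doe,OU=CCC,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
"""

# Constructed: the user entries (two distinct people sharing cn=John Smith).
USERS_LDIF = """\
dn: CN=John Smith,OU=AAA,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
cn: John Smith
sAMAccountName: jsmith1
mail: jsmith1@example.com

dn: CN=John Smith,OU=CCC,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
cn: John Smith
sAMAccountName: jsmith2
mail: jsmith2@example.com

dn: CN=Jane Doe,OU=CCC,OU=BBB,DC=XXX,DC=YYY,DC=ZZZ
cn: Jane Doe
sAMAccountName: jdoe
mail: jdoe@example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry.

    Unfolds continuation lines (leading space), lowercases attribute names,
    skips comments and base64 ('::') values. Enough for ldapsearch output
    of plain DN/string attributes; not a full RFC 2849 parser.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Canonicalize an AD-style DN for equality tests.

    Splits on unescaped commas, trims whitespace, lowercases attribute types and
    values (AD compares both case-insensitively). Handles the DNs in the
    question; escaped commas in values are not specially treated.
    """
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(out)


def leading_cn(dn):
    """Value of the first RDN (e.g. 'john smith'): all that is left of a member
    DN if membership is matched on a name attribute instead of the full DN."""
    return normalize_dn(dn).split(",", 1)[0].partition("=")[2]


def members_by_dn(group, users):
    """Correct resolution: a user is a member only if its full DN is listed in
    the group's member attribute. Returns sorted sAMAccountNames."""
    member_dns = {normalize_dn(m) for m in group.get("member", [])}
    return sorted(u["samaccountname"][0] for u in users
                  if normalize_dn(u["dn"][0]) in member_dns)


def members_by_cn(group, users):
    """Ambiguous resolution: match the member's leading CN against each user's cn.
    Every user sharing that cn matches, i.e. the extra 'John Smith' symptom."""
    member_cns = {leading_cn(m) for m in group.get("member", [])}
    return sorted(u["samaccountname"][0] for u in users
                  if u["cn"][0].strip().lower() in member_cns)


def compare(group_ldif=GROUP_LDIF, users_ldif=USERS_LDIF):
    """Resolve the group both ways; by_dn should be the smaller, correct set."""
    group = parse_ldif(group_ldif)[0]
    users = parse_ldif(users_ldif)
    return {"by_dn": members_by_dn(group, users),
            "by_cn": members_by_cn(group, users)}


if __name__ == "__main__":
    result = compare()
    print("members by full DN :", result["by_dn"])   # ['jdoe', 'jsmith1']
    print("members by CN only :", result["by_cn"])   # ['jdoe', 'jsmith1', 'jsmith2']
```

When checking a real directory, feed the script the `ldapsearch -LLL` output for the group and for `(cn=John Smith)` under the connector's user base DN: if the second John Smith's full DN is absent from `member` yet he still lands in the Keycloak group, the membership is being resolved on something weaker than the DN and the mapper's membership attribute settings are the place to look.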