Tags: ldap, keycloak, openldap, nested-groups

How to read nested groups in OpenLDAP connected to Keycloak


I have a Keycloak with an OpenLDAP User Federation. In the LDAP, I have a user 'someUser' that belongs to multiple groups, namely:

dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: cn=architects,ou=groups,dc=example,dc=com

dn: cn=architects,ou=groups,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: uid=someUser,ou=People,dc=example,dc=com

On my Keycloak, for the LDAP I have created an LDAP Mapper for the roles, like the following

The problem is that when I try to get a token on behalf of the user 'someUser', only the role 'architects' appears in the token. Based on the LDAP group nesting, I expected that both the 'architects' and 'developer' roles would appear in the token.

Based on other answers on similar topics, I tried to add the following to the LDAP filter:

memberOf:1.2.840.113556.1.4.1941

But this seems to only work with Microsoft Active Directory.

My question is: what do I have to do in order to have both roles 'architects' and 'developer' in the token (besides hardcoding them)?


Solution

  • Try replacing member and objectclass in:

    dn: cn=developers,ou=groups,dc=example,dc=com
    changetype: add
    objectclass: groupOfURLs
    memberURL: ldap:///cn=architects,ou=groups,dc=example,dc=com?sub?(objectclass=*)
    

    This kind of group definition is called a dynamic group; you should try ldapsearch against your OpenLDAP to see if the directory sends the correct objects, for example:

      ldapsearch -x -H ldap://localhost:1389 -D "cn=Directory Manager" -w "password" -b "uid=someUser,ou=People,dc=example,dc=com" -s sub "(objectclass=*)" member
    

    For more info: https://www.zytrax.com/books/ldap/ch11/dynamic.html
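Added example (not code from the question or the answer above): the reason only 'architects' reaches the token is that Keycloak's LDAP mappers, like a plain `(member=<dn>)` filter, only see the groups that list the user directly; plain OpenLDAP does not flatten `groupOfNames` nesting, and a `groupOfURLs`/`memberURL` entry is only expanded into `member` values when the dynlist overlay is configured. The script below shows the transitive walk a client has to do itself. The LDIF it parses is constructed to mirror the page's developers -> architects -> someUser chain, with two hypothetical extra groups (`cn=staff`, `cn=everyone`, the latter listing itself) to show a deeper chain and a cycle being handled.

```python
"""Resolve nested groupOfNames membership client-side.

Added example, not code from the page.  The LDIF below is constructed:
cn=architects and cn=developers mirror the question, cn=staff, cn=everyone
and uid=otherUser are hypothetical additions for depth and a cycle.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=someUser,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
uid: someUser

dn: cn=architects,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: uid=someUser,ou=People,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: cn=architects,ou=groups,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: cn=developers,ou=groups,dc=example,dc=com
member: uid=otherUser,ou=People,dc=example,dc=com

dn: cn=everyone,ou=groups,dc=example,dc=com
objectclass: groupOfNames
member: cn=staff,ou=groups,dc=example,dc=com
member: cn=everyone,ou=groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr: [values]}} with lower-cased
    attribute names.  Entries are blank-line separated; repeated attributes
    accumulate; comments and changetype lines are ignored.  No base64 or
    line-folding support (not needed for the sample)."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None and attr != "changetype":
            current[attr].append(value)
    return entries


def direct_groups(entries, member_dn):
    """Groups whose `member` attribute lists member_dn directly: this is all
    that a (member=<dn>) filter, and hence the Keycloak mapper, returns.
    DNs are compared case-insensitively."""
    return {dn for dn, attrs in entries.items()
            if any(m.lower() == member_dn.lower() for m in attrs.get("member", []))}


def nested_groups(entries, user_dn):
    """Transitive closure over groupOfNames membership: breadth-first walk
    from the user through every group that lists the previous hop.  The
    `seen` set both collects the result and terminates cycles (cn=everyone
    lists itself)."""
    seen = set()
    queue = [user_dn]
    while queue:
        dn = queue.pop(0)
        for group_dn in direct_groups(entries, dn):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return seen


def role_names(group_dns):
    """The cn= RDN value of each group DN, sorted: the role names a
    group/role mapper would emit for those groups."""
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in group_dns)


if __name__ == "__main__":
    user = "uid=someUser,ou=People,dc=example,dc=com"
    db = parse_ldif(SAMPLE_LDIF)
    print("direct :", role_names(direct_groups(db, user)))   # only 'architects'
    print("nested :", role_names(nested_groups(db, user)))   # all four groups
```

`direct_groups` reproduces what the questioner observes in the token; `nested_groups` is what the token would need to carry. Against a live directory the same walk is one `(member=<dn>)` search per hop, so for deep trees it is cheaper to have the server flatten membership (the memberOf or dynlist overlay on OpenLDAP, or the matching-rule OID on Active Directory mentioned in the question) than to iterate from the client.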