allow ldap group mapper to flatten nested groups #28066

Open
andrewmeyer opened this issue Mar 19, 2024 · 0 comments
Labels
kind/enhancement Categorizes a PR related to an enhancement status/triage


Description

By default, OpenLDAP does not support nested groups the way people think it does. LDAP instead expects the software requesting the information to unpack any nested groups to create the full group list.

Dynamic groups are also not widely supported and its implementation is obtuse at best.

Ideally, the group mapper would have a toggle to "flatten" group membership in keycloak when sending them to LDAP - essentially converting nested groups into static groups. The end result of this is allowing keycloak to be a source of truth to build static ldap groupOfNames that standard applications can leverage identically to how they are applied inside of keycloak.

This should be a toggle option because it would break ldap-->keycloak group memberships. The intended use case here is to use keycloak as the frontend and feed information into LDAP so that applications that do not have feature-rich OIDC/SAML support can use LDAP for users and groups.

Discussion

No response

Motivation

While LDAP will happily store a group inside of a group, it does not behave the way one would think. LDAP does not automatically unpack nested groups when searched; it instead relies on the querying software to do the unpacking. Furthermore, many applications do not reasonably handle groups provided in the authentication token, if at all. Instead, LDAP would need to be used for centralized group management.

Details

As stated, it may make sense to add this feature to the group mapper for LDAP connections. It will need to be toggleable because if the flattened groups were synchronized back to Keycloak it might disrupt the permissions schema an admin has created.
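As an added example (not Keycloak's or OpenLDAP's code), this is the client-side unpacking the issue describes: nested groupOfNames membership is walked recursively and reduced to the static member list a "flatten" toggle would write to LDAP. The directory entries are a constructed sample, and the walk keeps a visited set so a group that nests one of its own ancestors does not loop.

```python
# Added example: flatten nested LDAP group membership on the client side,
# since the directory itself does not expand nesting when searched.
from typing import Dict, List, Set

# Constructed sample directory: group DN -> values of its 'member' attribute.
# Only groups have an entry here; any other DN is treated as a user (leaf).
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "cn=all-staff,ou=groups,dc=example,dc=org": [
        "cn=engineering,ou=groups,dc=example,dc=org",
        "uid=carol,ou=people,dc=example,dc=org",
    ],
    "cn=engineering,ou=groups,dc=example,dc=org": [
        "cn=platform,ou=groups,dc=example,dc=org",
        "uid=alice,ou=people,dc=example,dc=org",
    ],
    "cn=platform,ou=groups,dc=example,dc=org": [
        "uid=bob,ou=people,dc=example,dc=org",
        # cycle back to the parent group; a naive recursion would never end
        "cn=engineering,ou=groups,dc=example,dc=org",
    ],
}


def flatten_group(group_dn: str, groups: Dict[str, List[str]]) -> List[str]:
    """Return the transitive non-group members of group_dn, sorted.

    Nested groups are expanded recursively. Each group is visited at most
    once, so membership cycles terminate instead of recursing forever.
    """
    seen_groups: Set[str] = set()
    members: Set[str] = set()

    def walk(dn: str) -> None:
        if dn in seen_groups:
            return
        seen_groups.add(dn)
        for m in groups.get(dn, []):
            if m in groups:   # nested group: descend into it
                walk(m)
            else:             # leaf entry (user): record it
                members.add(m)

    walk(group_dn)
    return sorted(members)


def flatten_all(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Static member list per group, i.e. what a flattening sync would write."""
    return {dn: flatten_group(dn, groups) for dn in groups}
```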
