Description
By default, openldap does not support nested groups the way people think it does. LDAP instead expects the software requesting the information to unpack any nested groups to create the full group list.
Dynamic groups are also not widely supported, and their implementation is obtuse at best.
Ideally, the group mapper would have a toggle to "flatten" group membership in keycloak when sending them to LDAP - essentially converting nested groups into static groups. The end result of this is allowing keycloak to be a source of truth to build static ldap groupOfNames that standard applications can leverage identically to how they are applied inside of keycloak.
This should be a toggle option because it would break ldap-->keycloak group memberships. The intended use case here is to use keycloak as the frontend and feed information into LDAP so that applications that do not have feature-rich OIDC/SAML support can use LDAP for users and groups.
Discussion
No response
Motivation
While LDAP will happily store a group inside of a group, it does not behave the way one would think. LDAP does not automatically unpack nested groups when searched; it instead relies on the querying software to do the unpacking. Furthermore, many applications do not reasonably handle groups provided in the authentication token, if at all. Instead, LDAP would need to be used for centralized group management.
Details
As stated, it may make sense to add this feature to the group mapper for LDAP connections. It will need to be toggleable because if the flattened groups were synchronized back to keycloak it might disrupt the permissions schema an admin has created.
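The unpacking step described above (the one LDAP leaves to the client, and the one a "flatten" toggle would perform before writing groupOfNames entries) looks like this in practice. This is an added illustration, not Keycloak's code or part of this issue: it walks a constructed in-memory copy of groupOfNames entries (the `SAMPLE_GROUPS` dict, DNs and names all made up) instead of a live directory, expands nested groups transitively while tolerating membership cycles, and renders the resulting static groups as LDIF. The helper names are this example's own.

```python
"""Flatten nested LDAP groups into static groupOfNames member lists.

Added example, not Keycloak's code. Entries are constructed dicts keyed by DN
standing in for what an LDAP search over ou=groups would return.
"""
from collections import deque

BASE = "dc=example,dc=org"  # constructed base DN

# Constructed sample directory: each groupOfNames DN maps to its 'member'
# values. Members may be users or other groups (nesting); 'backend' also
# lists 'engineering' so that the walk has a cycle to survive.
SAMPLE_GROUPS = {
    f"cn=all-staff,ou=groups,{BASE}": [
        f"cn=engineering,ou=groups,{BASE}",
        f"cn=sales,ou=groups,{BASE}",
        f"uid=ceo,ou=people,{BASE}",
    ],
    f"cn=engineering,ou=groups,{BASE}": [
        f"cn=backend,ou=groups,{BASE}",
        f"uid=eng-lead,ou=people,{BASE}",
    ],
    f"cn=backend,ou=groups,{BASE}": [
        f"uid=alice,ou=people,{BASE}",
        f"uid=bob,ou=people,{BASE}",
        f"cn=engineering,ou=groups,{BASE}",  # back-edge: cycle
    ],
    f"cn=sales,ou=groups,{BASE}": [
        f"uid=carol,ou=people,{BASE}",
    ],
}


def flatten_group(groups, group_dn):
    """Return the set of user DNs transitively contained in group_dn.

    A member whose DN is itself a key in `groups` is a nested group and is
    expanded; anything else is treated as a leaf (user) DN. A visited set
    keeps the walk finite when groups reference each other in a cycle.
    """
    users = set()
    seen_groups = set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen_groups:
            continue
        seen_groups.add(dn)
        for member in groups.get(dn, []):
            if member in groups:
                queue.append(member)  # nested group: expand later
            else:
                users.add(member)
    return users


def flatten_all(groups):
    """Flatten every group; this is what a 'flatten' toggle would push to LDAP."""
    return {dn: sorted(flatten_group(groups, dn)) for dn in groups}


def groups_for_user(groups, user_dn):
    """The full group list an application expects for one user, nesting resolved."""
    return sorted(dn for dn, members in flatten_all(groups).items() if user_dn in members)


def to_ldif(group_dn, members):
    """Render one static groupOfNames entry as LDIF text."""
    if not members:
        # groupOfNames (RFC 4519) requires at least one 'member' value, so an
        # empty flattened group cannot be written as one; the caller must decide.
        raise ValueError(f"{group_dn}: groupOfNames requires at least one member")
    cn = group_dn.split(",", 1)[0].split("=", 1)[1]  # value of the leading RDN
    lines = [f"dn: {group_dn}", "objectClass: groupOfNames", f"cn: {cn}"]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn, members in flatten_all(SAMPLE_GROUPS).items():
        print(to_ldif(dn, members))
```

Note that the walk decides "group or user" by whether the member DN is a known group; against a real directory you would instead check the member's objectClass (or restrict the search base), since a user entry and a group entry are distinguished by schema, not by DN shape. The `ValueError` branch is the case the toggle has to define behaviour for: a Keycloak group with no users cannot become a groupOfNames at all.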