Mapping LDAP groups to existing keycloak groups - keycloak

By following the Keycloak documentation (https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers), I created a group mapper like this:
But I don't see an option to give the name of the Keycloak group so that the imported LDAP group can be mapped to this group.
Instead, when I "Sync LDAP Groups to Keycloak Groups", a new group with the name of the LDAP group is created.
Any idea how to map existing LDAP groups to a single Keycloak group?

The default LDAP provider doesn't provide this option; the only way is a custom federation provider. Override this logic in it if you need to. The ImportSynchronization interface is responsible for it.

Related

User descriptions missing when OpenLDAP used with WebLogic

I am using a WebLogic 12.2.1.3 server on Linux. I added an OpenLDAP provider in the security realm. Now I see the list of users and group memberships in WebLogic as defined in LDAP and can log in with one of those users' cn and password.
So far, so good.
However, in the Users and Groups list, the description column is blank for the LDAP entries. Which attribute should be added to the LDAP object to fill this?
The field is just named "description" for me.

BPM Process for User Group (keycloak)

I've just integrated Keycloak with jBPM. Now I can log in to the jBPM console with a Keycloak user's credentials and get the related roles.
I created some User Groups in the Keycloak console and mapped some users to those User Groups in the Keycloak console. But I don't have any User Groups in jBPM that I mapped to my user in the Keycloak console.
I have created a (BPM) process with a human task assigned to a User Group (I entered the name of the User Group created in Keycloak). This task was unavailable for the user that had this User Group in the Keycloak mapping.
How do I map users to a group using Keycloak so that it is reflected in jBPM?
Actually, a role in Keycloak is a group in jBPM.
Create roles in Keycloak (the desired user groups in jBPM) and assign those roles to users.
Now processes for the specified User Groups (in jBPM) will be visible to users with the corresponding roles in the Keycloak server.
Note: You may need to create a default role user in the Keycloak server that will be mapped to the default jBPM user role.

Disable impersonation of a group, or for a realm within Keycloak?

Keycloak question for everyone.
Is it possible to disable impersonation of a group (for example, an admin group), or for a realm (the admin management console)?
Thanks
You can assign the impersonation role to a user from the Client Roles of the realm.
Each realm has a built-in client called realm-management. This client defines client-level roles that specify permissions that can be granted to manage the realm.
You can find more on the available roles in the Keycloak docs.
Once you remove the impersonation client-level role for your realm, it is not available to any user of the realm.

Keycloak - Users in Role missing after sync with LDAP

I configured LDAP as User Federation (with role-ldap-mapper) and successfully imported users with their roles into Keycloak.
When I go to Users->{user}->Role Mappings I see every role that is assigned to a user (imported from LDAP), but when I go to Roles->{role}->Users In Role I see nothing.
Is it a bug or a feature? Or maybe I configured something wrong?
[Screenshots: user roles; empty Users in Role; LDAP role mapper configuration]
I faced the same issue. I changed the Mode (inside the LDAP role mapper) to Import instead of READ_ONLY and I was able to see users under a role.
Please create a mapper of type msad-lds-user-account-control-mapper.
It works for me.

Export role information from a keycloak instance

Is it possible to export the roles added to a Keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. in an integration/development environment).
The only thing I can think of is using the Admin API to retrieve the details of the roles and use it for some sort of insert script to be run in a different environment.
Is this possible?
Keycloak 3.2.0.Final and later has an "Export" menu item in its admin console. There you can export groups and roles (global and client roles) to a JSON file.
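The Admin API approach the asker sketches, as an added example that is not part of the thread or of Keycloak's own tooling: it reads a realm's roles and their composite children from one server, strips the instance-specific ids, and re-creates them on another. Hostnames, realm name and admin credentials are the caller's (placeholders in the usage below); the base URL must include the `/auth` prefix if your Keycloak version still uses it; only realm-role children of composites are mirrored.

```python
import json
import urllib.request
from urllib.error import HTTPError
from urllib.parse import quote, urlencode

# Admin REST endpoints used: /admin/realms/{realm}/roles and .../roles/{name}/composites
def admin_token(base_url, username, password):
    """Password grant against the master realm's built-in admin-cli client."""
    form = urlencode({"grant_type": "password", "client_id": "admin-cli",
                      "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]

def call(method, url, token, body=None):
    """One Admin REST request; returns parsed JSON, or None for an empty 2xx body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read() or b"null")

def to_portable(roles, composites_by_name):
    """Drop instance-specific ids so roles can be re-created elsewhere (client-role children skipped)."""
    portable = []
    for r in roles:
        children = composites_by_name.get(r["name"], [])
        portable.append({"name": r["name"], "description": r.get("description") or "",
                         "composites": sorted(c["name"] for c in children if not c.get("clientRole"))})
    return portable

def export_roles(base_url, realm, token):
    base = f"{base_url}/admin/realms/{realm}/roles"
    roles = call("GET", base, token)
    comps = {r["name"]: call("GET", f"{base}/{quote(r['name'], safe='')}/composites", token)
             for r in roles if r.get("composite")}
    return to_portable(roles, comps)

def import_roles(base_url, realm, token, portable):
    base = f"{base_url}/admin/realms/{realm}/roles"
    for role in portable:  # pass 1: create plain roles; HTTP 409 means it already exists, keep going
        try:
            call("POST", base, token, {"name": role["name"], "description": role["description"]})
        except HTTPError as e:
            if e.code != 409:
                raise
    for role in portable:  # pass 2: link composites using the target server's own role ids
        if role["composites"]:
            children = [call("GET", f"{base}/{quote(n, safe='')}", token) for n in role["composites"]]
            call("POST", f"{base}/{quote(role['name'], safe='')}/composites", token, children)
```

Usage with placeholder values: `import_roles("https://int.example.invalid", "myrealm", admin_token("https://int.example.invalid", "admin", "CHANGE-ME"), export_roles("https://dev.example.invalid", "myrealm", admin_token("https://dev.example.invalid", "admin", "CHANGE-ME")))`. Built-in roles such as default-roles-myrealm already exist on the target and are skipped by the 409 handling.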