Keycloak - Users in Role missing after sync with LDAP - keycloak

I configured LDAP as User Federation (with role-ldap-mapper) and successfully imported users with their roles to Keycloak.
When I go to Users->{user}->Role Mappings I see every role that is assigned to a user (imported from LDAP), but when I go to Roles->{role}->Users In Role I see nothing.
Is it a bug or a feature? Or maybe I configured something wrong?
[screenshot: Users roles]
[screenshot: Empty Users in Roles]
[screenshot: LDAP Role mapper configuration]

I faced the same issue. I changed the Mode (inside LDAP role mapper) to Import instead of READ_ONLY and I was able to see users under a role.
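The Mode difference behind this answer, as an added example that is not part of the original thread or of Keycloak's own code: the function below scans LDAP mapper components in the shape the Keycloak Admin REST API returns from GET /admin/realms/{realm}/components, reports any role-ldap-mapper still in READ_ONLY mode, and builds the IMPORT version of its representation. The sample component list, its ids and the provider id are constructed placeholders.

```python
"""Added example, not from the question or Keycloak's own code: flag
role-ldap-mapper components in READ_ONLY mode and build the IMPORT variant."""
import copy

# Constructed sample in the shape the Admin REST API returns from
# GET /admin/realms/{realm}/components (config values are lists of strings).
SAMPLE_COMPONENTS = [
    {
        "id": "component-id-placeholder-1",
        "name": "role-ldap-mapper",
        "providerId": "role-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": "ldap-provider-id-placeholder",
        "config": {
            "mode": ["READ_ONLY"],
            "roles.dn": ["ou=roles,dc=example,dc=org"],
            "use.realm.roles.mapping": ["true"],
        },
    },
    {   # a non-role mapper, present to show the filter ignores it
        "id": "component-id-placeholder-2", "name": "username",
        "providerId": "user-attribute-ldap-mapper",
        "config": {"ldap.attribute": ["uid"], "user.model.attribute": ["username"]},
    },
]

def readonly_role_mappers(components):
    """Names of role-ldap-mapper components whose Mode is READ_ONLY.

    In READ_ONLY mode LDAP role membership is resolved when the user is
    loaded and is not written to the Keycloak database, so the Users in Role
    tab (a database query) stays empty while each user's own Role Mappings
    tab still lists the LDAP roles.
    """
    return [
        c["name"]
        for c in components
        if c.get("providerId") == "role-ldap-mapper"
        and c.get("config", {}).get("mode", [""])[0] == "READ_ONLY"
    ]

def with_import_mode(component):
    """Copy of a role-ldap-mapper with Mode switched to IMPORT, i.e. the body
    to PUT back to /admin/realms/{realm}/components/{id}; input is untouched."""
    fixed = copy.deepcopy(component)
    fixed["config"]["mode"] = ["IMPORT"]
    return fixed
```

After switching to IMPORT, a "Synchronize all users" run (or the next user login) is what actually populates the local role membership.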

Please create a mapper of type msad-lds-user-account-control-mapper.
It works for me.

Related

Keycloak - restrict the access to the admin console

Is there any way to restrict the access to the keycloak admin console at the level of groups or user roles? The way of restriction by ip (and undertow filter to block external access), unfortunately, does not quite suit me. I will be very grateful for any advice!
I tried to create roles for security-admin-console and realm-management clients, but it didn't work, all the users still have access to admin console.
It turned out that the problem was because of the realms' default groups. I checked them and there was an admin role by default in all the realms' default groups. For this reason, all users imported from a third-party IdP had the admin role by default and had access to the admin console.

Keycloak - all created users have admin Effective Role

I'm trying to create a user in Keycloak admin console, but it has effective roles that should not be there. In addition to default realm roles, each user, when created, has odd Effective Roles. And I can't understand, where they come from. Even when I delete all assigned roles, effective roles just stay there.
This does not happen usually, seems like a problem with your Keycloak setup and installation.
Have you checked the default roles at realm level? Roles shown in screenshot belong to realm-management client.
If you are using the master realm, I'd suggest you create a new realm other than master and use it.

GET Project Roles returns all roles from the account

When using https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-industry_roles-GET/
I seem to get all roles from the account, not just project specific roles.
I tested by using a project ID of a project that has no roles, but I still get all the roles created in account admin. I'm using 2leg auth.
Any ideas on how to get only project specific roles? Thanks.

How to link / export existing Keycloak user to LDAP

I'm using Keycloak and just setup some OpenLDAP. Importing from LDAP to Keycloak works fine. Even new registrations and updates to users are synced nicely. But I can't find any way to:
a) Export existing Keycloak users to LDAP
b) Linking existing Keycloak users to existing LDAP users
When users already exist in Keycloak, during import I get the following error:
23:56:39,507 WARN [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-22) User 'foo' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'ldap'
Any ideas? Did I miss something obvious?
To send users to LDAP, please try the options "Edit mode: Writable" and "Sync Registrations: ON" on the LDAP configuration page in Keycloak (User Federation->Ldap).

Export role information from a keycloak instance

Is it possible to export the roles added to a keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. in an integration/development environment).
The only thing I can think of is using the Admin API to retrieve the details of the roles and use for some sort of insert script to be run in a different environment.
Is this possible?
Keycloak 3.2.0.Final and later has an "Export" menu item in its admin console. There you can export groups and roles (realm and client roles) to a JSON file.