Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
ldap
Describe the bug
When an LDAP group is renamed (CN change) or moved to a different OU in OpenLDAP, Keycloak configured with a group-ldap-mapper incorrectly treats the group as deleted and creates a new group.
As a result, all previously assigned members and realm/client roles on the original group are lost.
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
Keycloak should detect that the group’s entryUUID has not changed, update the group’s DN and name in place, and preserve all prior member assignments and role mappings, maintaining group inheritance.
Actual behavior
The original group is removed from Keycloak (memberships and roles disappear).
A new group is created without any members or roles.
How to Reproduce?
Configure Keycloak with an OpenLDAP provider and group-ldap-mapper using settings above.
Run Full Sync of LDAP groups.
Verify that groups from LDAP appear in Keycloak.
Open any imported group in Keycloak and assign members, create subgroups, or assign roles.
In OpenLDAP, rename the group’s CN (e.g., change cn=MyGroup to cn=MyRenamedGroup).
In Keycloak, run Full Sync of LDAP groups again.
In Keycloak, observe that the original group has disappeared and a new, empty group with a different internal ID has been created.
Anything else?
No response