Support synchronization of LDAP groups with the same cn but different parent OUs #40675

Open
@ykitkevich-exadel

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

When an LDAP group is renamed (CN change) or moved to a different OU in OpenLDAP, Keycloak configured with a group-ldap-mapper incorrectly treats the group as deleted and creates a new group.
As a result, all previously assigned members and realm/client roles on the original group are lost.

Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

Keycloak should detect that the group’s entryUUID has not changed, update the group’s DN and name in place, and preserve all prior member assignments and role mappings, maintaining group inheritance.

Actual behavior

The original group is removed from Keycloak (memberships and roles disappear).
A new group is created without any members or roles.

How to Reproduce?

1. Configure Keycloak with an OpenLDAP provider and group-ldap-mapper using settings above.
2. Run Full Sync of LDAP groups.
3. Verify that groups from LDAP appear in Keycloak.
4. Open any imported group in Keycloak and assign members, create subgroups, or assign roles.
5. In OpenLDAP, rename the group’s CN (e.g., change cn=MyGroup to cn=MyRenamedGroup).
6. In Keycloak, run Full Sync of LDAP groups again.
7. In Keycloak, observe that the original group has disappeared and a new, empty group with a different internal ID has been created.

Anything else?

No response
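As an added illustration (not Keycloak's code and not part of the report), a small Python model of a full group sync. It contrasts identifying a group by its DN or CN, which is what the report describes going wrong, with identifying it by the immutable entryUUID; all LDAP entries, names and UUIDs below are constructed.

```python
"""Model of a full LDAP group sync into a local group store.

Constructed example: the choice of `key` decides whether a renamed or
moved group is recognised as the same group (entryUUID) or treated as
deleted and re-created (dn), and whether two groups sharing a cn under
different OUs collide (cn).
"""

# Constructed search results before and after cn=MyGroup is renamed.
LDAP_BEFORE = [{"dn": "cn=MyGroup,ou=groups,dc=example,dc=org",
                "cn": "MyGroup", "entryUUID": "8d2c1f2a-0000-4000-8000-000000000001"}]
LDAP_AFTER = [{"dn": "cn=MyRenamedGroup,ou=groups,dc=example,dc=org",
               "cn": "MyRenamedGroup", "entryUUID": "8d2c1f2a-0000-4000-8000-000000000001"}]

# Constructed: two distinct groups with the same cn under different parent OUs.
LDAP_SAME_CN = [
    {"dn": "cn=Developers,ou=eu,dc=example,dc=org", "cn": "Developers",
     "entryUUID": "8d2c1f2a-0000-4000-8000-000000000002"},
    {"dn": "cn=Developers,ou=us,dc=example,dc=org", "cn": "Developers",
     "entryUUID": "8d2c1f2a-0000-4000-8000-000000000003"},
]

def sync(store, entries, key):
    """Full sync: `store` maps key -> group record. Groups present in LDAP are
    updated in place; groups no longer returned by LDAP are deleted."""
    seen = set()
    for e in entries:
        k = e[key]
        seen.add(k)
        g = store.setdefault(k, {"members": set(), "roles": set()})
        g["name"], g["dn"] = e["cn"], e["dn"]   # rename/move updates the same record
    for k in list(store):
        if k not in seen:
            del store[k]                          # only genuinely removed groups go
    return store

def rename_scenario(key):
    """Sync, assign a member and a role, rename in LDAP, sync again."""
    store = sync({}, LDAP_BEFORE, key)
    gid = next(iter(store))
    store[gid]["members"].add("alice")
    store[gid]["roles"].add("realm-admin")
    store = sync(store, LDAP_AFTER, key)
    g = next(iter(store.values()))
    return g["name"], sorted(g["members"]), sorted(g["roles"])

def group_count(key):
    """How many local groups two same-cn LDAP groups produce under `key`."""
    return len(sync({}, LDAP_SAME_CN, key))
```

Keying on dn reproduces the reported loss of members and roles after a rename; keying on entryUUID keeps the record, and also keeps same-cn groups in different OUs apart, which keying on cn alone does not.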

Metadata

Assignees

No one assigned

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
