
memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles #41842

@pedroigor

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

We have encountered a security issue with syncing LDAP groupOfNames entities to Keycloak roles with role-ldap-mapper. We have created the simplest scenario that you could use to reproduce it.

The issue occurs when we try to sync users that have a memberOf attribute with some value outside the role DN. Using simply `cn=test` would lead to assigning all roles that are synced from LDAP.

Version

26.3.2

Regression

  • The issue is a regression

Expected behavior

We have encountered a security issue with syncing LDAP groupOfNames entities to Keycloak roles with role-ldap-mapper. We have created the simplest scenario that you could use to reproduce it.

The issue occurs when we try to sync users that have a memberOf attribute with some value outside the role DN. Using simply `cn=test` would lead to assigning all roles that are synced from LDAP.

Actual behavior

Do not fetch roles (and groups) if the memberOf value is empty or the values are using a base DN other than the base DN configured in the role/group mapper.

How to Reproduce?

The issue occurs when we try to sync users that have a memberOf attribute with some value outside the role DN. Using simply `cn=test` would lead to assigning all roles that are synced from LDAP.

Anything else?

No response
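The check the report asks for, as an added example that is not Keycloak's code and not part of the original issue: each memberOf value is kept only if it parses as a DN strictly below the configured role base DN, the role search filter is built solely from the surviving values, and an empty result means no query at all instead of an unconstrained search under the base DN. The base DN `ou=roles,dc=example,dc=org`, the `cn` naming attribute and the small in-memory role directory are assumptions constructed for this example.

```python
"""Added example, not Keycloak code: restrict memberOf values to the role
mapper's base DN before they become an LDAP role lookup, and query nothing
when no usable value remains. DNs, attribute names and the sample role
directory below are constructed for this example."""
import re
from typing import Optional

RDN = tuple[str, str]  # (attribute type, raw value as written in the DN)


def parse_dn(dn: str) -> list[RDN]:
    """Split a DN into RDNs, leaf first. Raises on empty or malformed input.
    Backslash escapes are kept so the value can be re-escaped for a filter."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns: list[RDN] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _normalized(rdns: list[RDN]) -> list[RDN]:
    # cn/ou/dc use caseIgnoreMatch, so compare values case-insensitively
    return [(attr, value.lower()) for attr, value in rdns]


def is_under(rdns: list[RDN], base: list[RDN]) -> bool:
    """True when the entry sits strictly below base (same suffix, more RDNs)."""
    return len(rdns) > len(base) and _normalized(rdns[-len(base):]) == _normalized(base)


def _dn_unescape(value: str) -> str:
    """Undo RFC 4514 escapes: '\\,' -> ',' and '\\2c' -> ','."""
    def repl(m: "re.Match[str]") -> str:
        esc = m.group(1)
        return chr(int(esc, 16)) if len(esc) == 2 else esc
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a role name cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def select_role_names(member_of: list[str], roles_base_dn: str, rdn_attr: str = "cn") -> list[str]:
    """Role names the user's memberOf values point at, limited to entries below
    roles_base_dn. Empty, malformed and out-of-tree values are silently dropped."""
    base = parse_dn(roles_base_dn)
    names: list[str] = []
    for value in member_of:
        try:
            rdns = parse_dn(value)
        except ValueError:
            continue                      # empty or malformed value: not a role
        if not is_under(rdns, base):
            continue                      # e.g. 'cn=test' or a DN from another subtree
        attr, raw = rdns[0]
        if attr != rdn_attr:
            continue
        name = _dn_unescape(raw)
        if name.lower() not in (n.lower() for n in names):
            names.append(name)
    return names


def build_role_filter(member_of: list[str], roles_base_dn: str, rdn_attr: str = "cn") -> Optional[str]:
    """Filter for the roles to load, or None when there is nothing to load.
    None must short-circuit the lookup: a search under the base DN with no
    constraint would return every synced role."""
    names = select_role_names(member_of, roles_base_dn, rdn_attr)
    if not names:
        return None
    terms = "".join(f"({rdn_attr}={escape_filter_value(n)})" for n in names)
    return terms if len(names) == 1 else f"(|{terms})"


ROLES_BASE_DN = "ou=roles,dc=example,dc=org"      # assumed mapper setting
ROLE_ENTRIES = {                                   # constructed directory: DN -> cn
    "cn=admin,ou=roles,dc=example,dc=org": "admin",
    "cn=auditor,ou=roles,dc=example,dc=org": "auditor",
    "cn=developer,ou=roles,dc=example,dc=org": "developer",
}


def roles_for(member_of: list[str], roles_base_dn: str = ROLES_BASE_DN) -> list[str]:
    """Role DNs a user would be granted, evaluated against the sample directory."""
    if build_role_filter(member_of, roles_base_dn) is None:
        return []                                   # nothing to query, nothing granted
    wanted = {n.lower() for n in select_role_names(member_of, roles_base_dn)}
    return sorted(dn for dn, cn in ROLE_ENTRIES.items() if cn.lower() in wanted)


if __name__ == "__main__":
    for sample in (["cn=admin,ou=roles,dc=example,dc=org"], ["cn=test"], [""],
                   ["cn=admin,ou=groups,dc=example,dc=org"],
                   ["cn=auditor,ou=roles,dc=example,dc=org", "cn=test",
                    "cn=developer,ou=roles,dc=example,dc=org"]):
        print(sample, "->", build_role_filter(sample, ROLES_BASE_DN), roles_for(sample))
```

Run it directly to see each case: a bare `cn=test`, an empty value, or a DN from another subtree yields `None` and therefore no roles, while mixed input keeps only the values under the configured base. In a real mapper the returned filter would be sent with the role base DN as the search base; the `None` branch is the part that prevents the behaviour described in the report.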
