Ability to lock LDAP-backed group attribute keys for synchronization in LDAP_ONLY mode #45296

@stianst

Description

There's an odd behavior in Keycloak when using an LDAP group mapper to synchronize attributes.
When using the LDAP_ONLY mode, the group attributes are correctly imported into the Keycloak DB. However, if we add a custom group attribute (or modify an existing group attribute) directly in Keycloak, and that attribute does not conform to the LDAP schema, then the change is persisted in the Keycloak database after the synchronization.
This creates a discrepancy and results in a mismatch between the Keycloak DB and LDAP, since the LDAP server does not accept the created or modified attribute.

For now, group attributes are only written to LDAP if they are explicitly mapped in the group mapper (i.e., included in the Mapped Group Attributes list).
An administrator can update a group attribute that was imported from LDAP when managing a group. The value will be updated in the local database. However, if that attribute cannot be modified in LDAP, for instance, the sync will fail and the attribute value won't change in LDAP, leading to inconsistencies between the Keycloak database and LDAP.

If changing the name/key of an attribute leads to undefined behavior, then the user should be prevented from doing so.
So we need to provide an option for preventing the creation of non-LDAP-backed attributes, or at least to lock the LDAP-backed attribute keys directly, for stricter control.

Value Proposition

  • Prevent groups in the local database from having attributes other than those defined in LDAP
  • Data consistency by avoiding or minimizing the discrepancy between Keycloak (DB) and LDAP

Goals

  • Add a switch to the LDAP Group Mapper to enable/disable managing group attributes through Keycloak. This setting will apply only to the attributes defined in the Mapped Group Attributes setting.
  • This setting will allow backward compatibility for those users relying on the existing behavior.
  • Add validations when managing group attributes based on the aforementioned setting, so that "mapped" group attributes can only be managed if the switch is enabled.
  • If the switch is enabled, we should also make sure that a "mapped" group attribute can be successfully updated in LDAP to prevent updating the value in the local database but failing to do so during a sync.
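As an added illustration (not Keycloak's code, and not part of this issue), the following Python model shows how the validation described in the goals could behave: mapped attribute keys are locked unless the proposed switch is enabled, and even then a change is only accepted if LDAP can actually take the write. The setting name `manage_mapped_attributes` and the `ldap_writable_attributes` set are assumptions standing in for the real mapper configuration and an LDAP schema check.

```python
from dataclasses import dataclass, field


@dataclass
class LdapGroupMapperConfig:
    """Hypothetical model of the LDAP group mapper settings discussed in the issue."""
    mapped_group_attributes: set            # the "Mapped Group Attributes" list
    manage_mapped_attributes: bool = False  # the proposed switch (name is an assumption)
    # keys the LDAP server accepts writes to; constructed stand-in for a schema check
    ldap_writable_attributes: set = field(default_factory=set)


@dataclass
class ValidationResult:
    accepted: dict  # attribute map that may be persisted to the local DB
    rejected: dict  # key -> reason the change was refused


def validate_group_attribute_update(current, proposed, config):
    """Apply the proposed rules to an admin's edit of a group's attributes.

    * a key in Mapped Group Attributes is locked unless the switch is enabled;
    * with the switch enabled, a mapped key may only change if LDAP can take the
      write, so the local DB never holds a value the next sync cannot push;
    * keys that are not mapped are never written to LDAP, so they stay local-only
      (existing behaviour, left unchanged here).
    """
    accepted = dict(current)
    rejected = {}
    for key in sorted(set(current) | set(proposed)):
        old, new = current.get(key), proposed.get(key)
        if old == new:
            continue  # nothing changed for this key
        if key in config.mapped_group_attributes:
            if not config.manage_mapped_attributes:
                rejected[key] = "LDAP-backed attribute is locked; enable the mapper switch to edit it"
                continue
            if key not in config.ldap_writable_attributes:
                rejected[key] = "LDAP would refuse this write; change not persisted locally"
                continue
        if new is None:
            accepted.pop(key, None)  # attribute removed by the admin
        else:
            accepted[key] = new
    return ValidationResult(accepted, rejected)


if __name__ == "__main__":
    cfg = LdapGroupMapperConfig(mapped_group_attributes={"description", "mail"})
    print(validate_group_attribute_update({"description": ["ops"]},
                                          {"description": ["ops team"], "custom": ["x"]}, cfg))
```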
