Per default the Keycloak app only synchronizes groups that are located beneath cn=groups,$(ucr get ldap/base). To also sync groups from other OUs you can edit the group mapper called univention-groups in the Keycloak Admin Console.

Steps

1. Navigate to User federation → ldap-provider → Mappers → univention-groups
2. Put the base DN in the field LDAP Groups DN
3. Adjust the filtering in the field LDAP Filter

Optional

If you want to make sure that groups that are deleted from the LDAP are also dropped from Keycloak, make sure to set the option Drop non-existing groups during sync to On.

Video Explanation

You can right-click the video and open it in a new browser tab to get a bigger view.

This topic was automatically closed after 24 hours. New replies are no longer allowed.