How-To: Sync Groups Beneath OUs To Keycloak

By default, the Keycloak app only synchronizes groups located beneath cn=groups,$(ucr get ldap/base). Groups that live in other OUs (for example beneath cn=groups,ou=<your ou>,$(ucr get ldap/base)) are not picked up. To sync those as well, edit the group mapper called univention-groups in the Keycloak Admin Console.

Steps

  1. Navigate to User federation → ldap-provider → Mappers → univention-groups.
  2. Put the DN from which groups should be searched into the field LDAP Groups DN. The search covers the whole subtree beneath this DN, so using the LDAP base includes groups in every OU.
    Example: dc=tierheim,dc=intranet
  3. Adjust the filtering in the field LDAP Filter. Keycloak evaluates this filter against each group entry found beneath the LDAP Groups DN (together with the configured group object class), so it has to match attributes of the groups themselves, and it must be enclosed in parentheses or Keycloak rejects it. Check with univention-ldapsearch that the filter returns exactly the groups you expect before saving.
    Example: (|(cn=groups)(cn=ou-group1)(cn=ou-group2))
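
To see which groups a given combination of LDAP Groups DN and LDAP Filter selects before saving it in the Admin Console, the following dry-run can help. It is an added example and not code from the original post, the Keycloak app or Univention: it implements subtree scoping beneath a base DN and a small subset of RFC 4515 filters (equality, presence, &, |, !) and applies them to constructed sample group entries. The base DN, the OU names, the group names and the group object class univentionGroup used for the samples are assumptions made for this example; the real data comes from your LDAP.

```python
"""Dry-run which LDAP groups a Keycloak group mapper configuration would select.

Added example, not code from the original post, Keycloak or Univention. Sample
DNs, OU names, group names and the object class are constructed for illustration.
"""

BASE = "dc=tierheim,dc=intranet"  # stands in for $(ucr get ldap/base)

# Constructed sample group entries: DN -> attributes.
SAMPLE_GROUPS = {
    f"cn=Domain Users,cn=groups,{BASE}": {"cn": ["Domain Users"], "objectClass": ["univentionGroup", "posixGroup"]},
    f"cn=ou-group1,cn=groups,ou=ou1,{BASE}": {"cn": ["ou-group1"], "objectClass": ["univentionGroup", "posixGroup"]},
    f"cn=ou-group2,cn=groups,ou=ou2,{BASE}": {"cn": ["ou-group2"], "objectClass": ["univentionGroup", "posixGroup"]},
    f"cn=printers,cn=groups,ou=ou1,{BASE}": {"cn": ["printers"], "objectClass": ["univentionGroup", "posixGroup"]},
}


def dn_rdns(dn):
    """Split a DN into lower-cased RDNs (samples contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn, base):
    """True if dn lies beneath base (subtree scope), i.e. base is a suffix of dn."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def parse_filter(text):
    """Parse a subset of RFC 4515 (equality, presence, &, |, !) into a tuple tree.

    Like Keycloak, this rejects a filter that is not enclosed in parentheses.
    """
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at position {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(parse())
            node = (op, items)
        elif op == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')'")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            node = ("=", attr.strip().lower(), value)
            pos = end
        expect(")")
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, attrs):
    """Evaluate a parsed filter against an entry's attributes (keys lower-cased)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, attrs) for n in node[1])
    if kind == "|":
        return any(matches(n, attrs) for n in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def select_groups(groups_dn, ldap_filter, object_class="univentionGroup", entries=SAMPLE_GROUPS):
    """Return the sorted DNs the mapper would sync for this LDAP Groups DN and LDAP Filter.

    Mirrors the mapper's behaviour: subtree search beneath groups_dn, restricted to the
    configured group object class, further restricted by the LDAP Filter if one is set.
    """
    tree = parse_filter(ldap_filter) if ldap_filter else None
    object_class_cond = ("=", "objectclass", object_class)
    selected = []
    for dn, attrs in entries.items():
        lc = {k.lower(): v for k, v in attrs.items()}
        if not in_subtree(dn, groups_dn) or not matches(object_class_cond, lc):
            continue
        if tree is not None and not matches(tree, lc):
            continue
        selected.append(dn)
    return sorted(selected)


if __name__ == "__main__":
    print("default (cn=groups beneath the base):", select_groups(f"cn=groups,{BASE}", ""))
    print("widened DN + example filter:", select_groups(BASE, "(|(cn=groups)(cn=ou-group1)(cn=ou-group2))"))
    print("widened DN + object class only:", select_groups(BASE, "(objectClass=univentionGroup)"))
```

Running it shows the default settings select only the group beneath cn=groups, and the widened DN with the example filter selects exactly the groups whose cn is listed in the filter: Domain Users drops out because the filter is matched against each group's own cn, not against the container it lives in. The third call, with a filter on the object class alone, is included for comparison and selects every group beneath the base; which of the two you want depends on whether all groups or only named ones should reach Keycloak.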

Optional

If groups that are deleted from the LDAP should also be removed from Keycloak, set the option Drop non-existing groups during sync to On in the same mapper.

Video Explanation

(Screen recording: Peek 2024-03-13 16-53)
