Keycloak and nested groups

AlteSockenSuppe · February 20, 2023, 4:16pm

Hi all,

I successfully installed and set up Keycloak as the new SSO provider via univention-app.

I then quickly noticed that nested groups from the LDAP are not resolved.

group: all < group: all.ch < group: all.ch.basel < user: maxmuster

In the OIDC token you see only contain the group all.ch.basel

          'groups' => [
                        '/Domain Users',
                        '/all.ch.basel'
                      ],

Is it possible to get the keycloak to resolve the nested groups correctly?
The memberOf in the user object can only list the direct groups, so it doesn’t help me either.

Greez
AlteSocke

AlteSockenSuppe · February 24, 2023, 8:35am

I guess I have to correct myself here.

group: all < group: all.ch < group: all.ch.basel < user: maxmuster

seems to work.

However, we have the following scenario which does not work.

group: access-app1 < group: all < group: all.ch < group: all.ch.basel < user: maxmuster
group: access-app2 < group: all < group: all.ch < group: all.ch.basel < user: maxmuster

Greez
AlteSocke

AlteSockenSuppe · March 6, 2023, 1:25pm

https://forge.univention.org/bugzilla/show_bug.cgi?id=55787

AlteSockenSuppe · June 7, 2023, 7:26am

A question for Univention:

If you use keycloak as a new SSO provider, but it doesn’t support nested groups, how do you get the builtin group Administrators into the keycloak correctly?

This group has nested groups and failed when opened in keycloak.

TEST-root@vmadfchucs01:~# univention-ldapsearch cn=administrators
# extended LDIF
#
# LDAPv3
# base <dc=int,dc=tux42,dc=ch> (default) with scope subtree
# filter: cn=administrators
# requesting: ALL
#

# Administrators, Builtin, int.tux42.ch
dn: cn=Administrators,cn=Builtin,dc=int,dc=tux42,dc=ch
sambaGroupType: 2
cn: Administrators
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
description: Administrators have complete and unrestricted access to the computer/domain
sambaSID: S-1-5-32-544
gidNumber: 5054
univentionObjectType: groups/group
univentionGroupType: -2147483643
memberUid: Administrator
memberUid: api-user
uniqueMember: uid=administrator,cn=users,dc=int,dc=tux42,dc=ch
uniqueMember: cn=domain admins,cn=groups,dc=int,dc=tux42,dc=ch
uniqueMember: cn=enterprise admins,cn=groups,dc=int,dc=tux42,dc=ch
uniqueMember: uid=api-user,cn=users,ou=internal,dc=int,dc=tux42,dc=ch

Best thanks for the answer
Greez
AlteSocke