Cannot use memberOf in User LDAP filter

[mmelvin0]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

In LDAP user federation, I cannot get memberOf to work at all for an LDAP User filter, although every other filter I've attempted has worked as expected.

The filter I cannot get to work is simply: (memberOf=cn=keycloak-users,ou=groups,o=home). The same (or different group cn) works fine with ldapsearch and many other packages (Postfix, Nextcloud, Dovecot, saslauthd, Grafana, PostgreSQL, Clickhouse, etc.)

I've also tried more complicated variations and many other filters, and AFAICT it's just any user filter that references the memberOf attribute just returns zero results. Further confounding me is the fact that the roles and groups mappers work fine for me using either LOAD_(GROUPS|ROLES)_BY_MEMBER_ATTRIBUTE or GET_(GROUPS|ROLES)_FROM_USER_MEMBEROF_ATTRIBUTE.

I'm running Keycloak 23.0.4, OpenLDAP 2.6.6 w/dynlist overlay and rfc2307bis (e.g. groupOfMembers) schema for group resolution.

My user LDIF looks like:

dn: uid=mike,ou=users,o=home
objectClass: inetOrgPerson
uid: mike
memberOf: cn=keycloak-users,ou=groups,o=home

My group LDIF looks like:

dn: cn=keycloak-users,ou=groups,o=home
objectClass: groupOfMembers
cn: keycloak-users
member: uid=mike,ou=users,o=home

My Keycloak LDAP config looks like:

"config": {
  "authType": ["simple"],
  "bindCredential": ["REDACTED"],
  "bindDn": ["REDACTED"],
  "cachePolicy": ["NO_CACHE"],
  "changedSyncPeriod": ["86400"],
  "connectionPooling": ["true"],
  "connectionUrl": ["ldaps://ldap.example.com"],
  "editMode": ["READ_ONLY"],
  "enabled": ["true"],
  "fullSyncPeriod": ["604800"],
  "importEnabled": ["true"],
  "rdnLDAPAttribute": ["uid"],
  "syncRegistrations": ["false"],
  "trustEmail": ["true"],
  "usernameLDAPAttribute": ["uid"],
  "userObjectClasses": ["*"],
  "usersDn": ["ou=users,o=home"],
  "uuidLDAPAttribute": ["uid"],
  "vendor": ["other"]
}

Version

23.0.4

Expected behavior

Can filter LDAP users by memberOf.

Actual behavior

Any user filter referencing memberOf returns zero results.

How to Reproduce?

Set a User LDAP filter of: (memberOf=cn=keycloak-users,ou=groups,o=home)

Replace group DN with that of a group that exists and ensure at least one user is a member of that group.

Anything else?

No response

[ahus1]

Possible similar issue: #26555

[kellenmurphy]

I too have the same issue...

(memberOf=cn=iam-all-hands,ou=Automated,ou=Groups,o=University of Virginia,c=US)

as a filter works fine in an ldapsearch and returns the members of the group, but when trying to use that in keycloak returns zero members.

[mmelvin0]

Finally figured out what is going on here.

TL;DR: this probably only affects you if you use the OpenLDAP dynlist overlay and will be fixed by turning on the "referral" option for your LDAP federation provider once #24852 lands (currently in main, not yet available in 23.0.6.)

The slapo-dynlist man page states:

All dynamic behavior is disabled when the manageDSAit control (RFC 3296) is used.

Java calls its implementation of manageDSAit ManageReferralControl, and defaults to enabling it for all LDAP searches so that it can ignore referrals. In my humble opinion, this naming and implementation (in JNDI, not Keycloak) represents a fundamental misunderstanding of the purpose of manageDSAit according to RFC 3296. However, it can likely never be fixed because it would be a subtle but major BC break in Java.

Since indirect member and all memberOf attributes in my directory are dynamic, this makes these attributes effectively invisible to Keycloak.

PR #24852 fixes this because the "referral" option removes ManageReferralControl/manageDSAit from the LDAP context, which makes JNDI behave more like basically every other existing LDAP client does by default.

Additional credit to this comment for helping me put it all together: pwm-project/pwm#610 (comment)

[sguilhen]

@mmelvin0 / @kellenmurphy have you tried this using a nightly release? If not, can you confirm it fixes the issue?

[mmelvin0]

@sguilhen I have not explicitly tested the nightly release, but I have tested both the main branch with LDAP referral "follow" option selected as of 2024-02-12 and the release/23.0 branch with env.put(Context.REFERRAL, "follow"); added here. Both resolved this issue for me.

[sguilhen]

Thanks for confirming, @mmelvin0 ! In this case I'll close this issue.

[kellenmurphy]

@sguilhen -- I was just able to confirm that nightly works for us as well. Thank you so much for this!

[sguilhen]

Thanks for confirming, @kellenmurphy !

[nix-power]

I wanted to ask whether is is a notmal behaviour:

Keycloak 24.0.4 ( running on K8S ) after chaning "referal" to "follow" AND disabling ldap pagination filter based on 'companyMemberOf' started working as expected
(icompanyemberOf=cn=Keycloak-Admins,ou=Groups,dc=company,dc=com)