Keycloak & Active Directory Integration : Filtering and Importing Users from Certain Groups

Yasith Kumara, published in Chain Analytica, Oct 8, 2021

Active Directory can assign users and computers to groups, which makes managing them more efficient.

We can get the full benefit of those groups when importing users into Keycloak, because the LDAP provider allows us to import only the users of a certain group as federated users by using a Custom User LDAP Filter.

This article assumes that you already have a working LDAP connection from Keycloak to your Active Directory, configured as a User Federation provider. If you do not, check out here first.

If we do not want to filter users by their groups, we can leave the ‘Custom User LDAP Filter’ field in the User Federation window empty, as shown below. When it is left empty, all users under the Users DN get imported.

If we provide a Custom User LDAP Filter as shown below, we can import only the users of a certain group.

Now let’s look at the string closely.

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=mygroup,cn=users,dc=chain,dc=demo))

‘ & ’ is the logical AND operator. It lets us combine multiple filters in the same string; an entry matches only if every enclosed filter matches.

(objectCategory=Person) queries user objects and contact objects.

(sAMAccountName=*) returns all types of users, because sAMAccountName specifies the user type (for example, whether disabled or not) and ‘ * ’ is the wildcard operator.

(memberOf=cn=mygroup,cn=users,dc=chain,dc=demo) is the distinguished name of the group named ‘mygroup’, located in the ‘users’ container of the domain ‘chain.demo’.
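To make the semantics of that filter string concrete, here is a small LDAP filter parser and evaluator, added as an example for this article (it is not Keycloak code and does not talk to a real directory). It parses the filter exactly as written above and runs it over a handful of constructed entries that mirror the Testing section below: ‘jane doe’ is a direct member of ‘mygroup’, ‘john doe’ is in no group, and a hypothetical third user ‘nested user’ belongs to a hypothetical ‘subgroup’ that is itself nested inside ‘mygroup’. Two points worth seeing in code: (sAMAccountName=*) is a presence test (the attribute merely has to exist), and a plain memberOf match only covers direct membership, so nested members are not imported unless Active Directory's transitive matching rule (the 1.2.840.113556.1.4.1941 OID, supported here as an extension beyond the article) is used instead. The objectCategory values are stored in the short form the filter uses, which is a simplification of the real DN-valued attribute.

```python
"""Evaluate an Active Directory style LDAP search filter against in-memory entries.

Supports the RFC 4515 constructs used in the article's filter (AND / OR / NOT,
equality matches, presence matches 'attr=*') plus, as an extension, AD's
transitive group-membership rule 'memberOf:1.2.840.113556.1.4.1941:=<groupDN>'.
"""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (transitive membership)

# Filter string from the article and the group DN it refers to.
ARTICLE_FILTER = "(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=mygroup,cn=users,dc=chain,dc=demo))"
MYGROUP = "cn=mygroup,cn=users,dc=chain,dc=demo"
SUBGROUP = "cn=subgroup,cn=users,dc=chain,dc=demo"  # hypothetical nested group, not in the article

# Constructed sample directory (DN -> attributes); values are lists as in LDAP.
DIRECTORY = {
    "cn=jane doe,cn=users,dc=chain,dc=demo": {
        "objectCategory": ["Person"], "sAMAccountName": ["jane.doe"], "memberOf": [MYGROUP]},
    "cn=john doe,cn=users,dc=chain,dc=demo": {
        "objectCategory": ["Person"], "sAMAccountName": ["john.doe"], "memberOf": []},
    "cn=nested user,cn=users,dc=chain,dc=demo": {  # hypothetical user, member only via subgroup
        "objectCategory": ["Person"], "sAMAccountName": ["nested.user"], "memberOf": [SUBGROUP]},
    SUBGROUP: {"objectCategory": ["Group"], "memberOf": [MYGROUP]},
    MYGROUP: {"objectCategory": ["Group"], "memberOf": []},
}

_ITEM = re.compile(r"([A-Za-z][\w.\-;]*)(?::([\d.]+):)?=(.*)", re.S)


def parse_filter(text):
    """Recursive-descent parser returning a nested AST of tuples."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":                      # compound filter: operator followed by children
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)           # simple item: attr[:rule:]=value
        item, pos = text[pos:end], end + 1
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad filter item {item!r}")
        return ("item", (m.group(1), m.group(2), m.group(3)))

    ast = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return ast


def _get(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((v for k, v in entry.items() if k.casefold() == attr.casefold()), [])


def _in_chain(entry, target, directory):
    """Walk memberOf transitively, the way the IN_CHAIN rule resolves nested groups."""
    seen, todo = set(), list(_get(entry, "memberOf"))
    while todo:
        dn = todo.pop()
        if dn.casefold() == target.casefold():
            return True
        if dn.casefold() not in seen:        # cycle guard for mis-nested groups
            seen.add(dn.casefold())
            todo.extend(_get(directory.get(dn, {}), "memberOf"))
    return False


def evaluate(node, entry, directory):
    """Return True if the entry satisfies the parsed filter."""
    op, payload = node
    if op == "&":
        return all(evaluate(c, entry, directory) for c in payload)
    if op == "|":
        return any(evaluate(c, entry, directory) for c in payload)
    if op == "!":
        return not evaluate(payload[0], entry, directory)
    attr, rule, value = payload
    if rule == IN_CHAIN and attr.casefold() == "memberof":
        return _in_chain(entry, value, directory)
    values = [v.casefold() for v in _get(entry, attr)]
    if value == "*":                         # presence filter: attribute exists with any value
        return bool(values)
    return value.casefold() in values        # equality; AD compares DNs case-insensitively


def search(filter_text, directory=DIRECTORY):
    """Sorted sAMAccountNames of the user entries the filter would import."""
    ast = parse_filter(filter_text)
    return sorted(e["sAMAccountName"][0] for e in directory.values()
                  if "sAMAccountName" in e and evaluate(ast, e, directory))


if __name__ == "__main__":
    print("article filter:", search(ARTICLE_FILTER))
    nested = ARTICLE_FILTER.replace("memberOf=", f"memberOf:{IN_CHAIN}:=")
    print("transitive    :", search(nested))
```

Running the block prints `['jane.doe']` for the article's filter and `['jane.doe', 'nested.user']` for the transitive variant, which is the scope difference to keep in mind when deciding which accounts a Keycloak realm should be allowed to import.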

You can refer here for the standard that defines LDAP search filters. This is also a good place to look up widely used custom LDAP filters.

Testing

We need a custom user group in Active Directory to test the import. We will create a group named ‘mygroup’ in Active Directory.

1. Open Active Directory Users and Computers from the Tools menu.

2. Click the new group icon in the toolbar.

3. Choose the group name, keep the default selections and click OK.

Now we will also create two new users with names ‘john doe’ and ‘jane doe’ in Active Directory.

4. Click the new user icon in the toolbar.

5. Add the user ‘jane doe’ and set the user logon name. You’ll have to set a password too.

6. Repeat the process for another user named ‘john doe’.

And now we will assign jane to the newly created user group ‘mygroup’.

7. Select Jane Doe from the list of users and double-click to edit the user.

8. In jane doe’s properties, navigate to the ‘Member Of’ tab and click the “Add” button. Type the group name and click the Check Names button. The group name will be underlined if such a group exists. Click OK.

Now we can see that jane doe is a member of the group ‘mygroup’.

Now when we go back to Keycloak and import users again, we can see that only the newly created user ‘jane doe’, the member of user group ‘mygroup’, is imported from Active Directory through LDAP.
