Topic
Issue:
This article shows how to build an LDAP filter with LDAP Browser so that Keycloak synchronizes only the users that belong to a given Active Directory group.
Instructions
Solution:
1. Open LDAP Browser.
2. If a connection profile already exists, skip to step 4.
3. Create a connection profile.
- Click the “New” button.

- Specify the name and click Next.
- Open Keycloak page.
- Navigate to User Federation.
- Choose the federation you need to build the LDAP filter for.
- Copy the server address from the Connection URL field, without the “ldap://” (or “ldaps://”) scheme prefix.

- Paste it into the Host field. If the Connection URL uses ldaps://, check the Use secure connection checkbox.

- Click the Next button.
- Select the Currently logged on user radio button (this assumes that the RPA service user is the account currently logged on). Note that the search results you will validate below reflect that account's read permissions in the directory; if Keycloak binds with a different account, the set of visible users may differ.
- Click the Finish button.
4. Expand the connection profile.

5. Right-click the DC node that corresponds to the Users DN field configured in Keycloak.

6. Click on the Directory Search button.

7. In the Filter field, type:
(&(objectCategory=group)(name=<GN>))
where <GN> is the name of the Active Directory group. If the group name contains any of the characters *, (, ) or \, escape them as \2a, \28, \29 and \5c respectively, otherwise the filter will not parse (or will match something other than you intended).
8. Click the Search button.
9. In the search results, right-click on the group name, click on the arrow to expand the options for Copy and select Copy DN.

10. In the same window, in the Filter field, type:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=<FullDN>))
where <FullDN> is the DN copied in the previous step. The memberOf attribute only matches direct members of the group; users who are members through a nested group are not returned by this filter.
11. Click the Search button again.
12. Check that the results contain exactly the users that should be synchronized; a user missing here will also be missing in Keycloak.

13. Copy the contents of the Filter field into the Custom User LDAP Filter field of the Keycloak federation. Keycloak requires this filter to start with “(” and end with “)”.
14. Make sure the Subtree search scope is selected, so that users located in OUs below the Users DN are found as well.

15. Save the changes.
Note:
To match users in more than one group, combine the memberOf clauses with the OR operator (|), for example:
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=<FullDN_A>)(memberOf=<FullDN_B>)(memberOf=<FullDN_C>)))
where <FullDN_X> is the DN of each group.
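The following script is an added example and is not part of this article, of LDAP Browser or of Keycloak. It builds the same filters as steps 7 and 10 and the multi-group note above, but with RFC 4515 escaping applied to the group name and DNs so that characters such as *, ( and ) cannot alter the filter, and it checks the result against Keycloak's requirement that the custom filter starts with “(” and ends with “)”. The nested option goes beyond the article: it uses the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which also matches members of nested groups; it is AD-specific and can be slow on large directories. The group names and DNs in the block are constructed sample values; the script builds strings offline and does not query a directory.

```python
"""Build and sanity-check the LDAP filters from the steps above (added example)."""

# RFC 4515 escapes for values placed inside an LDAP search filter.
# Without these, a group name or DN containing *, ( ) or \ would either
# fail to parse or change the meaning of the filter (LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# AD-only matching rule that walks group nesting (LDAP_MATCHING_RULE_IN_CHAIN).
_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside a filter (single pass,
    so an escape we emit is never re-escaped)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_lookup_filter(group_name: str) -> str:
    """Step 7: locate the group object by its AD name."""
    return f"(&(objectCategory=group)(name={escape_filter_value(group_name)}))"


def user_filter(group_dns, nested: bool = False) -> str:
    """Step 10 (one group) and the note (several groups, OR-ed together).

    nested=False reproduces the article's memberOf filter: direct members only.
    nested=True swaps in memberOf:<OID>:= so members of nested groups match too.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{_IN_CHAIN_OID}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectCategory=Person)(sAMAccountName=*){membership})"


def is_valid_keycloak_custom_filter(flt: str) -> bool:
    """Keycloak's Custom User LDAP Filter must start with '(' and end with ')';
    this also checks that the parentheses balance.  Escaped parentheses in
    values are \\28 / \\29 after escape_filter_value, so they do not count."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    group = "RPA Users"
    dns = [
        "CN=RPA Users,OU=Groups,DC=example,DC=com",
        "CN=Ops (EU),OU=Groups,DC=example,DC=com",  # parentheses need escaping
    ]
    print(group_lookup_filter(group))
    single = user_filter(dns[:1])
    multi = user_filter(dns)
    print(single)
    print(multi)
    print(user_filter(dns[:1], nested=True))
    print("valid for Keycloak:", is_valid_keycloak_custom_filter(multi))
```

Paste the output of user_filter() into Custom User LDAP Filter exactly as printed; the escaped DN form (for example \28EU\29 instead of (EU)) is what the server expects inside a filter, even though the DN itself is displayed with literal parentheses in LDAP Browser.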