Use LDAP attribute for role-ldap-mapper role name
I'm trying to sync my roles from my LDAP to Keycloak. As I have objects in my domain that share the name of my needed roles, I can't use the cn as "Role Name LDAP Attribute". Instead, I want to create groups with a prefix like keycloak-mygroup and omit said prefix in the Keycloak roles.
If that isn't possible, I'd like to create these groups with a prefix and use another attribute of the group as a role name. The roles I want to sync already exist in my Keycloak instance.
If I try to use an attribute like description, I get an error ("Violation of UNIQUE KEY constraint "UK_J3RWUVD56ONTGSUHOGM184WW2-2". A duplicate key cannot be inserted into the dbo.KEYCLOAK_ROLE object. The duplicate key value is (, default).") and if I use an attribute like distinguishedName (those roles don't exist), everything is created.
How can I use a different attribute than cn for my role names and have it sync?
Solution 1:[1]
I was able to solve this problem. The error happens if a group is missing the attribute used for the group name. Every group has to have the used attribute, otherwise the sync will fail for all groups.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Uke |
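A pre-sync check for the condition described in Solution 1, as an added example that is not part of the original question or answer: it parses `ldapsearch -LLL` output (LDIF) for the groups the mapper reads and lists every group that lacks the attribute chosen as "Role Name LDAP Attribute". The sample LDIF, the DNs and the function names are constructed for illustration; the report of values shared by several groups goes beyond what the answer states.

```python
import base64
from collections import Counter

# Constructed sample: `ldapsearch -LLL`-style output for three groups.
SAMPLE_LDIF = """\
dn: CN=keycloak-admins,OU=Groups,DC=example,DC=org
cn: keycloak-admins
description: admins

dn: CN=keycloak-auditors,OU=Groups,DC=example,DC=org
cn: keycloak-auditors

dn: CN=keycloak-operators,OU=Groups,DC=example,DC=org
cn: keycloak-operators
description:: b3BlcmF0b3Jz
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries

def check_role_name_attribute(entries, attr):
    """Return (DNs missing a non-empty `attr`, values used by more than one group)."""
    attr = attr.lower()
    missing = [e["dn"][0] for e in entries
               if "dn" in e and not any(e.get(attr, []))]
    counts = Counter(v for e in entries for v in e.get(attr, []) if v)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    return missing, duplicates

if __name__ == "__main__":
    print(check_role_name_attribute(parse_ldif(SAMPLE_LDIF), "description"))
```

Any DN in the first list is a group that would reach the mapper without a role name; give it the attribute or narrow the mapper's LDAP filter before syncing.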

