When integrating OpenDJ with Keycloak, syncing LDAP groups, especially nested groups, as Keycloak groups is essential for centralized, scalable access control across applications.
Unlike OpenLDAP, OpenDJ supports nested groups natively and exposes them through the isMemberOf virtual attribute. This allows Keycloak to assign roles based on both direct and indirect group membership, without custom scripts or overlays.
Prerequisites
Before proceeding, make sure you have completed the following:
- Install OpenDJ on Ubuntu 24.04 with LDAPS via OPNsense HAProxy
- Install Keycloak with MariaDB and NGINX Reverse Proxy (SSL Termination)
- Connect OpenDJ to Keycloak
- Navigate to User Federation
- Click Add LDAP provider
- Fill in the configuration using the table below
| Section | Setting | Value |
|---|---|---|
| General Options | Display Name | OpenDJ |
| Vendor | Other | |
| Connection and Authentication | Connection URL | ldaps://ldap.maksonlee.com:636 |
| Enable StartTLS | ❌ Off | |
| Use Truststore SPI | ✅ Always | |
| Connection Pooling | ✅ On | |
| Bind Type | simple | |
| Bind DN | cn=Directory Manager | |
| Bind Credentials | (LDAP admin password) | |
| LDAP Searching and Updating | Edit Mode | ✅ WRITABLE |
| Users DN | ou=people,dc=maksonlee,dc=com | |
| User LDAP Filter | (employeeType=active) | |
| Username LDAP Attribute | uid | |
| RDN LDAP Attribute | uid | |
| UUID LDAP Attribute | entryUUID | |
| User Object Classes | inetOrgPerson | |
| Search Scope | Subtree | |
| Pagination | ✅ On | |
| Referral | ignore | |
| Synchronization | Import Users | ✅ On |
| Sync Registrations | ❌ Off | |
| Remove Invalid Users During Searches | ✅ On | |
| Periodic Full Sync | ❌ Off | |
| Periodic Changed Users Sync | ❌ Off | |
| Advanced Settings | LDAPv3 Password Modify Extension | ✅ On |
| Validate Password Policy | ❌ Off | |
| Trust Email | ✅ On |
- Create Group Mapper
After saving the LDAP provider:
- Go to User Federation > [your OpenDJ provider] > Mappers > Add mapper
Fill in the mapper settings:
| Field | Value |
|---|---|
| Name | ldap-groups |
| Mapper Type | group-ldap-mapper |
| LDAP Groups DN | ou=groups,dc=maksonlee,dc=com |
| Relative Creation DN | (leave empty) |
| Group Name LDAP Attribute | cn |
| Group Object Classes | groupOfNames |
| Preserve Group Inheritance | On |
| Membership LDAP Attribute | member |
| Membership Attribute Type | DN |
| Membership User LDAP Attribute | uid |
| LDAP Filter | (objectClass=groupOfNames) |
| Mode | READ_ONLY |
| User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE |
| Member-Of LDAP Attribute | isMemberOf |
- Sync Users from OpenDJ
After saving the mapper, click the Action button on the right, then select Sync LDAP groups to Keycloak.