Open Joncheski opened 2 years ago
@Joncheski Does this work correctly if you manually sync (click the "Sync" buttons)?
@hmlnarik No, even if I do the synchronization manually it doesn't work.
Updating the roles is unfortunately not supported in the legacy LDAP, see KEYCLOAK-3923 and KEYCLOAK-4498.
Switching to a feature request.
Describe the bug
Hello,
I have done FreeIPA federation with Keycloak, and additionally I have put LDAP Mappers for Roles. But it doesn't work: if I delete Roles on FreeIPA, they are not deleted on the Keycloak side. The same happens in the other direction: if I delete Roles on Keycloak, the deletion is not transferred to FreeIPA.
In the context of the same LDAP mapper, when a new role is added, it appears under Client Roles as an Available Role and does not go to Assigned Roles. It has to be added to Assigned Roles manually. Can this be changed so that it goes to Assigned Roles?
Keycloak Server Version - 16.1.1
LDAP mapper details:
- Mapper Type - role-ldap-mapper
- LDAP Roles DN - cn=roles,cn=accounts,dc=###,dc=###
- Role Name LDAP Attribute - cn
- Role Object Classes - groupOfNames
- Membership LDAP Attribute - member
- Membership Attribute Type - DN
- Membership User LDAP Attribute - uid
- Mode - LDAP_ONLY
- User Roles Retrieve Strategy - LOAD_ROLES_BY_MEMBER_ATTRIBUTE
- Member-Of LDAP Attribute - memberOf
Normally I do a sync (Sync Ldap Roles To Keycloak, Synchronize all users and Synchronize changed users).
Image in attachment https://canada1.discourse-cdn.com/free1/uploads/keycloak/original/2X/0/0e626a5b929599ecdbfb06e4b6e93f1b911069ae.png
Best regards, Goce Joncheski
Version
16.1.1
Expected behavior
When Freeipa's Roles are deleted, the same Roles should also be deleted on Keycloak's side.
Actual behavior
All roles are synchronized, but if a role is deleted in FreeIPA, it is not deleted on Keycloak; roles are only added.
How to Reproduce?
Replicate all Roles that are in FreeIPA, so that they are added and deleted depending on the situation.
Anything else?
No response
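Because the sync described in this issue only adds roles, a role removed in FreeIPA (and any membership revoked there) can survive in Keycloak, which is an authorization drift worth checking for until the sync is fixed. The following is an added example written for this page, not code from Keycloak or from the reporter. It treats LDAP as the source of truth (the mapper's LDAP_ONLY mode), parses a constructed LDIF dump of the roles subtree using the attribute layout from the mapper settings above (`groupOfNames`, role name in `cn`, DN members in `member`, user identified by `uid`), and compares it against a constructed snapshot of Keycloak's role memberships. The base DN `dc=example,dc=test`, the role names and the user names are placeholders; in practice the LDAP side would come from an `ldapsearch` export and the Keycloak side from its admin REST API.

```python
"""Reconcile FreeIPA (LDAP) roles against a Keycloak role snapshot.

Added example: LDAP is authoritative, so anything Keycloak still holds that
LDAP no longer has is reported as drift. All data below is constructed.
"""
from __future__ import annotations

# Constructed LDIF dump of the roles subtree (base DN is a placeholder).
LDAP_ROLES_LDIF = """\
dn: cn=admins,cn=roles,cn=accounts,dc=example,dc=test
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=auditors,cn=roles,cn=accounts,dc=example,dc=test
objectClass: groupOfNames
cn: auditors
member: uid=carol,cn=users,cn=accounts,dc=example,dc=test
"""

# Constructed Keycloak snapshot after an add-only sync: "helpdesk" was deleted
# in FreeIPA but still exists here, and bob's auditors membership was revoked
# in LDAP but never removed in Keycloak.
KEYCLOAK_ROLES: dict[str, set[str]] = {
    "admins": {"alice"},
    "auditors": {"bob", "carol"},
    "helpdesk": {"erin"},
}


def uid_from_dn(dn: str) -> str | None:
    """Return the uid value of a member DN (Membership User LDAP Attribute = uid)."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None


def parse_ldif_roles(ldif: str) -> dict[str, set[str]]:
    """Map role name (cn) -> set of member uids for every groupOfNames entry."""
    roles: dict[str, set[str]] = {}
    for block in ldif.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" not in classes or "cn" not in attrs:
            continue  # not a role entry per the mapper's Role Object Classes
        members = {uid_from_dn(dn) for dn in attrs.get("member", [])}
        roles[attrs["cn"][0]] = {m for m in members if m}
    return roles


def reconcile(
    ldap_roles: dict[str, set[str]], keycloak_roles: dict[str, set[str]]
) -> tuple[list[str], dict[str, list[str]]]:
    """Return (roles only in Keycloak, per-role members only in Keycloak)."""
    stale_roles = sorted(set(keycloak_roles) - set(ldap_roles))
    extra_members: dict[str, list[str]] = {}
    for role in sorted(set(keycloak_roles) & set(ldap_roles)):
        extra = keycloak_roles[role] - ldap_roles[role]
        if extra:
            extra_members[role] = sorted(extra)
    return stale_roles, extra_members


def main() -> None:
    ldap_roles = parse_ldif_roles(LDAP_ROLES_LDIF)
    stale_roles, extra_members = reconcile(ldap_roles, KEYCLOAK_ROLES)
    for role in stale_roles:
        print(f"stale role in Keycloak (deleted in LDAP): {role}")
    for role, users in extra_members.items():
        print(f"members of {role} no longer in LDAP: {', '.join(users)}")


if __name__ == "__main__":
    main()
```

Running it lists `helpdesk` as a stale role and `bob` as a member of `auditors` that LDAP no longer grants; both are what a deletion in FreeIPA should have removed from Keycloak and are the entries to clean up (or alert on) while the sync is add-only.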