Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
ldap
Describe the bug
When loading the role membership from a user, all the roles that the user is memberOf and that match a potential LDAP filter should be loaded. Since the LDAP protocol has a theoretical MaxPageSize, RFC 2696 added a pagination mechanism. Pagination seems to exist in some parts of the codebase but not everywhere, and specifically not here. As such, when we try to load the group membership of an AD user with the current strategy, we are capped at 1000.
Version
v26 / main
Regression
- The issue is a regression
Expected behavior
The token or userinfo endpoint should reflect the entire LDAP group membership and should not be limited to MaxPageSize on Active Directory.
Actual behavior
The token / userinfo endpoint contains a maximum of 1000 entries, since MaxPageSize is 1000.
How to Reproduce?
Use the federation module with Active Directory and create a mapper that filters (or does not filter) a user who has more than 1000 group memberships. Make sure to use the GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy. Emulate a query that should reflect the userinfo endpoint and you will notice a maximum of 1000 groups.
Anything else?
Caching or not does not change the behavior here. Some operations in Keycloak seem to support pagination.
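To make the RFC 2696 mechanism the report refers to concrete, here is an added example (not Keycloak code, and not from the reporter): the BER encoding of the paged-results control value, a constructed in-memory stand-in for a domain controller that enforces MaxPageSize, and the client loop that follows the cookie until the directory says the result set is exhausted. `SimulatedDirectory`, `load_groups_unpaged`, `load_groups_paged` and the 2500 constructed group DNs are all assumptions for illustration; the control OID and the `SEQUENCE { size INTEGER, cookie OCTET STRING }` layout are from RFC 2696. The stand-in truncates an unpaged search at MaxPageSize, whereas a real DC returns the first page together with a sizeLimitExceeded result; for a client that does not page, the visible effect is the same 1000 entries. Python is used because only the protocol mechanics matter here, not Keycloak's Java API.

```python
"""RFC 2696 paged results next to the unpaged search that hits MaxPageSize.
Constructed stand-in: no network and no real LDAP server. The BER codec is
the real control-value wire format; SimulatedDirectory only imitates a DC."""
from __future__ import annotations

MAX_PAGE_SIZE = 1000                          # AD default MaxPageSize (LDAP policy)
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # controlType from RFC 2696


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02), non-negative; the extra byte keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_len(len(body)) + body

def _ber_octets(data: bytes) -> bytes:
    """OCTET STRING (tag 0x04)."""
    return b"\x04" + _ber_len(len(data)) + data

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one tag/length/value; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long form: next bytes hold the length
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_int(size) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(inner)) + inner

def decode_paged_control(raw: bytes) -> tuple[int, bytes]:
    """Inverse of encode_paged_control; rejects anything that is not that SEQUENCE."""
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


class SimulatedDirectory:
    """Constructed stand-in for a DC. A real DC answers an unpaged search that
    exceeds MaxPageSize with the first page plus sizeLimitExceeded; this stand-in
    just truncates, which is the same 1000 entries a non-paging client keeps."""

    def __init__(self, entries: list[str], max_page_size: int = MAX_PAGE_SIZE):
        self.entries = list(entries)
        self.max_page_size = max_page_size

    def search(self, paged_control: bytes | None = None) -> tuple[list[str], bytes | None]:
        """Return (entries, response control value or None)."""
        if paged_control is None:
            return self.entries[: self.max_page_size], None
        size, cookie = decode_paged_control(paged_control)
        offset = int.from_bytes(cookie, "big") if cookie else 0   # opaque to the client
        page = self.entries[offset: offset + min(size, self.max_page_size)]
        nxt = offset + len(page)
        next_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        return page, encode_paged_control(0, next_cookie)        # size 0: total unknown


def load_groups_unpaged(directory: SimulatedDirectory) -> list[str]:
    """What the issue describes: one search, capped at MaxPageSize."""
    entries, _ = directory.search()
    return entries

def load_groups_paged(directory: SimulatedDirectory, page_size: int = MAX_PAGE_SIZE) -> list[str]:
    """Follow the cookie until the server returns an empty one (RFC 2696, section 3)."""
    results, cookie = [], b""
    while True:
        page, response = directory.search(encode_paged_control(page_size, cookie))
        results.extend(page)
        _, cookie = decode_paged_control(response)
        if not cookie:
            return results


if __name__ == "__main__":
    # Constructed sample: a user who is memberOf 2500 groups.
    groups = [f"CN=group{i},OU=Groups,DC=example,DC=com" for i in range(2500)]
    dc = SimulatedDirectory(groups)
    print(len(load_groups_unpaged(dc)), "groups without the control")
    print(len(load_groups_paged(dc)), "groups with RFC 2696 paging")
```

The client treats the cookie as opaque and only tests it for emptiness, which is what RFC 2696 requires; asking for a page larger than MaxPageSize is harmless because the server clamps it, so a loop like this is what makes the role lookup independent of the directory's page limit.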