
Add Role Mapper for LDAP Integration

23/04/2026

While configuring an LDAP integration, you need to add a mapper that will assign LDAP users to user roles in Graph Modeling.

If the users on the LDAP server are assigned to groups with names matching the names of the user roles in Graph Modeling, you can add and configure a mapper that will assign the users to the corresponding Graph Modeling user roles (see option 1 below).

If this is not the case, use the default poolparty-default-role-ldap-mapper, which will assign the LDAP users to a placeholder user role None (see option 2 below). Users with this role cannot use Graph Modeling until a Graph Modeling SuperAdmin changes their role in the Graph Modeling User Management.

Option 1: Add and configure a role mapper that will assign LDAP users to corresponding Graph Modeling user roles
Preconditions

Make sure that the Graph Modeling user roles are represented on the LDAP server as follows:

  • There is an organizational unit (instance of the organizationalUnit object class), called for example Roles (1).

  • Under this unit, there are groups (instances of a group object class) representing the individual Graph Modeling user roles (2).

  • The cn attribute of the groups matches the names of the Graph Modeling roles, for instance cn=PoolPartyUser (3).

  • Users are added to these groups via the member attribute (4).

    Figure: Add-Role-Mapper-for-LDAP-Integration.png (items 1 to 4 above)
  1. In Keycloak, open the user federation you configured for your LDAP server. For more information, refer to Configure LDAP Integration.

  2. Go to the Mappers tab.

  3. Click Add mapper.

    Figure: add-a-mapper.png

    The Add user federation mapper page opens.

  4. Type in the mapper's name.

  5. Select role-ldap-mapper as the mapper type.

  6. Configure the mapper. These are the most important fields:

    1. LDAP Roles DN: must match the base DN for the roles in LDAP (in our case ou=Roles, dc=semantic-web, dc=at).

    2. Role Name LDAP Attribute: must match the role name attribute in LDAP (in our case cn).

    3. Role Object Classes: the object class of the role groups, usually groupOfNames.

    4. Membership User LDAP Attribute: must match the LDAP attribute that holds the user's username (in our case uid).

    5. Mode: must be IMPORT.

      Figure: Add-Role-Mapper-for-LDAP-Integration---option1.png

    Tip

    For more information on how to fill in a certain field, hold your pointer over the Help icon in the Keycloak UI.

  7. Confirm with Save.

    After initial synchronization, the LDAP users get created in the Graph Modeling User Management with corresponding roles coming from the LDAP server.
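    Before adding the mapper, it helps to verify that the directory actually has the layout the preconditions describe, because a group with a cn that matches no Graph Modeling role, or a missing group, silently leaves users without the role. The following check is an added example and not part of the PoolParty or Keycloak documentation; the LDIF export and the set of expected role names (only PoolPartyUser appears on this page) are constructed assumptions.

```python
ROLES_DN = "ou=Roles,dc=semantic-web,dc=at"  # the page's example LDAP Roles DN
EXPECTED_ROLES = {"PoolPartyUser", "PoolPartySuperAdmin"}  # assumed; only PoolPartyUser is on the page
# Constructed LDIF export; the Editors group deliberately matches no Graph Modeling role.
SAMPLE_LDIF = """\
dn: ou=Roles,dc=semantic-web,dc=at
objectClass: organizationalUnit
ou: Roles

dn: cn=PoolPartyUser,ou=Roles,dc=semantic-web,dc=at
objectClass: groupOfNames
cn: PoolPartyUser
member: uid=alice,ou=People,dc=semantic-web,dc=at
member: uid=bob,ou=People,dc=semantic-web,dc=at

dn: cn=Editors,ou=Roles,dc=semantic-web,dc=at
objectClass: groupOfNames
cn: Editors
member: uid=carol,ou=People,dc=semantic-web,dc=at
"""

def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [values]}}; no base64 or wrapped lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_role_groups(entries, roles_dn=ROLES_DN, expected=EXPECTED_ROLES):
    """List layout violations that would make role-ldap-mapper miss or misname roles."""
    problems, found = [], set()
    ou = entries.get(roles_dn, {})
    if "organizationalUnit" not in ou.get("objectclass", []):
        problems.append(f"{roles_dn} is missing or not an organizationalUnit")
    for dn, attrs in entries.items():
        if not dn.endswith("," + roles_dn): continue  # only groups under the Roles DN
        cn = attrs.get("cn", [""])[0]  # Role Name LDAP Attribute is cn
        found.add(cn)
        if "groupOfNames" not in attrs.get("objectclass", []):
            problems.append(f"{dn}: object class is not groupOfNames")
        if cn not in expected:
            problems.append(f"{dn}: cn '{cn}' matches no Graph Modeling role")
        if not attrs.get("member"):
            problems.append(f"{dn}: no member attribute, so nobody receives this role")
    problems += [f"no group for role {r} under {roles_dn}" for r in sorted(expected - found)]
    return problems
```

Run the check against an export taken with your usual LDAP tooling; an empty result means the Roles DN, object class and cn values you enter in the mapper match the directory.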

Option 2: Add a preconfigured role mapper that will assign LDAP users to the None user role in Graph Modeling
  1. In Keycloak, open the user federation you configured for your LDAP server. For more information, refer to Configure LDAP Integration.

  2. Go to the Mappers tab.

  3. Click Add mapper.

    Figure: add-a-mapper.png

    The Add user federation mapper page opens.

  4. Type in the mapper's name.

  5. Select poolparty-default-role-ldap-mapper as the mapper type.

  6. Confirm with Save.

    After initial synchronization, the LDAP users get created in the Graph Modeling User Management with the user role None. This role does not allow them to use Graph Modeling until a SuperAdmin changes it manually. For more information on how to do so, refer to How to Edit Existing Users.

    Once a SuperAdmin changes the role of an LDAP user in the Graph Modeling User Management, that role is not overwritten by the None user role even if the user is re-synchronized in Keycloak.