Identity Cloud Governance - OpenLDAP groups (entitlements) provisioning

Hello everybody!

I’m really new to ForgeRock and I’ve been trying to set up some test data in our sandbox for a couple of days, and there are still some notions that I need to understand better (or at all)… So here goes!

So I’ve been able to create my RCS and install an OpenLDAP server on it. I’ve then created my application in IDC and finalized its configuration and created a couple of mappings, after which I’ve been able to have IDC create my test user accounts on my LDAP server, as well as reconcile the other way around, so that I can now see my LDAP accounts under the “Linked Systems” of my test Identities… so far so good:

Note that I had to add the “memberOf” overlay to my LDAP Server config in order to see the LDAP groups on my users, and therefore I had to modify the ldapGroups property of the User object as follows:

All that being said, whenever I want to add an LDAP group to one of my users from IDC, it just tells me that the operation is successful, but when I look in my LDAP repo, the group membership hasn’t been applied - see example below for the addition of the “acmeUsers” group to Ima Shields:

… and the group isn’t assigned (and before you ask, yes I did refresh the OU):

So… what am I missing here? Is there a specific mapping that needs to be added!? I’ve been searching and reading a lot in the last few days, but I haven’t found anything…

Thanks in advance for your help… and patience ;).


Welcome to the community!
LDAP traditionally uses memberOf as a virtual attribute of a group’s uniqueMember values, so updating a user’s virtual attribute will do nothing. ForgeRock chose to represent this virtual attribute as ldapGroups, which when synchronized will actually update the related group.
Since you are referencing the new Application Templates in your screenshots, I will show how to accomplish assigning a group to a user in your OpenLDAP Target App.
Groups in target apps are considered to be entitlements, which requires setting up entitlements properly. From the LDAP Application Template, Provisioning - User - Properties - click on ldapGroups.
Then constrain values for this property to be application object type Entitlement,
then switch to group.
Set the displayName (to cn or another attribute that is populated).
Save - then
Reconcile - Reconcile Now.

This will then enable you to assign Identity Cloud Roles with ldapGroups that were reconciled.

Any users with that role membership will get the ldapGroup
If you have a user that is directly assigned to the Application Template

you can edit details
and pick one of the reconciled groups

If you own Access Request you can also go to Entitlements and make the entitlement requestable for approval, so role-based assigned users can have additional ldapGroups assigned. This would be another question but is documented.
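The point in the answer above (memberOf is derived from the groups, so a write to the user’s memberOf cannot change membership; the ldapGroups mapping has to write to the group entries) is easier to see in code. The following is an added example, not code from this thread and not ForgeRock’s own implementation: a small offline model of an OpenLDAP directory running the memberof overlay, plus a planner that turns a user’s desired ldapGroups value into the group-side modifications a sync would have to issue, and renders them as LDIF you could feed to ldapmodify against a real server. Attribute names follow the overlay’s defaults for groupOfUniqueNames (uniqueMember / memberOf); all DNs and entry names are made up.

```python
"""Offline model of OpenLDAP's memberof overlay and a group-side ldapGroups sync.

Added example, not from the thread or from ForgeRock/Identity Cloud.  memberOf is
computed from the groups' uniqueMember values at read time, so the only way to
change it is to modify the group entries.  All DNs below are constructed.
"""
from dataclasses import dataclass, field

# Mirrors the overlay's olcMemberOfMemberAD / olcMemberOfMemberOfAD settings
# for groupOfUniqueNames groups (assumed defaults for this example).
MEMBER_AD = "uniqueMember"
MEMBEROF_AD = "memberOf"


def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


class NoUserModification(Exception):
    """memberOf is NO-USER-MODIFICATION in the overlay's schema; slapd rejects writes."""


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)  # group DN -> normalised member DNs
    users: dict = field(default_factory=dict)   # user DN -> attributes actually stored

    def add_group(self, dn, members=()):
        self.groups[dn] = {norm(m) for m in members}

    def add_user(self, dn, **attrs):
        self.users[dn] = attrs

    def read_user(self, dn):
        """What ldapsearch shows: stored attributes plus the virtual memberOf."""
        entry = dict(self.users[dn])
        entry[MEMBEROF_AD] = sorted(g for g, m in self.groups.items() if norm(dn) in m)
        return entry

    def modify_user(self, dn, attr, values):
        """A write to memberOf on the user never reaches any group."""
        if attr.lower() == MEMBEROF_AD.lower():
            raise NoUserModification(f"{attr}: no user modification allowed")
        self.users[dn][attr] = list(values)

    def modify_group(self, group_dn, op, member_dn):
        members = self.groups[group_dn]
        if op == "add":
            members.add(norm(member_dn))
        elif op == "delete":
            members.discard(norm(member_dn))
        else:
            raise ValueError(op)


def plan_group_changes(directory, user_dn, desired_groups):
    """Diff desired ldapGroups against current membership.

    Returns (group_dn, "add"|"delete") pairs: the group-side modifications the
    sync must issue.  Unknown group DNs are reported instead of silently dropped.
    """
    current = set(map(norm, directory.read_user(user_dn)[MEMBEROF_AD]))
    desired = set(map(norm, desired_groups))
    by_key = {norm(g): g for g in directory.groups}
    unknown = desired - set(by_key)
    if unknown:
        raise KeyError(f"groups do not exist in the directory: {sorted(unknown)}")
    adds = [(by_key[k], "add") for k in sorted(desired - current)]
    dels = [(by_key[k], "delete") for k in sorted(current - desired)]
    return adds + dels


def to_ldif(changes, user_dn):
    """Render the plan as LDIF suitable for ldapmodify against the real server."""
    blocks = [
        f"dn: {g}\nchangetype: modify\n{op}: {MEMBER_AD}\n{MEMBER_AD}: {user_dn}\n-\n"
        for g, op in changes
    ]
    return "\n".join(blocks)


def sync_ldap_groups(directory, user_dn, desired_groups):
    """Apply the plan to the groups and return the memberOf the server now reports."""
    for group_dn, op in plan_group_changes(directory, user_dn, desired_groups):
        directory.modify_group(group_dn, op, user_dn)
    return directory.read_user(user_dn)[MEMBEROF_AD]


if __name__ == "__main__":
    user = "uid=ima.shields,ou=People,dc=example,dc=com"
    acme = "cn=acmeUsers,ou=Groups,dc=example,dc=com"
    d = Directory()
    d.add_user(user, uid="ima.shields")
    d.add_group(acme)
    d.add_group("cn=legacy,ou=Groups,dc=example,dc=com", [user])
    try:  # the "successful" write that changes nothing
        d.modify_user(user, "memberOf", [acme])
    except NoUserModification as e:
        print("write to user rejected:", e)
    print(to_ldif(plan_group_changes(d, user, [acme]), user))
    print("memberOf after sync:", sync_ldap_groups(d, user, [acme]))
```

Running it prints the rejected user-side write, the two LDIF modifications (add to acmeUsers, delete from legacy) and the memberOf value the server reports afterwards. If a real mapping reports success but the group does not change, the diagnostic question is the same one the planner answers: which group entry did the connector actually modify?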


Hi David,

First, thank you so much for the welcoming and super detailed response, this is really, REALLY appreciated 🙂!

That said, the configs you described pretty much reflect what I did… But I figured out what the issue actually was. The problem was that in order to do an initial load of my LDAP accounts, I had created a mapping within the native IDM console from managed users to LDAP accounts… turns out that this was overwriting the mapping that’s created upon application creation. So I deleted all my LDAP accounts, managed users as well as my application and started over, but this time I renamed the mapping for my initial load to avoid the overwrite… Boom, all good now!

Little detail from a ForgeRock newbie ;)

Again, thanks for replying and hope my answer can help someone else in the future!

