From 81bfcbb4e88ab281e63aa7d763d8fbcda69ab433 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Fri, 17 Apr 2026 08:33:29 -0400 Subject: [PATCH] website/docs: clarify LDAP group attribute mappings (#21649) * website/docs: clarify LDAP group attribute mappings Explain that LDAP source property mappings can be assigned to groups, add an example for copying a custom LDAP group attribute into authentik group attributes, and note how to decode JSON-encoded values. Closes: https://github.com/goauthentik/authentik/issues/5874 * Update website/docs/users-sources/sources/protocols/ldap/index.md Co-authored-by: Dewi Roberts Signed-off-by: Dominic R * Update website/docs/users-sources/sources/protocols/ldap/index.md Co-authored-by: Dewi Roberts Signed-off-by: Dominic R --------- Signed-off-by: Dominic R Co-authored-by: Dewi Roberts --- .../sources/protocols/ldap/index.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/website/docs/users-sources/sources/protocols/ldap/index.md b/website/docs/users-sources/sources/protocols/ldap/index.md index e2ce60fc10..5eb2abee69 100644 --- a/website/docs/users-sources/sources/protocols/ldap/index.md +++ b/website/docs/users-sources/sources/protocols/ldap/index.md 
@@ -73,6 +73,33 @@ return { } ``` +The same LDAP source property mapping type is used for both users and groups. A mapping only applies to groups when you assign it under **Group Property Mappings** on the LDAP source. If you only use the built-in group property mappings, synced groups will keep the automatically populated LDAP attributes, such as `distinguishedName`, but custom LDAP attributes won't be copied unless you add your own group mapping. + +### Copy a custom LDAP group attribute + +To store a custom LDAP group attribute in authentik's group `attributes`, create an **LDAP Source Property Mapping** and assign it to **Group Property Mappings** on the source: + +```python +return { + "attributes": { + "acl": list_flatten(ldap.get("acl")), + }, +} +``` + +If your LDAP server stores the value as JSON text and you want authentik to keep it as structured data instead of a string, decode it in the mapping: + +```python +import json + +raw_acl = list_flatten(ldap.get("acl")) +return { + "attributes": { + "acl": json.loads(raw_acl) if raw_acl else None, + }, +} +``` + ### Built-in property mappings LDAP property mappings are used when you define an LDAP source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created:
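Review bot: The JSON-decoding example under "Copy a custom LDAP group attribute" calls `json.loads(raw_acl)` with no error handling, so a value in the directory that is not valid JSON raises `json.JSONDecodeError` inside the mapping, and the added text does not say what that does to the sync of the affected group. An attribute named `acl` reads as access-control data, so suggest the example catch the decode error and check the decoded type (for example `isinstance(value, (list, dict))`) before returning it, or that the prose at least state the failure behaviour. Two smaller documentation gaps in the same hunk: neither example says what `list_flatten` returns when the LDAP attribute is multi-valued, and the second example writes `"acl": None` when the attribute is empty without saying whether that is intended to clear a previously synced value or whether the key should be omitted instead.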