mirror of
https://github.com/keycloak/keycloak.git
synced 2026-01-10 15:32:05 -03:30
Fix docs to also mention roles
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Closes #28569
Signed-off-by: Jakob Overrein <jakob.overrein@basefarm-orange.com>
parent
d44ebfd4d1
commit
86b2a6a95c
@ -82,7 +82,7 @@ Remove users from the local database if they are not available from the user sto
|
||||
Relative User Creation DN::
|
||||
Relative DN from the `Users DN` where new users will be created. This allows users to be created in a sub-DN of the parent `Users DN` when using a `subtree` search scope. For example, if the `Users DN` is set to `ou=people,dc=myorg,dc=com` and the `Relative User Creation DN` is set to `ou=engineering`, users will be fetched from the `Users DN` and all sub-DNs, but new users will be stored in `ou=engineering,ou=people,dc=myorg,dc=com`. In other words, {project_name} concatenates the `Relative User Creation DN` with the `Users DN` (a comma is added automatically when concatenating the DNs) and uses this resulting DN to store users
|
||||
|
||||
A similar property is also present in the `Group Mapper`, allowing groups to be added to a sub-DN of the `LDAP Groups DN` that is used to search for the groups.
|
||||
A similar property is also available in the group and role mappers, allowing groups and roles to be added to a sub-DN of the base DN that is used to search for the groups/roles.
|
||||
|
||||
Other options::
|
||||
Hover the mouse pointer over the tooltips in the Admin Console to see more details about these options.
|
||||
|
||||
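Review bot: The rewritten mapper sentence ("A similar property is also available in the group and role mappers...") no longer names any setting. The old text pointed at `LDAP Groups DN`, while the new one only says "the base DN that is used to search for the groups/roles". Suggest naming the corresponding options as they appear in the group and role mapper configuration so an admin can find them. While touching this paragraph, the context sentence ending "uses this resulting DN to store users" is missing its final period.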
@ -48,8 +48,8 @@ If your deployment scripts add explicit NetworkPolicies for {project_name}, you
|
||||
|
||||
Read more about this in the https://www.keycloak.org/operator/advanced-configuration[Operator Advanced configuration].
|
||||
|
||||
=== LDAP provider now can store new users/groups in a sub-DN of the base DN
|
||||
=== LDAP provider now can store new users, groups, and roles in a sub-DN of the base DN
|
||||
|
||||
When adding new users and groups, the LDAP provider would always store them in the same DN configured for the searches. But in some deployments, admins want to configure a broader DN with `subtree` scope to fetch users from multiple sub-DNs, but they don't want new users or groups to be stored in this base DN in LDAP. Instead, they would like to chose one of the sub-DNs for that.
|
||||
When adding new users, groups, or roles, the LDAP provider would always store them in the same base DN configured for the searches. However, in some deployments admins may want to configure a broader DN with `subtree` scope to fetch users (or groups/roles) from multiple sub-DNs, but they don't want new users (or groups/roles) to be stored in this base DN in LDAP. Instead, they would like to chose one of the sub-DNs for that.
|
||||
|
||||
It is now possible to control where new users/groups will be created using the new `Relative User Creation DN` config option in the LDAP provider and also in the LDAP group mapper. For more details, check the link:{adminguide_link}#_ldap[LDAP admin guide]
|
||||
It is now possible to control where new users, groups, or roles will be created using the new `Relative User Creation DN` config option in the LDAP provider and also in the LDAP group and role mappers. For more details, check the link:{adminguide_link}#_ldap[LDAP admin guide]
|
||||
|
||||
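Review bot: The typo in "they would like to chose one of the sub-DNs" is carried over unchanged into the rewritten paragraph; it should read "choose". The last paragraph also states that the option in the group and role mappers is called `Relative User Creation DN`, which reads oddly for groups and roles, so please confirm that this is the label the mappers actually show. The sentence ending in the LDAP admin guide link should close with a period.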
@ -70,7 +70,8 @@ public class RoleMapperConfig extends CommonLDAPGroupMapperConfig {
|
||||
public String getRelativeCreateDn() {
|
||||
String relativeCreateDn = mapperModel.getConfig().getFirst(ROLES_RELATIVE_CREATE_DN);
|
||||
if(relativeCreateDn != null) {
|
||||
return relativeCreateDn + ",";
|
||||
relativeCreateDn = relativeCreateDn.trim();
|
||||
return relativeCreateDn.endsWith(",") ? relativeCreateDn : relativeCreateDn + ",";
|
||||
}
|
||||
return "";
|
||||
}
|
||||
|
||||
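Review bot: In getRelativeCreateDn(), an empty or whitespace-only value is not handled after trim(). For "" the endsWith(",") check is false, so the method returns "," rather than the "" returned for the null case, and a lone comma would then be concatenated with the base DN. Suggest returning "" when the trimmed string is empty, for example by checking relativeCreateDn.isEmpty() before the endsWith test. A unit test covering null, blank, a value without a trailing comma and a value with one would pin the behaviour down.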