From b7d3c8eb8bf7965d31814c29ae822d8e1e75bd82 Mon Sep 17 00:00:00 2001
From: sguilhen
Date: Mon, 7 Jul 2025 10:41:23 -0300
Subject: [PATCH] Forward isMemberOf call to the next delegate if the group is not managed by the mapper instance
Closes #40680
Signed-off-by: Stefan Guilhen
---
 .../mappers/membership/group/GroupLDAPStorageMapper.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
index f0cab4bfa4f..0be056b35bb 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.java
@@ -767,7 +767,11 @@ public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements
 @Override
 public boolean isMemberOf(GroupModel group) {
- return isGroupInGroupPath(realm, group) && RoleUtils.isDirectMember(getGroupsStream(),group);
+ if (!isGroupInGroupPath(realm, group)) {
+ // this mapper doesn't manage the group - delegate to the next mapper or the JPA store.
+ return super.isMemberOf(group);
+ }
+ return RoleUtils.isDirectMember(getGroupsStream(),group);
 }
 protected Stream getLDAPGroupMappingsConverted() {
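Review bot: The new `return super.isMemberOf(group);` branch in `isMemberOf` arrives without a regression test (the diffstat lists only GroupLDAPStorageMapper.java), and this method's result is a membership decision that group-based access checks are likely to rely on. A test worth adding would configure two group mappers with disjoint group paths, or one mapper plus a locally stored group, and assert that membership is reported true for a group owned by the other source and still false for a group the user does not belong to. The second branch would also benefit from a comment stating its contract, e.g. `// group is under this mapper's groups path - membership is decided from getGroupsStream() only`, because whether that stream also contains the delegate's groups is not visible in this hunk. The enclosing class starts and ends outside the hunk.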