I've been banging my head against the wall for two days on this one now.
I have setup fresh Keycloak and OpenLDAP instances, and I want to use OpenLDAP as the source of truth for all user data. I want to use Keycloak to create and edit users. Then, the new/modified users should be synced to OpenLDAP.
I tested this setup a while back with Keycloak v13 and it worked perfectly. Now I'm trying to put it into production with Keycloak v19 and I can't make Keycloak actually write anything to OpenLDAP. I don't even see LDAP write attempts in the Keycloak logs (cranked up to TRACE) when I create new users/groups in Keycloak.
I know the LDAP connection works because if I manually create a new group in OpenLDAP it will show up in Keycloak, but I can't get sync to work the other way.
My LDAP Setup
# Base organization
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Company
# Organizational Unit for our Users
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users
# Organizational Unit for our Groups
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
My User Federation Setup
My Group Sync Setup
Ideas
The Sync registrations is missing in v19. So, maybe that's why it's not trying to write to the LDAP server. But, that shouldn't affect groups and I'm not seeing new groups created either.
...I'm at a loss
Any ideas why Keycloak doesn't want to write any changes to OpenLDAP?
0 Answers