Arshak Ahamed

Reputation: 113

Keycloak LDAP Sync: Existing Keycloak User Not Linking to New LDAP User with Same Username

I’m facing an issue with Keycloak LDAP integration related to user synchronization. The LDAP sync works fine when a user only exists in LDAP—Keycloak automatically creates the user upon sync. However, when a user already exists in Keycloak and I later create the same user in LDAP (with the same username), Keycloak refuses to link or sync the LDAP user to the existing Keycloak user.

Scenario:

  1. LDAP integration is set up and sync works properly for new users.
  2. If Keycloak doesn’t have the user and I sync from LDAP, Keycloak creates the user as expected.
  3. Problem:

What I’ve Tried:

Checked attribute mapping:

  1. Ensured that sAMAccountName is mapped to username.
  2. Set UUID LDAP Attribute to sAMAccountName instead of objectGUID.

Database-level linking attempts:

  1. Tried updating the federation_link in the user_entity table.
  2. Attempted to insert entries into the federated_user table, but Keycloak still doesn’t recognize the link.

Permissions Check:

Verified that the Keycloak DB user has full permissions on all relevant tables (user_entity, federated_user, user_federation_provider).

  1. I want Keycloak to link or sync the LDAP user to the existing Keycloak user without deleting the user from Keycloak.
  2. If Keycloak can’t link automatically, is there a recommended way to manually link the users without causing conflicts during sync?
  3. Alternatively, is there a way to configure Keycloak to allow syncing based on the username or email when the user already exists in Keycloak?

Upvotes: 0

Views: 63
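Before editing user_entity or federated_user by hand, it helps to see what Keycloak itself currently believes about the account. The following is an added diagnostic example, not code from the question or from the Keycloak project: it reads a user through the Admin REST API (`GET /admin/realms/{realm}/users?username=...&exact=true`) and classifies it from the `federationLink` field and the `LDAP_ID` / `LDAP_ENTRY_DN` attributes that Keycloak sets on LDAP-linked users. The base URL, realm, token and the sample user records are assumptions constructed for the example.

```python
"""Classify a Keycloak user as local-only, LDAP-linked, or inconsistently linked.

Added example (not from the question or Keycloak). Assumes the Admin REST API
user search endpoint and the UserRepresentation fields federationLink and
attributes (LDAP_ID, LDAP_ENTRY_DN) that Keycloak populates for LDAP users."""
import json
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def link_status(user: dict) -> dict:
    """Return the federation state of one UserRepresentation dict."""
    attrs = user.get("attributes") or {}
    ldap_id = (attrs.get("LDAP_ID") or [None])[0]
    entry_dn = (attrs.get("LDAP_ENTRY_DN") or [None])[0]
    provider = user.get("federationLink")  # id of the LDAP provider component
    if provider and ldap_id:
        state = "ldap-linked"
    elif provider or ldap_id or entry_dn:
        # Only part of the link is present: the usual result of editing the
        # database directly instead of letting the provider import the user.
        state = "inconsistent"
    else:
        state = "local-only"
    return {"username": user.get("username"), "state": state,
            "provider": provider, "ldap_id": ldap_id, "entry_dn": entry_dn}


def fetch_user(base_url: str, realm: str, token: str, username: str) -> Optional[dict]:
    """Look up a user by exact username via the Admin REST API (needs a live server)."""
    query = urlencode({"username": username, "exact": "true"})
    req = Request(f"{base_url}/admin/realms/{realm}/users?{query}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        users = json.load(resp)
    return users[0] if users else None


# Constructed sample representations for offline use (not real accounts).
SAMPLE_USERS = [
    {"username": "alice", "federationLink": "ldap-provider-id-placeholder",
     "attributes": {"LDAP_ID": ["00000000-0000-0000-0000-000000000001"],
                    "LDAP_ENTRY_DN": ["CN=alice,OU=Users,DC=example,DC=com"]}},
    {"username": "bob", "attributes": {}},
    {"username": "carol", "federationLink": "ldap-provider-id-placeholder", "attributes": {}},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(link_status(u))
```

A user reported as `local-only` is the case from the question: the provider will not adopt it on sync, and an `inconsistent` result shows a half-made manual link that should be cleaned up rather than extended.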

Answers (0)
