Behavior of user federation

I am configuring user federation in Keycloak with LDAP. It works, but it seems that the LDAP server is queried too often and this causes an overload of the LDAP server.

I have found here that:

“The way it works is that when a user logs in, Keycloak will look into its own internal user store to find the user. If it can’t find it there it will iterate over every User Storage provider you have configured for the realm until it finds a match”

When a specific existing Keycloak user is queried by user id, LDAP is not triggered,

but searches like the following

userid=$(curl --noproxy '' -k -H "Authorization: bearer $token" "https://${SERVICE_IP}:${PORT}/auth/admin/realms/master/users?username=$USER" | awk -F'[,:]' '/"id":.?[^\]"/{print $2; exit}' | tr -d '"')
#curl --noproxy '*' -k -H "Authorization: bearer $token" "https://${SERVICE_IP}:${PORT}/auth/admin/realms/master/users?username=$USER"

creates the following log entries on the LDAP server:

63454043 conn=3925 fd=12 ACCEPT from IP=192.168.7.146:57798 (IP=0.0.0.0:389)
63454043 conn=3925 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
63454043 conn=3925 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
63454043 conn=3925 op=0 RESULT tag=97 err=0 text=
63454043 conn=3925 op=1 SRCH base="dc=example,dc=org" scope=1 deref=3 filter="(&(cn=user10)(objectClass=person)(objectClass=organizationalPerson))"
63454043 conn=3925 op=1 SRCH attr=mail uidNumber cn sn objectclass modifyTimestamp createTimestamp
63454043 <= mdb_equality_candidates: (cn) not indexed
63454043 conn=3925 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
63454044 conn=3926 fd=14 ACCEPT from IP=192.168.171.8:56260 (IP=0.0.0.0:389)
63454044 conn=3926 fd=14 closed (connection lost)

I have changed several user federation configuration parameters (Edit Mode, Cache Policy) and nothing made a difference. I am using Keycloak version 17.0.1.

Is this by design, or is it a bug? Is there a way to configure user federation so that it is cached and triggered only when the cache expires (once a day)? In theory that is something that should be achieved by configuring “Cache Settings” → “Evict Daily”.
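To measure how often the federation provider actually reaches the directory, here is an added helper (not part of the original post or of Keycloak) that tallies slapd access-log lines by search filter, empty results, unindexed-attribute warnings and bound connections. The embedded sample log is constructed from the lines quoted above, with the same lookup repeated once on a second connection.

```shell
#!/bin/sh
# Added example: summarise OpenLDAP (slapd) access-log lines to see how often
# Keycloak's LDAP user federation queries the directory. The sample below is
# constructed from the log lines quoted in the post plus one repeated lookup.
SAMPLE_LOG='63454043 conn=3925 fd=12 ACCEPT from IP=192.168.7.146:57798 (IP=0.0.0.0:389)
63454043 conn=3925 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
63454043 conn=3925 op=1 SRCH base="dc=example,dc=org" scope=1 deref=3 filter="(&(cn=user10)(objectClass=person)(objectClass=organizationalPerson))"
63454043 <= mdb_equality_candidates: (cn) not indexed
63454043 conn=3925 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
63454050 conn=3927 fd=12 ACCEPT from IP=192.168.7.146:57810 (IP=0.0.0.0:389)
63454050 conn=3927 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
63454050 conn=3927 op=1 SRCH base="dc=example,dc=org" scope=1 deref=3 filter="(&(cn=user10)(objectClass=person)(objectClass=organizationalPerson))"
63454050 <= mdb_equality_candidates: (cn) not indexed
63454050 conn=3927 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text='

# SRCH operations grouped by filter (stdin -> "count filter", most frequent first).
# A username that does not exist in LDAP shows up here again and again, because
# every federated lookup for it misses and is repeated on the next request.
searches_by_filter() {
    grep ' SRCH base=' | sed 's/.*filter="\([^"]*\)".*/\1/' | sort | uniq -c | sort -rn
}

# Searches that returned no entry at all (nentries=0).
empty_results() {
    grep -c ' SEARCH RESULT .* nentries=0 '
}

# "not indexed" warnings: each one means slapd scanned the whole base for the
# filter; an equality index on the searched attribute (cn here) avoids that.
unindexed_warnings() {
    grep -c 'not indexed'
}

# Distinct connections that performed a BIND; Keycloak binds once per lookup.
bind_connections() {
    grep ' BIND dn=' | sed 's/.*conn=\([0-9]*\).*/\1/' | sort -u | wc -l | tr -d ' '
}

echo "Searches by filter:"
printf '%s\n' "$SAMPLE_LOG" | searches_by_filter
echo "Empty results:       $(printf '%s\n' "$SAMPLE_LOG" | empty_results)"
echo "Unindexed warnings:  $(printf '%s\n' "$SAMPLE_LOG" | unindexed_warnings)"
echo "Bound connections:   $(printf '%s\n' "$SAMPLE_LOG" | bind_connections)"
```

Run it against the real log with `grep 'conn=' /var/log/slapd.log | searches_by_filter` (log path assumed) to see which filters dominate and whether the rate drops after changing the import and sync settings.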

I suggest configuring the federation to import, and adding a regular sync of changes. You will see a small hit when the sync happens, but all other searches should be performed by the database.

I have enabled “Periodic Full Sync” but I still get requests towards the LDAP server.