How to store “User Enabled” in LDAP with mappers


I like to store the user.enabled attribute in the LDAP (openldap). All I want to know in LDAP is the state of the user in Keycloak. I tried to map the enabled field to a tekst property in LDAP. That works…it stores the text ‘false’ on create, but get never updated (I expected ‘true’ for enabled accounts).

I have the feeling that i’m on the wrong track. What is the best way to track the user object state in openldap?

Did you enabled the Setting in the LDAP User Federation?
There is an Option within the Sync Settings for periodic Sync of changes.
I hope that it helped you otherwise leave another reply.

Kind regards.

I did now… here are my observations.

The field enabled is updated from ldap to keycloack. That is great. This means that disabled user in ldap will be disabled in keycloack after sync.
Now here is the problem when I change the user enabled state in keycloack, that is never saved in ldap.
This means that a disabled user in keycloak, wil be enabled again after sync.

That is true, as it gets the values out of the LDAP and reactivates the User as long as the User is active in the LDAP Directory.
The only Management is then the LDAP to activate/deactivate the Users.

Sorta late to the conversation here, but I’m in the same situation. Is there any way to make Keycloak sync it’s value for enabled to LDAP? It would be much more convenient when enabling or disabling users. Sorta like it does for the First name, last name, or email attributes

Hi Ryan,
No there is not (or at least… I did not found any way).

I wrote a custom script, that syncs custom values from the Keycloak DB (in my case MySQL) to LDAP. The script runs on record change. Feels kind of hacky, but it does the job. The script is too custom to share… This is just to give you an idea how I solved it.

I can confirm, so far there is no solution to sync back the activation/deactivation of any Account from Keycloak to the LDAP Object/User. So there is no change since my last reply

Hello, FransvanderMeer, how are you?

we are investigating how to disable users in Keycloak based on LDAP info. We saw your comment and we think you maybe could tell us how did you manage to a disabled user in LDAP is disabled in Keycloak after the sync.

Thank you and best regards