Keycloak, Flowable and OpenLDAP

I’ve managed to get Keycloak to work with Flowable and OpenLDAP.

See: Keycloak, Flowable and OpenLDAP (for screen shots, etc.) I’m a new user and can only include one screen shot in a post :frowning:

I created a User Federation to OpenLDAP. I unchecked ‘Import Users’ because I don’t want to import users from OpenLDAP. I selected ‘Edit Mode: WRITABLE’ and checked ‘Sync Registrations’ so that user registrations will be created in OpenLDAP.

Note: My Keycloak client is an Angular PWA that uses Authorization Code Flow with PKCE.

There are default LDAP mappers for username, first name, last name, email, creation date and modify date.

I created an LDAP mapper for the ‘password’ (User Model Attribute):

The attribute (userPassword) is created in OpenLDAP, however, the value is not set correctly. If I check the ‘Is Binary Attribute’ and then click ‘Save’, I receive the following error:

**Error!**  With Binary attribute enabled, the 'Always read value from LDAP' must be enabled too

If I change the User Model Attribute to ‘lastName’. The userPassword attribute is set (to the user’s last name) correctly in OpenLDAP (see below, re plain text password).

I can set the password using the Admin CLI: set-password -r development --username abby.lee --new-password NoMoreSecrets

And the value (userPassword) is set correctly in OpenLDAP.

Related Issues

KEYCLOAK-5383: Creating a federated user via REST API creates an incorrect entry in the CREDENTIAL table

Stian Thorgersen: Yes, since EditMode is “WRITABLE”, the credential should be written to LDAP. The credential should be saved into DB just if LDAP provider editMode is “UNSYNCED” . So this looks like valid bug."

Marian Rainer-Harbach: … It will only work with plain text password and not if you pass a hashed password.

I raised the following issue (KEYCLOAK-12610): Creating a Federated User does not write the password to LDAP

Note: This issue (KEYCLOAK-12610) has been closed as it is a duplicate of Regression in CredentialInputUpdater handling (also broken LDAP password update)