I’m currently trying to figure out whether user federation is suitable for my use case.
It looks like this:
Users can freely register and should only be stored in the Keycloak database.
There is an initial set of users which should be imported from LDAP and synchronized into groups if necessary.
Now it can happen that an existing (registered) account is added to LDAP or at some point removed from LDAP.
In these cases the group mappings should be updated accordingly, but the user in Keycloak should not be deleted.
In a small test I tried to register a user first and then enable LDAP synchronization (with an intended collision), which yields the following error:
User with ID '00a8c928-97be-1037-9a8e-e5c6150c1234' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider 'ldap'
In theory this fits my use case, as users should not simply be synchronized by nickname. However, is there a way to later link it to the federation provider?
Setting the LDAP_ID or LDAP_ENTRY_DN manually is rejected, as these attributes are internal.