New groups not synced to LDAP

In keycloak if I create or delete a group, everything appears to work fine (an no errors are logged out in the keyCloak console). However, these changes don’t ever seem to sync with LDAP. Direct LDAP queries don’t show these new changes, and asking keycloak to “synchronise changed users” (in the “user federator” area) causes the changes to be reverted to what LDAP had stored, effectively undoing all changes to groups.

In the group mapper page, I am able to push the “Sync Keycloak Groups To LDAP” button. If I add a group and push this button, it’ll first give the error in the keycloak console “Uncaught server error: org.keycloak.models.ModelException: Could not retrieve identifier for entry [cn=,ou=Groups,dc=,dc=com].”, and then if I push the button a second time, it’ll work and sync the groups to LDAP. If I delete a group then push the button, it just works the first time. So, this is a valid workaround, but it’s not ideal for us to have to train people to push this button whenever they create/delete groups, and to ignore errors that pop up.

Here’s how our group mapper is configured:

And if I query for a group in LDAP, here’s how it looks like:

dn: cn=exampleGroup,ou=Groups,dc=searchappliance,dc=com
objectClass: groupOfNames
objectClass: top
cn: exampleGroup
member: cn=empty-membership-placeholder
member: uid=exampleuser,ou=People,dc=searchappliance,dc=com

I’m running keycloak version 17

I did find out that after creating a new group, if you attempt to add a user to that group, keycloak will give back an error but will also auto-sync the group to LDAP. Then, you can attempt to add the user to the group a second time and it’ll work.

Not sure if that helps to narrow down the issue at all.

This behavior is just so weird to me - it feels like a bug, but I can’t understand how a bug so large would exist in such a core feature, a.k.a. simply auto-syncing groups to LDAP.