New groups not synced to LDAP

In Keycloak, if I create or delete a group, everything appears to work fine (and no errors are logged in the Keycloak console). However, these changes don’t ever seem to sync with LDAP. Direct LDAP queries don’t show these new changes, and asking Keycloak to “synchronise changed users” (in the “user federator” area) causes the changes to be reverted to what LDAP had stored, effectively undoing all changes to groups.

In the group mapper page, I am able to push the “Sync Keycloak Groups To LDAP” button. If I add a group and push this button, it’ll first give the error in the Keycloak console “Uncaught server error: org.keycloak.models.ModelException: Could not retrieve identifier for entry [cn=,ou=Groups,dc=,dc=com].”, and then if I push the button a second time, it’ll work and sync the groups to LDAP. If I delete a group and then push the button, it just works the first time. So, this is a valid workaround, but it’s not ideal for us to have to train people to push this button whenever they create/delete groups, and to ignore errors that pop up.

Here’s how our group mapper is configured:

And if I query for a group in LDAP, here’s how it looks:

dn: cn=exampleGroup,ou=Groups,dc=searchappliance,dc=com
objectClass: groupOfNames
objectClass: top
cn: exampleGroup
member: cn=empty-membership-placeholder
member: uid=exampleuser,ou=People,dc=searchappliance,dc=com

I’m running Keycloak version 17.

I did find out that after creating a new group, if you attempt to add a user to that group, Keycloak will give back an error but will also auto-sync the group to LDAP. Then, you can attempt to add the user to the group a second time and it’ll work.

Not sure if that helps to narrow down the issue at all.

This behavior is just so weird to me - it feels like a bug, but I can’t understand how a bug so large would exist in such a core feature, a.k.a. simply auto-syncing groups to LDAP.

We eventually found this GitHub issue, filed over a year ago, detailing this exact issue I was running into, and it seems there’s been no traction on it. This is a little telling - I guess “sync with LDAP” isn’t a very core feature of Keycloak, if they’re ok with half the sync being broken for more than a year.

On our end, we decided that it wouldn’t be smart to continue relying on Keycloak + LDAP when support for LDAP sync is apparently this low. Instead, we’ll be dropping our LDAP database entirely and storing all of our users and groups inside of the Keycloak internal database.

Your issue is caused by Keycloak’s default behavior when creating a group:

  • It will first try to create the group with a placeholder user. For your version, it’s an account with an empty cn; for my version (24.0.4) it’s cn=empty-membership-placeholder
  • As the placeholder user does not exist or is empty, it causes an error, but the group is still created
  • When clicking a second time, the user is added to the group by replacing the placeholder

I encountered the same issue and I haven’t found a solution yet.

This behavior is caused by the default of the LDAP protocol, I guess.

LDAP Survival Guide - Evolveum Docs

There are different LDAP families. Some of them support empty groups and some of them don’t. Check out the article to get a deeper understanding of this.
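The two replies above describe the same mechanism from two sides: groupOfNames lists `member` as a mandatory attribute, so a directory that enforces the schema will not accept an empty group, and Keycloak works around that by writing a placeholder member first. A practical way to keep an eye on this, independent of the Keycloak UI, is to read an LDIF export of the groups subtree and flag the groups that still contain only the placeholder (the state after the first failed sync in the question) and the groups Keycloak knows about that never reached LDAP at all. The script below is an added example, not code from the thread or from Keycloak; the LDIF and the list of Keycloak group names are constructed to mirror the entry quoted in the question, and the placeholder DN is taken from the reply above (the empty-cn form of older versions is matched as well).

```python
"""Audit an LDIF dump of LDAP groups for Keycloak's placeholder-member pattern
and for drift against the group names Keycloak holds internally.

Added example (not from the thread). All inputs below are constructed.
"""
import re

# Constructed LDIF, modelled on the groupOfNames entry quoted in the question.
# The second group shows the state after Keycloak's first sync attempt fails:
# the placeholder is present, but no real member has been written yet.
SAMPLE_LDIF = """\
dn: cn=exampleGroup,ou=Groups,dc=searchappliance,dc=com
objectClass: groupOfNames
objectClass: top
cn: exampleGroup
member: cn=empty-membership-placeholder
member: uid=exampleuser,ou=People,dc=searchappliance,dc=com

dn: cn=newGroup,ou=Groups,dc=searchappliance,dc=com
objectClass: groupOfNames
objectClass: top
cn: newGroup
member: cn=empty-membership-placeholder
"""

# Constructed list of groups as Keycloak's own database sees them. The third
# group was created in Keycloak but never reached LDAP (the drift the question reports).
KEYCLOAK_GROUPS = ["exampleGroup", "newGroup", "financeAdmins"]

# Placeholder DN written by Keycloak 24 (from the reply above).
PLACEHOLDER_DN = "cn=empty-membership-placeholder"


def parse_ldif(text):
    """Parse a minimal LDIF (no continuation lines, no base64 '::' values)
    into a list of dicts mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_placeholder(member):
    """True for the Keycloak 24 placeholder DN or for the older empty-cn form."""
    m = member.strip().lower()
    return m == PLACEHOLDER_DN or re.match(r"cn=\s*(,|$)", m) is not None


def real_members(entry):
    """Member DNs of a group with Keycloak's placeholder filtered out."""
    return [m for m in entry.get("member", []) if not is_placeholder(m)]


def placeholder_only_groups(entries):
    """Groups whose only member is the placeholder: created, but the membership
    write that should follow has not happened (first-click failure state)."""
    return [e["cn"][0] for e in entries if "member" in e and not real_members(e)]


def schema_violations(entries):
    """groupOfNames (RFC 4519) lists 'member' as MUST. A directory enforcing the
    schema rejects a groupOfNames with no member at all, which is why Keycloak
    writes a placeholder rather than an empty group."""
    return [e["cn"][0] for e in entries
            if "groupOfNames" in e.get("objectClass", []) and not e.get("member")]


def groups_missing_from_ldap(keycloak_groups, entries):
    """Group names Keycloak holds that have no matching cn in the LDAP dump."""
    in_ldap = {e["cn"][0].lower() for e in entries if "cn" in e}
    return [g for g in keycloak_groups if g.lower() not in in_ldap]


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print("placeholder-only groups:", placeholder_only_groups(groups))
    print("groupOfNames without member:", schema_violations(groups))
    print("in Keycloak but not in LDAP:", groups_missing_from_ldap(KEYCLOAK_GROUPS, groups))
```

Run against a real export (for example the output of an `ldapsearch` over `ou=Groups`), a non-empty "in Keycloak but not in LDAP" list is the signal that the silent half of the sync has failed, and a group that stays in the placeholder-only list after users were assigned in Keycloak points at the second write never being retried.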