Questions regarding AD User Federation (as well as a potential bug)


I have some questions regarding how Keycloak works with a user federation linked to AD. Imagine the AD as follows:

  • OU=Users
    • OU=GroupA, OU=Users
      • OU=Admins, OU=GroupA, OU=Users
      • OU=Computers, OU=GroupA, OU=Users
      • OU=ServiceAccounts, OU=GroupA, OU=Users
      • OU=Users, OU=GroupA, OU=Users
    • OU=GroupB, OU=Users
      • OU=Admins, OU=GroupB, OU=Users
      • OU=Computers, OU=GroupB, OU=Users
      • OU=ServiceAccounts, OU=GroupB, OU=Users
      • OU=Users, OU=GroupB, OU=Users

Our current users DN is set to OU=Users and we’ve noticed that upon creating a user federation we see some accounts start appearing in our realm user list (when we check with *). These are just some random users that are in our AD, usually coming from one of the Admins OUs (although I have noticed a user and a computer appearing in the list as well). This happens before clicking on the “sync users” button.

To make everything a bit clearer I’m going to give an example of how my account works. When we initially create the user federation my account doesn’t appear in the list when I use * as a search term; however, my account does appear if I specifically search for my account name, and afterwards it also starts appearing in the * list. As you can see, my browser search returns 0 results for my name.

But if I then search for my own account in the user list I do find it.

Afterwards I appear in the * list (I’m not sure why my first name is my last name here but I don’t think it’s important).

I’m assuming this is intended behaviour, where the * operator only searches for synced accounts whereas searching for a specific username searches the user federation and syncs the user if it’s found?

Anyway, back to these random accounts: if I create a new realm and add our user federation to it, a subset of objects immediately appears in the * list (these are always the same 30-ish objects), and clicking on one of them gives me an error “Could not find the resource that you are looking for”.
However if I then search for the account name and click on it I don’t get an error at all, instead I get the usual user details screen, afterwards the account also works when searching for * and clicking on it. So these accounts are “broken” until I do a search for them which “fixes” them.

This also has an annoying effect which is that these users cannot be deleted until I search for their account, as doing so gives me the error that the user doesn’t exist. After searching for their username they can be deleted.

One final thing I want to highlight is that the user id seems to change whenever I refresh the page. It’s pretty hard to showcase this as I have to censor our user accounts but here you can see the user starting with adm_v has a user id starting with 0b.

However if I refresh my page and search for * again the user gets a totally new user id (as well as every other user in a “broken” state).

After “fixing” their account by searching for their account name the user id stops changing.

So that leaves me with 2 questions:

  1. Why does this subset of users appear when creating an identity provider? I would expect it to either be empty (as no sync has happened) or to contain all our users (after a sync has happened). Maybe as a follow-up question why do computers also appear in this list?
  2. Why do these users not work until I specifically search for them? With everything I’ve added (users not being found, changing user ids) I think it’s safe to assume this is a bug of some kind?

I’m not sure if this is the best place to post these questions, as I’m not sure whether this is intended and/or known behavior or not. If I should post this somewhere else, feel free to let me know.

Hi, I wanted to post an update with some further findings.

We’re running Keycloak version 21.0.1, but we’ve been running Keycloak on this server for a few years now, so to ensure it wasn’t an issue with a faulty update or something database-related I decided to run a local instance on my computer with an H2 database; however, creating an LDAP user federation still leads to the same issue.

I also decided to create a new AD in a VM using the same structure as in the post and containing about 5000 users spread over the different OUs. However, I can’t reproduce it at all using that AD: on the testing AD all 5000 users get imported, and every user I’ve clicked on works (no “broken” state requiring me to search for their username).

Something else I’ve noticed (on the real AD) is that disabling the “import users” switch correctly displays all the users in the AD and clicking on a user leads to the expected screen containing their user details.

One final thing is that even with “import users” enabled my user account (which isn’t in the user list) can still log in to the realm, after which I appear in the user list (same effect as searching for my user).

All of this leads me to believe something is wrong at AD level, but I can’t figure out what it could be. Does anybody have any idea what the issue is here? As a follow-up question, is there a way to create an LDAP user federation but not import any users at all? The intention isn’t to allow all AD users to log in but only to allow those whom we’ve added to the user list to log in.

Kind regards,