Reduce LDAP Queries

I’m experiencing what I think is the same/similar behavior described here and here, namely that regardless of how I configure my AD federation, sync settings, cache settings, etc., it seems that every user-oriented query I execute against Keycloak’s REST API results in my Keycloak server initiating communication with/querying my AD (LDAP) server. I don’t understand this behavior…if we were talking about an auth transaction I’d expect it as part of validating the password. But this happens even for things like querying user info (/realms//users/username=). I’ve even gone through all the default mappers and made sure that any with a slider option for “Always Read Value From LDAP” are set to “OFF”.

Is there anyone able to explain (or simply to reference documentation) this behavior and how to reduce or eliminate these KC - AD/LDAP queries? TIA!

For future reference, I’ve improved my situation a bit here. It seems Keycloak behaves differently depending on whether you’re caching AD entities (users) in the Keycloak DB…sync’ing them…or leaving them un-synced. The largest issue I was having was that when I queried the REST API for /users, Keycloak appeared to iterate down each row in its users table and issue a unique LDAP query for every user associated with my AD/LDAP server. So if there are 10,000 users…10,000 queries (and a response for each one).
On the other hand…when I’m not sync’ing, I’m able to throw a wildcard into the query (this doesn’t work with sync on) and the behavior changes significantly. One query is issued to my federated LDAP instance, with a filter that includes sAMAccountName=*. This appears limited…properly…by the criteria I’d configured into the federation and mapper config. End result is 1 query (instead of 10,000) and all the appropriate data coming back in return. This is much easier on my AD server(s).
Which brings to mind a follow-on question…what is the point of sync’ing users into KC’s database (from AD) if the resulting behavior is potentially thousands of individual queries?

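The access pattern the post above settles on (one wildcard search against the admin REST API, paged with first/max, rather than many per-user lookups) as an added example. This is not code from the original thread or from Keycloak itself. The endpoint GET /admin/realms/{realm}/users and its search, first and max query parameters are real Keycloak admin API; the host name, realm name and the KC_ADMIN_TOKEN environment variable are assumptions, and the token must be obtained separately (for example from the admin-cli client). Whether a given search collapses to a single LDAP query depends on the federation's Import Users setting as the post describes; the script only shows the client side.

```python
"""Page through Keycloak's admin user listing with a single wildcard search.

Added example, not code from the original thread or from Keycloak.
Assumed for illustration: KEYCLOAK_URL, REALM and the KC_ADMIN_TOKEN variable.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

KEYCLOAK_URL = "https://keycloak.example.internal"  # hypothetical host
REALM = "corp"                                     # hypothetical realm
PAGE_SIZE = 100


def users_url(base_url: str, realm: str, search: str, first: int, max_results: int) -> str:
    """Build GET /admin/realms/{realm}/users with the search/first/max parameters."""
    params = urllib.parse.urlencode({"search": search, "first": first, "max": max_results})
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/users?{params}"


def http_get_json(url: str, token: str) -> list:
    """Issue the request with a bearer token and decode the JSON array it returns."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_users(
    base_url: str,
    realm: str,
    token: str,
    search: str = "*",
    page_size: int = PAGE_SIZE,
    fetch: Callable[[str, str], list] = http_get_json,
) -> Iterator[dict]:
    """Yield every user matching `search`, advancing `first` by `page_size`
    until a short (or empty) page signals the end of the result set.
    `fetch` is injectable so the paging logic can run without a live server."""
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    first = 0
    while True:
        page = fetch(users_url(base_url, realm, search, first, page_size), token)
        yield from page
        if len(page) < page_size:
            return
        first += page_size


def collect_usernames(
    base_url: str,
    realm: str,
    token: str,
    search: str = "*",
    page_size: int = PAGE_SIZE,
    fetch: Callable[[str, str], list] = http_get_json,
) -> List[str]:
    """Return the usernames of all matching users as a plain list."""
    return [u["username"] for u in iter_users(base_url, realm, token, search, page_size, fetch)]


if __name__ == "__main__":
    token = os.environ.get("KC_ADMIN_TOKEN")  # assumed variable name
    if not token:
        sys.exit("set KC_ADMIN_TOKEN to an access token with view-users on the realm")
    names = collect_usernames(KEYCLOAK_URL, REALM, token)
    print(f"{len(names)} users returned for search=*")
```

Run it once against a test realm while watching the directory side (AD diagnostics or the LDAP server's own logging), with Import Users on and then off, to reproduce the difference the post describes; the injectable `fetch` argument is what lets the paging be unit-tested offline.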

Hello @Matt_G,

I have the same behavior with Keycloak v21.1.1.
I tested various configurations (Edit mode, for example, and no mappers), but all queries in the KC admin console result in a query to the LDAP instance.
Did you find a solution, or does anyone have an explanation?

If this is normal behavior, why can we choose the unsynced ‘Edit mode’ in the configuration and set up import users?

Any solution here? Any proposal for how to avoid such a huge number of queries to LDAP?
Why is there not one single query to LDAP, rather than every user being queried?
