I’m trying to figure out the best way to approach this.
I have our legacy LDAP configured in User Federation and have all users imported into Keycloak’s user store. I’ve noticed that if I click the “Unlink users” button it unlinks all the users as expected. What I didn’t expect was that the users’ existing passwords that were set in the legacy LDAP no longer work for those users. Let’s say I have thousands of users. I don’t want to have to send a password reset to all those users.
Is there a way to sync the LDAP passwords with Keycloak’s local user store before I unlink the users?
My understanding is the answer is no. Apparently it is not possible to pull the passwords from LDAP, and this is a technical limitation.
Keycloak has other issues too when unlinking users, we just found out. It removes all their client roles. I opened a bug for this. This is a show-stopper bug for us. I guess Keycloak’s LDAP provider implementation isn’t really meant for migrating users and then turning it off.
Ugh. So I guess the best way to do this would be to first migrate all users from the legacy LDAP to a new LDAP, federate that LDAP and just continue to use that user federation.
Hi,
Any progress on the client role removal when unlinking the LDAP?
Can you share where you opened the bug for this?
I want to move from an LDAP provider to an OIDC provider, and turn off the LDAP.
It’s strange, the role info should be/stay in the Keycloak DB, right?
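Before clicking “Unlink users” on a large realm, the practical check is to snapshot every user’s client-role mappings through the admin REST API, unlink, snapshot again, and diff the two so nothing silently disappears. The following is an added example written for this thread, not code from Keycloak or from any of the posters. The endpoint paths (`/admin/realms/{realm}/users` with `first`/`max` paging, and `/admin/realms/{realm}/users/{id}/role-mappings/clients/{clientUuid}`) are the real admin API paths; the realm name `demo`, the client UUID `c1`, the users and the role lists are constructed sample data so the script runs offline, and the in-memory fetcher is a stand-in for the HTTP calls:

```python
"""Snapshot and diff per-user client-role mappings around an LDAP 'Unlink users'.

Added example for this thread. Endpoint paths are Keycloak's admin REST API;
all sample data (realm 'demo', client 'c1', users, roles) is constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Set
from urllib.parse import parse_qs, urlparse

# A fetcher takes a path under the server root and returns the parsed JSON body.
Fetcher = Callable[[str], object]


def make_http_fetcher(base_url: str, bearer_token: str) -> Fetcher:
    """Real fetcher: GET base_url + path with an admin bearer token (not used offline)."""
    def get(path: str) -> object:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get


def make_fake_fetcher(users: List[dict], mappings: Dict[str, List[str]]) -> Fetcher:
    """Constructed in-memory stand-in that answers the two endpoints the snapshot needs."""
    def get(path: str) -> object:
        parsed = urlparse(path)
        parts = parsed.path.strip("/").split("/")
        if parts[-1] == "users":  # /admin/realms/{realm}/users?first=&max=
            qs = parse_qs(parsed.query)
            first = int(qs.get("first", ["0"])[0])
            page = int(qs.get("max", ["100"])[0])
            return users[first:first + page]
        if parts[-3] == "role-mappings" and parts[-2] == "clients":
            user_id = parts[-4]  # /admin/realms/{realm}/users/{id}/role-mappings/clients/{client}
            return [{"name": name} for name in mappings.get(user_id, [])]
        raise ValueError(f"unexpected path: {path}")
    return get


def snapshot_client_roles(realm: str, client_uuid: str, get: Fetcher,
                          page: int = 100) -> Dict[str, Set[str]]:
    """Map username -> set of role names for one client, paging through all users."""
    out: Dict[str, Set[str]] = {}
    first = 0
    while True:
        users = get(f"/admin/realms/{realm}/users?first={first}&max={page}")
        if not users:
            break
        for user in users:
            roles = get(f"/admin/realms/{realm}/users/{user['id']}"
                        f"/role-mappings/clients/{client_uuid}")
            out[user["username"]] = {r["name"] for r in roles}
        first += page
    return out


def diff_snapshots(before: Dict[str, Set[str]],
                   after: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {username: sorted roles present before but missing after}; empty means nothing lost."""
    lost: Dict[str, List[str]] = {}
    for user, roles in before.items():
        missing = roles - after.get(user, set())
        if missing:
            lost[user] = sorted(missing)
    return lost


# Constructed sample data: three LDAP-federated users, and the mappings seen
# before and after an unlink in which two users lose roles.
USERS = [{"id": "u1", "username": "alice"},
         {"id": "u2", "username": "bob"},
         {"id": "u3", "username": "carol"}]
BEFORE = {"u1": ["admin", "viewer"], "u2": ["viewer"], "u3": []}
AFTER = {"u1": ["viewer"], "u2": [], "u3": []}


def demo() -> Dict[str, List[str]]:
    """Run the snapshot/diff against the constructed data."""
    before = snapshot_client_roles("demo", "c1", make_fake_fetcher(USERS, BEFORE))
    after = snapshot_client_roles("demo", "c1", make_fake_fetcher(USERS, AFTER))
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the constructed data the diff reports `{"alice": ["admin"], "bob": ["viewer"]}`, which is exactly the kind of output you would want to see empty after an unlink; the `before` snapshot also doubles as the input for re-adding any mappings that did go missing. Swap `make_fake_fetcher` for `make_http_fetcher` with a token obtained from the admin client to run it against a real realm.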