Too many LDAP user federation connections


We are using user federation with an LDAP user storage provider. This has Periodic Full Sync enabled and Use Kerberos for Password Authentication active.

I assumed that Keycloak would then get most data from the (database) storage and not go to LDAP. Not even for passwords, as we have Kerberos enabled here and active in the authentication flow for the browser.
However, there is very frequent LDAP communication.
Why is that? Can we get Keycloak to primarily use the database and Kerberos for password authentication and not use LDAP outside of scheduled syncs?

Any hints are appreciated.

Thanks, Karl

It turned out that those LDAP queries were because of a bunch of group mappers, which were set to mode=read_only and strategy=load_groups_by_member_attribute (those are the default values, at least in Keycloak 9.0.3).

Also, current ideas are to

  1. size down to just 1 group mapper with extended filter expression
  2. switch to mode=import
  3. switch to strategy=memberof
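To find mappers configured the way the follow-up describes across a realm, here is an added audit script (not code from the poster or from Keycloak). It assumes Keycloak's admin REST API: the LDAP mapper component type, the `group-ldap-mapper` providerId, the `mode` and `user.roles.retrieve.strategy` config keys, and the upper-case stored forms of the values the post writes in lowercase.

```python
import json
import urllib.request

# Assumed Keycloak admin REST identifiers (not stated in the thread): the component
# type of LDAP mappers, the group mapper providerId, and the stored forms of the
# strategy values that the post writes as load_groups_by_member_attribute / memberof.
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
GROUP_MAPPER_PROVIDER = "group-ldap-mapper"
LAZY_STRATEGY = "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
MEMBEROF_STRATEGY = "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE"


def audit_group_mappers(components):
    """Return (mapper name, issues) for each group mapper configured the way the
    post found: non-IMPORT mode and/or the per-user member-attribute group search.
    Missing keys fall back to the defaults the post reports for Keycloak 9.0.3."""
    findings = []
    for comp in components:
        if comp.get("providerId") != GROUP_MAPPER_PROVIDER:
            continue  # user-attribute or role mappers are out of scope here
        cfg = comp.get("config", {})
        mode = cfg.get("mode", ["READ_ONLY"])[0]
        strategy = cfg.get("user.roles.retrieve.strategy", [LAZY_STRATEGY])[0]
        issues = []
        if mode != "IMPORT":
            issues.append(f"mode={mode}: membership resolved against LDAP, consider IMPORT")
        if strategy == LAZY_STRATEGY:
            issues.append(f"strategy={strategy}: group search per user, consider {MEMBEROF_STRATEGY}")
        if issues:
            findings.append((comp.get("name", comp.get("id")), issues))
    return findings


def fetch_ldap_mappers(base_url, realm, ldap_provider_id, token):
    """Fetch the mapper components attached to one LDAP provider (needs an admin token)."""
    url = (f"{base_url}/admin/realms/{realm}/components"
           f"?parent={ldap_provider_id}&type={LDAP_MAPPER_TYPE}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample in the shape the components endpoint returns (trimmed).
SAMPLE_COMPONENTS = [
    {"id": "a1", "name": "admins-group-mapper", "providerId": GROUP_MAPPER_PROVIDER,
     "config": {"mode": ["READ_ONLY"], "user.roles.retrieve.strategy": [LAZY_STRATEGY]}},
    {"id": "b2", "name": "all-groups-mapper", "providerId": GROUP_MAPPER_PROVIDER,
     "config": {"mode": ["IMPORT"], "user.roles.retrieve.strategy": [MEMBEROF_STRATEGY]}},
    {"id": "c3", "name": "mail-mapper", "providerId": "user-attribute-ldap-mapper", "config": {}},
]
```

Run `audit_group_mappers(fetch_ldap_mappers(...))` against each realm's LDAP provider id to list the mappers that still trigger per-user LDAP group lookups; the sample data flags only `admins-group-mapper`.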