User Federation - synchronize all users

Hi,

I have a problem syncing users from LDAP to Keycloak.

Under LDAP Mappers - username - LDAP attribute I have “cn”

Test connection and test authentication both pass.

You might temporarily increase the log level for LDAP via …

        <logger category="org.keycloak.storage.ldap">
            <level name="DEBUG"/>
        </logger>

… in your standalone.xml file. This way you might be able to find the root cause in the server.log file.

This is the log from server.log:

2021-03-03 11:52:59,656 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Creating new LDAP Store for the LDAP storage provider: ‘ldap’, LDAP Configuration: {fullSyncPeriod=[-1], pagination=[true], startTls=[false], connectionPooling=[true], usersDn=[ou=reducted,DC=reducted,DC=reducted], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[false], importEnabled=[true], enabled=[true], usernameLDAPAttribute=[sAMAccountName], bindDn=[cn=reducted,ou=reducted,ou=reducted,dc=reducted,dc=reducted], changedSyncPeriod=[-1], lastSync=[1614768779], vendor=[ad], uuidLDAPAttribute=[objectGUID], connectionUrl=[ldap://reducted:389], allowKerberosAuthentication=[false], syncRegistrations=[false], authType=[simple], debug=[false], searchScope=[1], useTruststoreSpi=[ldapsOnly], trustEmail=[false], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: username, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[cn], is.mandatory.in.ldap=[true], is.binary.attribute=[false], read.only=[true], always.read.value.from.ldap=[false], user.model.attribute=[username]}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: email, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[mail], is.mandatory.in.ldap=[false], always.read.value.from.ldap=[false], read.only=[true], user.model.attribute=[email]}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: modify date, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[whenChanged], is.mandatory.in.ldap=[false], read.only=[true], always.read.value.from.ldap=[true], user.model.attribute=[modifyTimestamp]}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: last name, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[sn], is.mandatory.in.ldap=[true], read.only=[true], always.read.value.from.ldap=[true], user.model.attribute=[lastName]}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: first name, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[givenName], is.mandatory.in.ldap=[true], always.read.value.from.ldap=[true], read.only=[true], user.model.attribute=[firstName]}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: MSAD account controls, Provider: msad-user-account-control-mapper, Mapper configuration: {}
2021-03-03 11:52:59,657 DEBUG [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-6) Mapper for provider: ldap, Mapper name: creation date, Provider: user-attribute-ldap-mapper, Mapper configuration: {ldap.attribute=[whenCreated], is.mandatory.in.ldap=[false], read.only=[true], always.read.value.from.ldap=[true], user.model.attribute=[createTimestamp]}
2021-03-03 11:52:59,661 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-6) Sync all users from LDAP to local store: realm: demo, federation provider: ldap
2021-03-03 11:52:59,662 DEBUG [org.keycloak.storage.ldap.idm.store.ldap.LDAPContextManager] (default task-6) Creating LdapContext using properties: [{java.naming.security.authentication=simple, java.naming.ldap.attributes.binary=objectGUID, java.naming.provider.url=ldap://reducted:389, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.credentials=**************************************, java.naming.security.principal=cn=reducted,ou=reducted,ou=reducted,dc=reducted,dc=reducted}]
2021-03-03 11:52:59,674 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-6) Sync all users finished: 0 imported users, 0 updated users

This does not look like an error while connecting and syncing … but maybe it just cannot find any users in the “Users DN” you set. If your users are for instance organized in sub-OUs (of the Users DN) you can try to change the “Search Scope” from “One Level” to “Subtree”.

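The scope point above is easy to confirm offline. The following Python is an added example, not code from the thread or from Keycloak: it parses the `key=[value]` configuration dump Keycloak prints in the INFO line, maps `searchScope` to its scope name (the stored values follow the JNDI `SearchControls` constants: 0 = Object, 1 = One Level, 2 = Subtree, so the `searchScope=[1]` in the log is One Level), rebuilds the objectClass filter Keycloak derives from `userObjectClasses`, and then shows which entries of a constructed directory a full sync would see under each scope. All DNs, the entries and the shortened log line are made up for the example.

```python
import re

# Constructed: a shortened version of the "Creating new LDAP Store" INFO line,
# with placeholder DNs. Keycloak prints every setting as key=[value].
LOG_LINE = (
    "Creating new LDAP Store for the LDAP storage provider: 'ldap', "
    "LDAP Configuration: {fullSyncPeriod=[-1], pagination=[true], "
    "usersDn=[ou=People,DC=example,DC=com], usernameLDAPAttribute=[sAMAccountName], "
    "vendor=[ad], searchScope=[1], "
    "userObjectClasses=[person, organizationalPerson, user], editMode=[READ_ONLY]}"
)

# JNDI SearchControls scope constants, which is what the searchScope setting holds.
SCOPE_NAMES = {0: "Object", 1: "One Level", 2: "Subtree"}

# Constructed directory: (DN, objectClass values). Users live in sub-OUs of the
# Users DN; the only direct child of the Users DN is a group, not a user.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [
    ("CN=Alice,OU=Staff,OU=People,DC=example,DC=com", USER_CLASSES),
    ("CN=Bob,OU=Contractors,OU=People,DC=example,DC=com", USER_CLASSES),
    ("CN=Sales,OU=People,DC=example,DC=com", ["top", "group"]),
    ("CN=Dave,OU=Admins,DC=example,DC=com", USER_CLASSES),  # outside the Users DN
]


def parse_ldap_config(line):
    """Extract the key=[value] pairs from the provider configuration dump."""
    return {k: v for k, v in re.findall(r"(\w+)=\[([^\]]*)\]", line)}


def split_dn(dn):
    """Split a DN into normalized RDNs; backslash-escaped commas stay inside a value
    and comparison is case-insensitive, as it is in Active Directory."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip().lower() for p in parts]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search on base_dn with the given JNDI scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1  # direct children only: sub-OU members are invisible
    if scope == 2:
        return True
    raise ValueError(f"unknown search scope {scope}")


def object_class_filter(user_object_classes):
    """AND-filter over every configured user object class, as Keycloak builds it."""
    classes = [c.strip() for c in user_object_classes.split(",") if c.strip()]
    return "(&" + "".join(f"(objectClass={c})" for c in classes) + ")"


def simulate_sync(config, directory):
    """DNs a full sync would import: entries under usersDn within searchScope that
    carry every configured objectClass."""
    scope = int(config["searchScope"])
    wanted = {c.strip().lower() for c in config["userObjectClasses"].split(",")}
    return [
        dn for dn, classes in directory
        if in_scope(dn, config["usersDn"], scope)
        and wanted <= {c.lower() for c in classes}
    ]


if __name__ == "__main__":
    cfg = parse_ldap_config(LOG_LINE)
    print("filter:", object_class_filter(cfg["userObjectClasses"]))
    for scope in (1, 2):
        found = simulate_sync({**cfg, "searchScope": str(scope)}, DIRECTORY)
        print(f"{SCOPE_NAMES[scope]}: {len(found)} imported users {found}")
```

With the constructed directory the One Level run finds nothing, matching the “0 imported users” line, while Subtree returns the two user objects in the sub-OUs. Note that Subtree also makes the bind account's view wider, so keep the bind DN a read-only service account with the narrowest Users DN that still contains all sub-OUs you actually want imported.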

It works now. Changed to Subtree. Also changed Username LDAP attribute: sAMAccountName to CN.