User federation with Google secure ldaps - no luck

I’m using a Mac, latest version of Keycloak in standalone and I installed java jdk 8u66.
I’m trying to implement Google secure ldap for user federation in Keycloak. I enabled LDAP service in the Google admin and downloaded the certificate (crt) and private key.

Then I added the certificate and private key in the Java cacerts keystore as PKCS #8. I also to tried to add the private key to the crt file and add the crt file to java cacerts keystore. Cacert is located: home/jre/lib/security/cacerts.

I also tried to my make own java keystore and adapted the standalone.xml file but no luck. … can’t find path… was the error in the server.log.

My settings (in a tenant - not in master):

The connection url: ldaps://
edit mode: read only
users DN: dc=xxxx,dc=xx (no filter applied)
search scope: subtree
Bind type:
When I set it to ‘none’ I get error: “error during sync of users” in server log:
error code 50: insufficient access rights
Uncaught server error: LDAP query failed.

When I enter a user:
User + @domain = LDAP: error 50 - Not authorized to authenticate password
User without @domain = error 49 - Incorrect password
User in DN = uid or cn=xxxx, ou=xxxx - error 50 - Not authorized to authenticate password

My question is: what is the correct setting for bind type? Add both the crt and private key as PKCS #8 in the java cacerts keystore is correct? I also tried with a new certificate.

If anyone has an idea what is wrong? Thanks!