| Setting | Type | Description |
| Enabled | Boolean (checkbox) | Enables or disables the LDAP provider. Disabling retains the config but stops user federation. |
| Console Display Name | String | Label shown in the Admin Console to represent this provider. Useful when you have multiple providers. |
| Priority | Integer | Determines the order in which providers are queried. Lower number = higher priority. |
| Import Users | Boolean (checkbox) | When enabled, users are copied into Keycloak's internal DB on first login or sync. This enables faster lookup but creates a shadow copy. |
| Edit Mode | Enum (READ_ONLY, WRITABLE, UNSYNCED) | Controls how Keycloak interacts with LDAP data. Use READ_ONLY to protect LDAP, WRITABLE to allow changes, or UNSYNCED for one-time import. |
| Sync Registrations | Boolean | If enabled, users created in Keycloak will also be written back to LDAP. Works only if Edit Mode is WRITABLE. |
| Vendor | Dropdown (Other, Active Directory, etc.) | Applies vendor-specific defaults and schema adjustments. Choosing "Active Directory" enables special handling like UPNs, nested groups, etc. |
| Username LDAP attribute | String | LDAP attribute used as the Keycloak username. Common: uid or sAMAccountName for AD. |
| RDN LDAP attribute | String | Used in the Relative Distinguished Name. Typically same as uid or cn. |
| UUID LDAP attribute | String | Unique identifier used to track LDAP entries in Keycloak. Common: entryUUID (OpenLDAP), objectGUID (AD). |
| User Object Classes | Comma-separated list | Filters objects returned by LDAP. Default: inetOrgPerson, organizationalPerson. Must match your LDAP schema. |
| Connection URL | String (URL) | LDAP server URL (e.g., ldap://localhost:389 or ldaps://ldap.example.com:636). |
| Users DN | String (DN) | Base DN under which user entries exist. Example: ou=People,dc=corp,dc=example,dc=com. |
| Custom User LDAP Filter | String (LDAP filter) | Optional filter (e.g., (employeeType=active)) to further narrow user search scope. |
| Search Scope | Enum (One Level, Subtree) | Defines how deeply LDAP should search under Users DN. Subtree is more thorough. |
| Bind Type | Enum (simple, none) | Determines how Keycloak connects to LDAP. simple uses Bind DN and password; none is anonymous bind (not recommended). |
| Bind DN | String (DN) | Admin or service account DN used to connect to LDAP (e.g., cn=admin,dc=corp,dc=com). |
| Bind Credential | Password | Password for the Bind DN. Should be strong and kept secure (or loaded from Vault/KeyStore in prod). |
| Setting | Type | Description |
| Enable StartTLS | Boolean | Upgrades LDAP connection from plain to TLS. Useful when LDAP server supports StartTLS over port 389. |
| Enable the LDAPv3 Password Modify Extended Operation | Boolean | Enables use of LDAP's standard password modification extension (1.3.6.1.4.1.4203.1.11.1). Required for some password policies. |
| Validate Password Policy | Boolean | When enabled, Keycloak validates passwords against the LDAP server’s password rules (like min length, complexity). |
| Trust Email | Boolean | If enabled, Keycloak will trust mail attribute from LDAP as a verified email (bypasses confirmation step). |
| Use Truststore SPI | String | Specifies the SPI used for truststore configuration when using LDAPS (e.g., file, keystore, vault). |
| Connection Timeout | Integer (ms) | Timeout in milliseconds for opening LDAP connections. Prevents Keycloak from hanging if LDAP is slow. |
| Read Timeout | Integer (ms) | Timeout for reading responses from LDAP. Applies to search and bind operations. |
| Pagination | Boolean | Enables LDAP paging for large directories. Should be enabled when user count exceeds server page size (e.g., 1000 entries). |
| Setting | Type | Description |
| Connection Pooling | Boolean | Reuses LDAP connections for efficiency and performance. Must be enabled for high-load environments. |
| Connection Pooling Authentication | String | Method used for authentication within pooled connections. Common: simple. |
| Connection Pool Debug Level | Integer | Logging level for LDAP connection pool events. Higher = more verbose logs. Useful for diagnostics. |
| Connection Pool Initial Size | Integer | Number of connections created when the pool initializes. |
| Connection Pool Maximum Size | Integer | Maximum number of pooled connections allowed. |
| Connection Pool Preferred Size | Integer | Preferred number of connections kept open (idle pool size). |
| Connection Pool Protocol | String | Protocol used within the pool: plain, ssl, or startTLS. Must match your LDAP configuration. |
| Connection Pool Timeout | Integer (ms) | Time in milliseconds before idle connections are closed. |
| Setting | Type | Description |
| Allow Kerberos authentication | Boolean | Enables support for Kerberos/SPNEGO login. Allows Windows domain users to log in without typing credentials. |
| Use Kerberos For Password Authentication | Boolean | Allows Keycloak to validate password credentials using Kerberos rather than LDAP bind. Used when Kerberos is the real authentication backend behind LDAP. |
| Setting | Type | Description |
| Batch Size | Integer | Maximum number of users retrieved in a single sync query. Helps manage memory and control sync load. |
| Periodic Full Sync | Cron string | Defines schedule for full user sync (e.g., 0 */12 * * * for every 12 hours). |
| Periodic Changed Users Sync | Cron string | Schedule for incremental sync based on last update timestamps (if supported by LDAP). Reduces sync time. |
| Setting | Type | Description |
| Cache Policy | Enum (DEFAULT, EVICT_DAILY, EVICT_WEEKLY, NO_CACHE) | Controls how Keycloak caches user info from LDAP. DEFAULT uses in-memory cache. NO_CACHE disables all LDAP caching. Other options periodically evict and refresh users. |