Provider - LDAP

Required Settings

| Setting | Type | Description |
| --- | --- | --- |
| Enabled | Boolean (checkbox) | Enables or disables the LDAP provider. Disabling keeps the configuration but stops user federation. |
| Console Display Name | String | Label shown in the Admin Console for this provider. Useful when several providers are configured. |
| Priority | Integer | Order in which user storage providers are queried when a user is looked up. Lower number = higher priority. |
| Import Users | Boolean (checkbox) | When enabled, users are copied into Keycloak's internal database on first login or during sync. Lookups are faster, but Keycloak then holds a shadow copy of the LDAP entries that has to be kept in sync. |
| Edit Mode | Enum (READ_ONLY, WRITABLE, UNSYNCED) | Controls how Keycloak treats LDAP data. READ_ONLY: LDAP is never written and LDAP-backed attributes cannot be changed in Keycloak. WRITABLE: changes made in Keycloak are written back to LDAP. UNSYNCED: users are imported and later changes are stored only in Keycloak's database, never written back to LDAP. |
| Sync Registrations | Boolean | If enabled, users created in Keycloak are also created in LDAP under Users DN. Requires Edit Mode WRITABLE. |
| Vendor | Dropdown (Active Directory, Red Hat Directory Server, Tivoli, Novell eDirectory, Other) | Applies vendor-specific defaults to the attribute settings below and adds vendor-specific mappers. Choosing Active Directory, for example, defaults the UUID attribute to objectGUID and adds handling of the userAccountControl attribute. |
| Username LDAP attribute | String | LDAP attribute mapped to the Keycloak username. Common: uid (OpenLDAP), sAMAccountName or cn (Active Directory). Must be unique under Users DN. |
| RDN LDAP attribute | String | Attribute used as the Relative Distinguished Name of user entries Keycloak creates. Typically uid or cn, and usually the same as the username attribute. |
| UUID LDAP attribute | String | Immutable unique identifier Keycloak uses to track an LDAP entry even if it is renamed or moved. Common: entryUUID (OpenLDAP), objectGUID (Active Directory), nsuniqueid (Red Hat Directory Server). |
| User Object Classes | Comma-separated list | Object classes that identify user entries. Each is added to the search filter as an (objectClass=...) term and set on entries Keycloak creates. Default for non-AD vendors: inetOrgPerson, organizationalPerson; for Active Directory: person, organizationalPerson, user. Must match your LDAP schema. |
| Connection URL | String (URL) | LDAP server URL, e.g. ldap://localhost:389 or ldaps://ldap.example.com:636. Use ldaps:// (or StartTLS) in production: over plain ldap:// the bind password and every user password cross the network in cleartext. |
| Users DN | String (DN) | Base DN under which user entries are searched (and created). Example: ou=People,dc=corp,dc=example,dc=com. |
| Custom User LDAP Filter | String (LDAP filter) | Optional additional filter, e.g. (employeeType=active), ANDed with the object class and username terms. Must be a complete filter enclosed in parentheses. |
| Search Scope | Enum (One Level, Subtree) | How deep to search under Users DN. One Level matches only direct children of Users DN; Subtree matches the whole tree below it. |
| Bind Type | Enum (simple, none) | How Keycloak authenticates to LDAP. simple binds with Bind DN and Bind Credential; none is an anonymous bind and should not be used in production. |
| Bind DN | String (DN) | Service account DN Keycloak binds with, e.g. cn=admin,dc=corp,dc=com. Prefer a dedicated account with only the rights it needs (read, plus write when Edit Mode is WRITABLE) over the directory administrator. |
| Bind Credential | Password | Password for the Bind DN. Use a strong secret and, in production, reference it from the Keycloak vault (${vault.<key>}) instead of storing it in the provider configuration. |
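The table above describes three settings that end up in one LDAP search filter: User Object Classes, Username LDAP attribute and Custom User LDAP Filter. The username comes from the login form, so it has to be escaped before it is spliced into that filter. The following is an added example (not Keycloak's own code) showing how such a filter is assembled and what RFC 4515 escaping prevents; the sample usernames are constructed.

```python
# Added example (not Keycloak's code): how the user lookup filter is assembled
# from User Object Classes, Username LDAP attribute and Custom User LDAP Filter,
# and why the username must be escaped (RFC 4515) before it is spliced in.
from typing import Iterable, Optional

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it can only ever match as a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str,
                      username_attr: str = "uid",
                      object_classes: Iterable[str] = ("inetOrgPerson", "organizationalPerson"),
                      custom_filter: Optional[str] = None) -> str:
    """AND together one (objectClass=...) term per configured class, the
    username term, and the optional custom filter. The custom filter is
    trusted configuration: it must be a complete parenthesised filter but
    is not escaped, because it is meant to contain filter syntax."""
    terms = [f"(objectClass={escape_filter_value(oc.strip())})" for oc in object_classes]
    terms.append(f"({username_attr}={escape_filter_value(username)})")
    if custom_filter:
        cf = custom_filter.strip()
        if not (cf.startswith("(") and cf.endswith(")")):
            raise ValueError("Custom User LDAP Filter must be enclosed in parentheses")
        terms.append(cf)
    return "(&" + "".join(terms) + ")"


def naive_user_filter(username: str, username_attr: str = "uid") -> str:
    """The unsafe variant, for contrast only: the raw username is spliced in,
    so "*)(uid=*" turns the lookup into a match for every user."""
    return f"(&(objectClass=inetOrgPerson)({username_attr}={username}))"


if __name__ == "__main__":
    # Constructed inputs: a normal login and an injection attempt.
    for name in ("alice", "*)(uid=*"):
        print("safe :", build_user_filter(name, custom_filter="(employeeType=active)"))
        print("naive:", naive_user_filter(name))
```

Run it and compare the two lines for the second input: the escaped filter looks for a user literally named `*)(uid=*`, while the naive one collapses to `(uid=*)` and matches the whole directory. The same escaping applies to any attribute value taken from user input, not only the username.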

Advanced Settings

| Setting | Type | Description |
| --- | --- | --- |
| Enable StartTLS | Boolean | Upgrades a plain ldap:// connection to TLS with the StartTLS extended operation, typically on port 389. Use either StartTLS or an ldaps:// URL, not both. |
| Enable the LDAPv3 Password Modify Extended Operation | Boolean | Changes passwords with the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) instead of writing the userPassword attribute directly, so the server applies its own hashing and password policy. Required by some servers and policies. |
| Validate Password Policy | Boolean | When enabled, Keycloak checks a new password against the realm's password policy before writing it to LDAP. It does not evaluate the LDAP server's own policy; that is still enforced by the server. |
| Trust Email | Boolean | If enabled, the mail attribute from LDAP is treated as a verified email address and users skip Keycloak's email verification. Enable only if the directory guarantees ownership of the mail values. |
| Use Truststore SPI | Enum (Always, Only for ldaps, Never) | Whether LDAP connections validate the server certificate against the server-wide truststore configured through Keycloak's Truststore SPI. Never falls back to the JVM default truststore. Newer releases offer only Always and Never. |
| Connection Timeout | Integer (ms) | Timeout for establishing the LDAP connection, in milliseconds. Prevents login threads from hanging when the directory is unreachable. |
| Read Timeout | Integer (ms) | Timeout for waiting on a response once connected, in milliseconds. Applies to bind and search operations. |
| Pagination | Boolean | Uses the Simple Paged Results control (RFC 2696) so that syncs can fetch more entries than the server's size limit allows in one result (commonly 1000, e.g. Active Directory's MaxPageSize). Enable when the directory exceeds that limit. |
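Taken together, the Required and Advanced settings decide whether the bind password and user passwords cross the network in cleartext, whether the server certificate is checked, and whether the provider can hang a login thread. The following is an added example (not Keycloak's own code) that runs those checks over the "config" map of an LDAP user-federation component as it appears in a Keycloak realm export, where every value is a one-element list of strings. The key names follow that export format (verify them against your own export); the two sample configs, the expected useTruststoreSpi values and the cn=admin heuristic are constructed for this example.

```python
# Added example (not Keycloak's code): a hardening check run over the "config"
# map of an LDAP user-federation component as it appears in a Keycloak realm
# export, where every value is a one-element list of strings. Key names follow
# that export format (verify against your own export); the sample configs, the
# useTruststoreSpi values and the "cn=admin" heuristic are constructed here.
from typing import Dict, List
from urllib.parse import urlsplit

Config = Dict[str, List[str]]


def _get(cfg: Config, key: str, default: str = "") -> str:
    values = cfg.get(key) or [default]
    return values[0]


def audit_ldap_config(cfg: Config) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks passed."""
    findings: List[str] = []
    scheme = urlsplit(_get(cfg, "connectionUrl")).scheme.lower()
    start_tls = _get(cfg, "startTls", "false") == "true"

    # Transport: the bind password and every user password cross this link.
    if scheme == "ldap" and not start_tls:
        findings.append("cleartext ldap:// without StartTLS; use ldaps:// or enable StartTLS")
    if scheme == "ldaps" and start_tls:
        findings.append("StartTLS enabled on an ldaps:// URL; configure one or the other")
    # Assumed export values for Use Truststore SPI: always / ldapsOnly / never.
    if (scheme == "ldaps" or start_tls) and _get(cfg, "useTruststoreSpi", "ldapsOnly") == "never":
        findings.append("useTruststoreSpi=never: server certificate checked only against JVM defaults")

    # Service account: how Keycloak authenticates to the directory.
    if _get(cfg, "authType", "simple") == "none":
        findings.append("anonymous bind (Bind Type none)")
    elif not _get(cfg, "bindCredential").startswith("${vault."):
        findings.append("bind credential stored inline; reference it from the Keycloak vault")
    if _get(cfg, "bindDn").lower().startswith("cn=admin,"):  # constructed heuristic
        findings.append("bind DN looks like the directory administrator; use a least-privilege service account")
    if _get(cfg, "editMode") == "WRITABLE":
        findings.append("editMode=WRITABLE: Keycloak can modify LDAP entries; confirm the bind account's write scope")

    # Trust and resilience.
    if _get(cfg, "trustEmail") == "true":
        findings.append("trustEmail=true: LDAP mail attribute bypasses email verification")
    for key, label in (("connectionTimeout", "Connection Timeout"), ("readTimeout", "Read Timeout")):
        value = _get(cfg, key)
        if not (value.isdigit() and int(value) > 0):
            findings.append(f"{label} unset: login threads can hang on a slow or unreachable directory")
    return findings


# Constructed sample configs: a weak provider and its hardened counterpart.
WEAK: Config = {
    "connectionUrl": ["ldap://ldap.corp.example.com:389"],
    "startTls": ["false"],
    "authType": ["none"],
    "bindDn": [""],
    "editMode": ["WRITABLE"],
    "trustEmail": ["true"],
    "useTruststoreSpi": ["never"],
}
HARDENED: Config = {
    "connectionUrl": ["ldaps://ldap.corp.example.com:636"],
    "startTls": ["false"],
    "authType": ["simple"],
    "bindDn": ["cn=keycloak-svc,ou=Service Accounts,dc=corp,dc=example,dc=com"],
    "bindCredential": ["${vault.ldap_bindCredential}"],
    "editMode": ["READ_ONLY"],
    "trustEmail": ["false"],
    "useTruststoreSpi": ["always"],
    "connectionTimeout": ["5000"],
    "readTimeout": ["10000"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ldap_config(cfg) or ["ok"])
```

To use it on a real deployment, export the realm, locate the component whose providerId is ldap and pass its config map to audit_ldap_config. The WRITABLE finding is informational: writable federation is legitimate, but it means the bind account's write permissions in the directory define what a compromised Keycloak could change.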

Connection Pooling

| Setting | Type | Description |
| --- | --- | --- |
| Connection Pooling | Boolean | Reuses LDAP connections across requests instead of opening a new one for every bind or search. Recommended for high-load deployments. |
| Connection Pooling Authentication | String | Space-separated list of authentication types whose connections may be pooled: none, simple, DIGEST-MD5. Common: simple. |
| Connection Pool Debug Level | String | Debug output for the pool: fine (trace connection creation and removal) or all (all debugging information). Useful for diagnostics. |
| Connection Pool Initial Size | Integer | Number of connections created when the pool is first initialized. |
| Connection Pool Maximum Size | Integer | Maximum number of pooled connections maintained concurrently per connection identity. When unset there is no limit. |
| Connection Pool Preferred Size | Integer | Preferred number of connections per identity. Idle connections above this number are closed when returned to the pool. |
| Connection Pool Protocol | String | Space-separated list of protocol types whose connections may be pooled: plain and ssl. Must match your Connection URL. |
| Connection Pool Timeout | Integer (ms) | Milliseconds an idle connection may remain in the pool before it is closed and removed. |

Kerberos Integration

| Setting | Type | Description |
| --- | --- | --- |
| Allow Kerberos authentication | Boolean | Enables SPNEGO/Kerberos browser login with LDAP as the user store; requires the Kerberos realm, server principal and keytab settings. Domain-joined users log in without typing credentials. |
| Use Kerberos For Password Authentication | Boolean | Validates username/password logins against the Kerberos KDC instead of an LDAP bind. Use when Kerberos is the authoritative authentication backend behind the directory or the directory does not permit user binds. |

Sync Settings

| Setting | Type | Description |
| --- | --- | --- |
| Batch Size | Integer | Maximum number of users fetched from LDAP in a single query during sync. Limits memory use and sync load. |
| Periodic Full Sync | Boolean + period (seconds) | Enables a scheduled full synchronization of all LDAP users into Keycloak. The Full Sync Period is given in seconds, e.g. 43200 for every 12 hours; it is not a cron expression. |
| Periodic Changed Users Sync | Boolean + period (seconds) | Enables a scheduled sync of only the users created or modified since the last sync, based on the entry's modification timestamp (modifyTimestamp). Cheaper than a full sync, but it cannot detect users deleted from LDAP; a full sync is still needed for that. |

Cache Settings

| Setting | Type | Description |
| --- | --- | --- |
| Cache Policy | Enum (DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE) | Controls caching of users loaded from this provider. DEFAULT uses the realm's standard user cache. EVICT_DAILY and EVICT_WEEKLY evict cached users at a configured time of day (and weekday). MAX_LIFESPAN evicts them after a configured number of milliseconds. NO_CACHE disables caching for this provider's users, so every request goes to LDAP. |
