[keycloak-user] automated Sync Keycloak Roles To LDAP

Arjan Schaaf arjan.schaaf at luminis.eu
Thu Jun 16 01:25:05 EDT 2016


Hi there,

I’m integrating Keycloak in an environment where I have a couple of ‘legacy’ applications that allow for LDAP-based external authentication, but do not support Keycloak or OAuth / OpenID Connect out-of-the-box.
So I’m creating a setup where I use Keycloak as the primary repository for storing users and groups/roles, but I connect an LDAP server that is kept in sync with Keycloak and bind these applications to the LDAP service.

That setup works decently enough: newly created users in Keycloak are synced to LDAP and so on.
However, syncing Keycloak roles to LDAP doesn’t seem to work as conveniently. I’ve created a User Federation Mapper of type Role mappings and when I use the “Sync Keycloak Roles To LDAP” button, the roles are synced with LDAP. Great!
But when I create a new role in Keycloak I expected it to be synced automatically, just like a new Keycloak user is synced directly to LDAP. I need to use “Sync Keycloak Roles To LDAP” manually again to update LDAP. Is this how it is designed to work, or is there a way to update LDAP directly after changing something in Keycloak roles?


Cheers,
Arjan


