Actually, I've traced the source of my challenge I believe to this excellent
analysis:
https://issues.jboss.org/browse/KEYCLOAK-4433?focusedCommentId=13364626&a...
In my case, I have a few attributes in OpenLDAP that have constraints associated with them
(we are using the constraints overlay/extension provided by OpenLDAP). Those constraints
prevent the creation of the "default" dummy object. I have confirmed that
watching the logs: Keycloak first tries to create a dummy empty object, then moves forward
with modifying the returned entry.
Is there a workaround to this? Or a configuration option that instead of create empty then
modify, instead simply does create with full attributes?