Hi, I've got Keycloak 4.5.0.Final setup to talk to an AWS instance of their Simple AD - which is Samba 4 behind the scenes. Connectivity and authentication works ok, as does the initial sync all users. However, when I create a new user through Keycloak, I get an error "Error! Could not create user" in the UI and the following logs: keycloak_1 | 20:45:52,571 WARN [org.keycloak.services.resources.admin.UsersResource] (default task-17) Could not create user: org.keycloak.models.ModelException: Could not modify attribute for DN [cn=example12,CN=Users,DC=ad,DC=example,DC=com] keycloak_1 | Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 00002030: No such Base DN: cn=example12,CN=Users,DC=ad,DC=example,DC=com]; remaining name 'cn=example12,CN=Users,DC=ad,DC=example,DC=com' The full stack trace is here https://gist.githubusercontent.com/rk295/a8ada3cd79212e73d2e55215e4d53e34... What is interesting is the user is created successfully in LDAP. ldif https://gist.githubusercontent.com/rk295/0bde9a03f057dea09ea08f7f0050785e... However in this ldif, is the following fields show "IA==" rather than the value I entered (example12 in both cases) sn:: IA== givenName:: IA== I have both the firstname and lastname mappers setup to map the following fields: usermodel attribute firstName -> ldap givenName usermodel attribute lastName -> ldap sn Both setup with RO false, always read from LDAP true, is mandatory true, is binary false. If I hit the button to resync changed (or all) users, the user shows in the Keycloak admin, but the fields above missing. Hope somebody can help! r.