How to update email addresses in Keycloak reading from LDAP?


Silke Meyer

Mar 11, 2025, 4:03:10 PM
to keyclo...@googlegroups.com
Hello! :)

I have a question concerning email addresses in Keycloak:

I have user accounts in LDAP or AD. They are not imported into Keycloak,
Keycloak has read-only access to them. Thus I assume that the backend is
queried when needed.

When a user, who has logged in via Keycloak earlier, gets a new email
address in LDAP, this information is not updated in Keycloak. I can
search for the account, the overview still has the old address.

When I delete a user in LDAP/AD and create a new one with the same email
address later, it also complains that the address is assigned to someone
else already. So the sub claim and the email address seem to stay
connected even if the account is removed from the backend IdM.

What can I do about this situation as a Keycloak admin? Where does
Keycloak even keep this information? I didn't find anything in the database.
Is it related to the cache setting? They look like this:
my realm -> user federation -> ldap -> Cache policy "default"
master realm -> user federation -> ldap -> MAX_LIFESPAN 300000 ms
This sounds as if my cache should be refreshed after 5 minutes, but the
update of the email address didn't happen even after days.

I would like to understand this better, so I am grateful for any hint on
where to look / what to read.
(I cannot turn on the preview feature update-email and I couldn't ask
the users to correct it themselves either.)

Greetings, Silke

--
Silke Meyer
IT Consultant

Phone: +49 (0) 421 22232-106
Mobile: +49 (0) 152 530 543 05
E-Mail : silke...@univention.de

Univention GmbH
Mary-Somerville-Str. 1
28359 Bremen
Germany | Deutschland
Phone: +49 (0) 421 22232-0 | E-Mail: in...@univention.de

https://www.univention.de | https://www.univention.com

Managing Directors: Peter H. Ganten, Stefan Gohmann
Local court: Amtsgericht Bremen
HRB 20755 | Ust-ID: DE220051310

If you are not the intended recipient of this mail, please contact the
sender and delete this message. Any unauthorized copying of this message
or unauthorized distribution of the information contained herein is
prohibited. Information on the processing of your personal data can be
found here:
https://www.univention.com/privacy-statement

John Kohl

Mar 14, 2025, 7:38:43 AM
to Silke Meyer, keyclo...@googlegroups.com
Have you looked at the settings for periodic synchronization of Keycloak and the LDAP server?  Look at the "Synchronization settings" section.  To manually run a sync, there's a UI action in the upper left corner: my Keycloak (sorry, not sure what version) has "Sync changed users" and "Sync all users".

If an email address changes in LDAP, my experience is that a sync operation will update the linked Keycloak user record.


--

Regards,

John Kohl (he/him/his)

Senior Software Architect – HCL Software

Please note new e-mail address: john...@hcl-software.com

hcl-software.com
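The sync action John refers to can also be triggered outside the console, through the Keycloak Admin REST API, which makes it easy to script a check after an LDAP change and to clear the user cache mentioned in the original question at the same time. This is an added example, not code from the thread or from the Keycloak project; the base URL, realm name, credentials and the component list are constructed placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what GET /admin/realms/{realm}/components
# ?type=org.keycloak.storage.UserStorageProvider returns (trimmed to the
# fields this script needs). The ids are placeholders, not real values.
SAMPLE_COMPONENTS = [
    {"id": "11111111-aaaa-0000-0000-000000000001", "name": "ldap",
     "providerId": "ldap", "providerType": "org.keycloak.storage.UserStorageProvider"},
    {"id": "22222222-bbbb-0000-0000-000000000002", "name": "kerberos",
     "providerId": "kerberos", "providerType": "org.keycloak.storage.UserStorageProvider"},
]


def find_ldap_component_ids(components):
    """Return the ids of the LDAP user federation providers in a realm."""
    return [c["id"] for c in components if c.get("providerId") == "ldap"]


def sync_url(base_url, realm, component_id, full=False):
    """Admin REST URL behind the console's "Sync changed users" / "Sync all users"."""
    action = "triggerFullSync" if full else "triggerChangedUsersSync"
    return (f"{base_url}/admin/realms/{urllib.parse.quote(realm)}"
            f"/user-storage/{urllib.parse.quote(component_id)}/sync?action={action}")


def clear_user_cache_url(base_url, realm):
    """Admin REST URL that evicts the realm's cached user entries."""
    return f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/clear-user-cache"


def call(url, token, method="GET"):
    """Send one authenticated admin call and decode the JSON body (if any)."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def resync_ldap(base_url, realm, token, full=False):
    """Sync every LDAP provider of the realm, then drop the user cache."""
    comps = call(f"{base_url}/admin/realms/{urllib.parse.quote(realm)}"
                 "/components?type=org.keycloak.storage.UserStorageProvider", token)
    results = {cid: call(sync_url(base_url, realm, cid, full), token, "POST")
               for cid in find_ldap_component_ids(comps)}
    call(clear_user_cache_url(base_url, realm), token, "POST")  # returns no body
    return results  # per-provider SynchronizationResult as returned by Keycloak


if __name__ == "__main__":  # live run needs a server; KC_* values are assumptions
    print(resync_ldap(os.environ.get("KC_BASE_URL", "https://keycloak.example.invalid"),
                      os.environ.get("KC_REALM", "my-realm"), os.environ["KC_ADMIN_TOKEN"]))
```

Obtain the bearer token from the master realm's token endpoint (for instance with the admin-cli client) before running; the returned per-provider result shows how many users were added, updated, removed or failed.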





Silke Meyer

Mar 19, 2025, 3:52:05 AM
to keyclo...@googlegroups.com
Hi John,

thanks for your answer. Do the synchronisation settings apply when the
user accounts have not been imported into Keycloak from LDAP?
The documentation sounds as if those settings are for imports.
It would be great if this could be clarified by someone. :)

Best, Silke