# troubleshooting
d
Wondering if anyone can shed any light on my issue importing LLDAP users into Keycloak, followed the docs and the import looks successful, managed to import the groups as well. If I look at the groups I can see all the members and access the user account from there, but if I click on Users in keycloak, it's blank.
n
Here's a brand new thread for you! Please keep the discussion for this problem in this thread.
n
Hmm, that would be hard to diagnose without logs. However, that might be a better question for the KeyCloak community? I don't know much about KeyCloak, so I'm not sure how much I'd be able to help. At this point, LLDAP is just a regular LDAP server for them.
z
Keycloak hides LDAP/AD users so as not to slow down the interface (it would be a great feature if you were in an organisation and had tons of users in your LDAP).
Type "*" (the asterisk symbol) in the search bar in the Users tab to show all users.
Or just search for a specific user.
d
@ziomal12 Thanks, that's got me a bit further. Doing a wildcard search does indeed list all the users, I hadn't tried that. However, when I search for a specific user I get:
No users found, could be due to wrongly configured federated provider Unexpected non-whitespace character after JSON at position 909
So that's given me a bit more to go on. Do you mind me asking what version of Keycloak you're running, so I can pin the version and then try and work out where I'm going wrong?
z
Currently none, I ultimately switched to Authentik (easier to do forward auth with Traefik, but still a PITA), but the version I was running was latest as of 2-3 weeks ago.
d
Funnily enough, that's what I'm kicking the tyres on at the moment, weighing up Keycloak and Authentik. I have set up Authentik in the past but never got very far: I got annoyed by the automatic LDAP outpost deployment and was just generally a bit overwhelmed with it all, so I decided to try Keycloak. But I'd already started thinking that forward auth would be easier on Authentik after looking at the Traefik config options for Keycloak.
Also I submitted the Authentik config notes to LLDAP..... 😄
z
I tried OAuth2 Proxy and Gatekeeper with Keycloak and didn't get very far; with Authentik it just works. However, their documentation is lacking at best and terrible at worst, and it uses more system resources than Keycloak. If you wanna try Authentik, look at the Cooptonian YT channel.
d
Yeah, I've found the Cooptonian channel already. I'm currently using Authelia, which just works but is a bit limited, though I do like the YAML config.
Completely agree with you on their documentation though.
z
It has its own LDAP server; tbh I don't think that duplicating this with LLDAP is worth it.
d
I quite like the idea of keeping LLDAP whatever solution I go for as a "source of truth" should I wish to swap out Authentik for something else though.
z
If you look at it this way, it makes a lot of sense.
d
In an ideal world I'd be able to write back any changes in Authentik to LLDAP, but I only realised today that LLDAP is currently read-only in that regard. I can't help but just love LLDAP, it's so simple but effective, and coming from OpenLDAP with ldap-user-manager it was a real breath of fresh air.
z
If you wish, I could answer some questions based on my experience with both solutions.
d
That's really kind of you, mate. I may take you up on that offer when I get a bit further, but actually just chatting to you has been helpful to clarify my mind. I think I'm currently going to spin up Authentik again and keep plugging away at it.
z
Yes, that's the biggest drawback of this solution for me. Technically you can create users and change passwords with the write functionality, but I always had to go back to the LLDAP GUI to change the gibberish it created, so I could just as well do it there from the beginning.
d
That's my plan: use LLDAP as the canonical identity provider and then use Authentik for authorisation and authentication.
In reality my user list is small and unlikely to grow any further.
z
It does the job, but another downside to consider is that Authentik is incompatible (afaik), at least for now, with CrowdSec.
d
I do CrowdSec on my firewall (OPNsense) rather than Traefik, so I might be OK with that, I think.
z
Well, not really. In that case CrowdSec would watch logs looking for failed login attempts and ban the IP if it failed too often, but CrowdSec can't read Authentik's log format.
d
Yeah, the penny just dropped for me when I realised what you meant; I assumed (incorrectly) it was a Traefik issue.
n
Just FYI, I might consider making LLDAP writable over LDAP; there's really no reason not to allow that (for simple cases), other than making it easier for me to write it in the first place 🙂 It probably won't be for a while though, life is getting busy and I really want to finish user-defined attributes.
d
@nitnelave Mate, I wasn't lying when I said I love this project. You do what you need when you need; I'm never going to pressure anyone for anything, it's not how FOSS works.
f
Did you ever get any traction on how to resolve this issue? It is driving me a bit mad haha
d
No, sorry, I ended up going back to Authelia.
f
Thanks! Appreciated.