in Keycloak admin console, you will see just those LDAP users, which were already authenticated/requested by Keycloak.
</para>
<para>If you want to sync all LDAP users into Keycloak database, you may configure and enable Sync, which is in
admin console on same page like the configuration of Federation provider itself. There are 2 types of sync:
<variablelist>
<varlistentry>
<term>Full sync</term>
<listitem>
<para>
This will synchronize all LDAP users into Keycloak DB. Those LDAP users, which already exist in Keycloak and were
changed in LDAP directly will be updated in Keycloak DB (For example if user <literal>Mary Kelly</literal> was changed in LDAP to <literal>Mary Doe</literal>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Changed users sync</term>
<listitem>
<para>
This will check LDAP and it will sync into Keycloak just those users, which were created or updated in LDAP from the time of last sync.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
In usual cases you may want to trigger full sync at the beginning, so you will import all LDAP users to Keycloak just once. Then you may setup
periodic sync of changed users, so Keycloak will periodically ask LDAP server for newly created or updated users and backport them to Keycloak DB.
Also you may want to trigger full sync again after some longer time or setup periodic full sync as well.
</para>
<para>In admin console, you can trigger sync directly or you can enable periodic changed or full sync.</para>
LDAP mappers are <literal>listeners</literal>, which are triggered by LDAP Federation provider at various points and provide
another extension point to LDAP integration. They are triggered during import LDAP user into Keycloak, registration Keycloak user back to LDAP or when querying LDAP user from Keycloak.
When you create LDAP Federation provider, Keycloak will automatically provide set of builtin <literal>mappers</literal> for this provider.
You are free to change this set and create new mapper or update/delete existing ones.
</para>
<para>
By default, we have those implementation of LDAP federation mapper:
<variablelist>
<varlistentry>
<term>User Attribute Mapper</term>
<listitem>
<para>
This allows to specify which LDAP attribute is mapped to which attribute of Keycloak User. So for example you can configure
that LDAP attribute <literal>mail</literal> is supposed to be mapped to the UserModel attribute <literal>email</literal> in Keycloak database.
For this mapper implementation, there is always one-to-one mapping (one LDAP attribute mapped to one Keycloak UserModel attribute)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FullName Mapper</term>
<listitem>
<para>
This allows to specify that fullname of user, which is saved in some LDAP attribute (usualy <literal>cn</literal> ) will be mapped to
<literal>firstName</literal> and <literal>lastname</literal> attributes of UserModel. Having <literal>cn</literal> to contain full name of user
is common case for some LDAP deployments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Role Mapper</term>
<listitem>
<para>
This allows to configure role mappings from LDAP into Keycloak role mappings. One Role mapper can be used to map LDAP roles
(usually groups from particular branch of LDAP tree) into roles corresponding to either realm roles or client roles of specified client.
It's not a problem to configure more Role mappers for same LDAP provider. So for example you can specify that role mappings from groups under
<literal>ou=main,dc=example,dc=org</literal> will be mapped to realm role mappings and role mappings from
groups under <literal>ou=finance,dc=example,dc=org</literal> will be mapped to client role mappings of client <literal>finance</literal> .
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>By default, there is set of User Attribute mappers to map basic UserModel attributes username, first name, lastname and email to corresponding LDAP attributes. You are free to extend this and provide
more attribute mappings (For example to street, postalCode etc), delete firstName/lastname mapper and put fullName mapper instead, add role mappers etc.
Admin console provides tooltips, which should help on how to configure corresponding mappers.
We have an example, which is showing LDAP integration and set of base mappers and sample mappers (mappers for street and postalCode) . It's in <literal>examples/ldap</literal>
in the Keycloak example distribution or demo distribution download. You can also check the example sources directly <ulinkurl="https://github.com/keycloak/keycloak/blob/master/examples/ldap">here</ulink> .
