diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPReadOnlyTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPReadOnlyTest.java
index a56d1842c6..bb2eec3067 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPReadOnlyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPReadOnlyTest.java
@@ -46,6 +46,8 @@ import org.keycloak.testsuite.util.LDAPRule;
 import org.keycloak.testsuite.util.LDAPTestUtils;
 import org.openqa.selenium.By;
 
+import javax.ws.rs.ClientErrorException;
+
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
@@ -125,6 +127,23 @@ public class LDAPReadOnlyTest extends AbstractLDAPTest  {
         user.removeCredential(totpCredentialId);
     }
 
+    // KEYCLOAK-3365
+    @Test
+    public void testReadOnlyUserDoesNotThrowIfUnchanged() {
+        UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "johnkeycloak");
+        UserRepresentation userRepresentation = user.toRepresentation();
+        user.update(userRepresentation);
+    }
+
+    // KEYCLOAK-3365
+    @Test(expected = ClientErrorException.class)
+    public void testReadOnlyUserThrowsIfChanged() {
+        UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "johnkeycloak");
+        UserRepresentation userRepresentation = user.toRepresentation();
+        userRepresentation.setFirstName("Jane");
+        user.update(userRepresentation);
+    }
+
     private void setTotpRequirementExecutionForRealm(AuthenticationExecutionModel.Requirement requirement) {
         adminClient.realm("test").flows().getExecutions("browser").
                 stream().filter(execution -> execution.getDisplayName().equals("Browser - Conditional OTP"))