Right now, LDAP server is configured separately for each Realm. Configuration is in admin console in tab Ldap under realm settings. It's under URL like http://localhost:8080/auth/admin/keycloak-admin/console/index.html#/realms/YOUR_REALM/ldap-settings . There is nothing like "shared" LDAP server for more realms in Keycloak, but it's planned for the future. LDAP is currently used just for authentication of users done through PicketlinkAuthenticationProvider as described here . In the future, we have plan to have full Sync SPI, which will allow one-way or two-way synchronization between LDAP server and Keycloak database including users and roles.