When federated LDAP storage is set to READONLY mode, shouldn't the user's attributes that are not-LDAP mapped still be editable?

[wornr]

Hi everyone!

First of all, I'm not entirely sure if it's a bug, so I decided to start a discussion here instead of creating another issue.

Keycloak 25.0.2

I want to add additional attributes for the LDAP federated user, that are not available in LDAP.

Documentation says:

If you disable Import Users, you cannot save user profile attributes into the Keycloak database.

First thing to do then is to enable User Import. Done!

Also I don't want them to be stored in LDAP after all and I basically don't want Keycloak to change anything in LDAP.

Documentation says:

READONLY
You cannot change the username, email, first name, last name, and other mapped attributes. Keycloak shows an error
anytime a user attempts to update these fields. Password updates are not supported.

So, next thing is to set Edit Mode to READONLY. Done!

Last but not least, I should configure mapper to tell Keycloak what attributes from LDAP should be imported to what field of Keycloak's User model. Obviously I'm not mapping my additional attributes as they're not even available in LDAP. Done!

Now, after full sync I would expect to have all users from LDAP imported to Keycloak and be able to only read the attributes that come from LDAP, but in the same time to be able to edit those that do not come from LDAP.
Unfortunately that is not true, because all attributes are read-only.

Maybe I'm missing something, but going through the documentation leads me to the conclusion, that the configuration I pointed out should let me achieve what I want.

I find this statement from the documentation misleading:

READONLY
You cannot change the username, email, first name, last name, and other mapped attributes. Keycloak shows an error
anytime a user attempts to update these fields. Password updates are not supported.

1. It says that some basic attributes and most importantly - mapped attributes - cannot be changed, so I'm assuming that I should be able to edit non-LDAP mapped attributes. Not true though!
2. It says that Keycloak shows an error anytime a user attempts to update those read-only fields. Not true, because we can't even made changes to those fields anymore, which is totally fine btw, but the documentation is not accurate in that matter.

[gcerkez]

I have the same issue. I have ldap federated users and I have a custom attribute added in the Realm Settings -> User Profile tab.

I want to maintain this outside of the ldap instance and be able to set and retrieve the attribute value.

[leonbcode]

Hey, I'm facing the same problem. Has there been any progress on this?