Feature
Resolution: Done
Narrative
Customer wants to use Keycloak to sync registrations with LDAP. Currently, however, they cannot create users or groups when the search scope is "Subtree" and a higher-level Users DN or Groups DN is configured.
If they want to fetch all users or groups from an LDAP directory that spans multiple leaves, they cannot create any users or groups, because Keycloak attempts to create the object in the wrong place. For instance, `Sync Registrations` always creates the user in LDAP with a DN of the form `<rdn-attr>=<username>,<users-dn>` (as per the code), and there is no configuration option to change that.
Customer needs to be able to create objects from Keycloak when the LDAP backend is configured with subtree as its search scope. They therefore need an option to set a separate DN for sync registrations, so that users can be created in LDAP under a DN other than what we define today as the `Users DN`.
Value Proposition
- To overcome the limitation in Keycloak that there is only a single entry point, the Users DN.
- In LDAP, entries can be created in different branches.
- A nice addition to the LDAP integration and something we are missing compared with other products, such as Okta (cf. "Multiple LDAP users DN entry").
Goals
- Provide optional field for overriding the DN used for creating new users and groups.
Implementation notes
Some thoughts on how we could achieve this:
- one idea would be to add a new mapper (similar to the username template importer mappers we have for brokering) that lets the user construct the new DN from attributes, configuration parameters, etc.
- add a new configuration property to the LDAP provider so that we can create users in LDAP using a DN other than what is defined today as the `Users DN`.
- links to
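As an added illustration (not Keycloak's own code) of the DN construction described in the narrative and of the separate creation DN proposed in the implementation notes: the function below builds the current `<rdn-attr>=<username>,<users-dn>` form, applies an optional creation DN, and refuses one that falls outside the configured search base, since an entry created there would never be found again by a subtree search. The `creation_dn` parameter name, the scope check and the sample DNs are assumptions for this example.

```python
# Added example, not Keycloak code: builds the DN used when "Sync Registrations"
# creates a user, with an assumed optional override for the parent DN.
from typing import Optional

# RFC 4514 special characters that must be escaped inside an RDN attribute value,
# otherwise a username such as "bob,ou=admins" would change the DN structure.
_RDN_ESCAPE = {",": "\\,", "+": "\\+", '"': '\\"', "\\": "\\\\", "<": "\\<",
               ">": "\\>", ";": "\\;", "=": "\\=", "\x00": "\\00"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it cannot alter the DN structure (RFC 4514)."""
    out = "".join(_RDN_ESCAPE.get(ch, ch) for ch in value)
    # A leading '#', a leading space and a trailing space are also special.
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def _normalize_dn(dn: str) -> str:
    # Minimal normalization for a suffix check on the constructed inputs below:
    # lower-case and strip spaces around commas. A real comparison parses RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_new_user_dn(rdn_attr: str, username: str, users_dn: str,
                      creation_dn: Optional[str] = None,
                      search_scope: str = "SUBTREE") -> str:
    """Return the DN under which a newly registered user would be created.

    Current behaviour: <rdn-attr>=<username>,<users-dn>.
    Assumed extension: creation_dn replaces users_dn as the parent, but only
    when the entry stays inside the subtree that users_dn is searched with.
    """
    parent = users_dn
    if creation_dn:
        if search_scope != "SUBTREE":
            raise ValueError("a separate creation DN needs SUBTREE search scope")
        n_parent, n_base = _normalize_dn(creation_dn), _normalize_dn(users_dn)
        if n_parent != n_base and not n_parent.endswith("," + n_base):
            raise ValueError(f"{creation_dn!r} lies outside the search base {users_dn!r}")
        parent = creation_dn
    return f"{rdn_attr}={escape_rdn_value(username)},{parent}"


if __name__ == "__main__":
    # Constructed sample: users live under ou=people, but the Users DN is the suffix.
    print(build_new_user_dn("uid", "alice", "dc=example,dc=com"))
    print(build_new_user_dn("uid", "alice", "dc=example,dc=com",
                            creation_dn="ou=people,dc=example,dc=com"))
```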