Red Hat build of Keycloak: RHBK-3229

LDAP: error code 19 - pwdChangedTime: no user modification allowed [GHI#40270]

      Area

      ldap

      Describe the bug

      When attempting to save attribute changes for an existing LDAP user with a changed password via the Keycloak UI ('Created at' date not 1/1/1970), an error message will pop up stating that the user has not been saved.

      The error in the logs is: LDAP: error code 19 – pwdChangedTime: no user modification allowed

      According to the OpenLDAP definition, this attribute is operational and can only be written by the LDAP server itself - it is read-only externally.

      Version

      26.2.5

      Regression

      [x] The issue is a regression

      Expected behavior

      The pwdChangedTime attribute is not written to LDAP when a user with a changed password is saved/synced -> read-only.

      Actual behavior

      Keycloak is attempting to modify the pwdChangedTime attribute in LDAP, but this is not permitted because OpenLDAP considers it an operational attribute with a read-only property.

      How to Reproduce?

      • Migration from version 25.0.6 to 26.2.5 (including intermediate versions)
      • OpenLDAP user federation
      • There were no issues until the latest versions of Keycloak were implemented, which may have occurred when pwdChangedTime was introduced in release 26.2.0

      Anything else?

      The workaround for saving existing users involves adding a hard-coded LDAP mapper for pwdChangedTime with an empty string value (single quotation marks). When trying to add new users with LDAP sync, an error will occur again when adding this attribute - no surprise.
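The report's core point is that pwdChangedTime is a server-maintained, operational attribute, so a client that includes it in a modify request is guaranteed to be refused with error code 19. The following is an added example, not Keycloak's or OpenLDAP's code: it reads attributeType definitions in RFC 4512 syntax, marks any attribute carrying NO-USER-MODIFICATION or a non-userApplications USAGE as read-only to clients, strips such attributes from a modify request before it would be sent, and extracts the offending attribute name from a log line shaped like the one quoted above. The schema entries and OIDs under 1.3.6.1.4.1.99999 are constructed for the example and are not the real ppolicy OIDs; the sample modify request is also constructed.

```python
import re

# Constructed sample schema entries in RFC 4512 attributeType syntax, modelled
# on the shape of OpenLDAP's ppolicy schema for this example. The OIDs under
# 1.3.6.1.4.1.99999 are placeholders, not the real ones.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'pwdChangedTime' "
    "DESC 'The time the password was last changed' "
    "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
    "NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'mail' DESC 'RFC822 mailbox' "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
    "( 1.3.6.1.4.1.99999.1.3 NAME ( 'cn' 'commonName' ) "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# NAME 'x' or NAME ( 'x' 'y' ) as written in attributeType definitions.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
_USAGE_RE = re.compile(r"\bUSAGE\s+(\w+)")


def parse_attribute_types(definitions):
    """Map each attribute name (lowercased) to True if clients may write it.

    An attribute is read-only to clients when its definition carries
    NO-USER-MODIFICATION, or when its USAGE is anything other than
    userApplications (i.e. it is operational and server-maintained).
    """
    writable = {}
    for definition in definitions:
        match = _NAME_RE.search(definition)
        if not match:
            continue
        if match.group(1):
            names = [match.group(1)]
        else:
            names = re.findall(r"'([^']*)'", match.group(2))
        usage = _USAGE_RE.search(definition)
        operational = "NO-USER-MODIFICATION" in definition or (
            usage is not None and usage.group(1) != "userApplications"
        )
        for name in names:
            writable[name.lower()] = not operational
    return writable


def strip_read_only(changes, writable):
    """Split a modify request into the part to send and the part to drop.

    Attributes absent from the schema map are assumed writable; only
    attributes the schema marks read-only are removed.
    """
    allowed, dropped = {}, {}
    for attr, value in changes.items():
        if writable.get(attr.lower(), True):
            allowed[attr] = value
        else:
            dropped[attr] = value
    return allowed, dropped


# The message shape quoted in the report: "LDAP: error code 19 - <attr>: no
# user modification allowed". Either a hyphen or an en dash is accepted.
_ERR_RE = re.compile(
    r"LDAP: error code 19 [-\u2013] (\w+): no user modification allowed"
)


def attribute_from_error(log_line):
    """Return the attribute named in an error-code-19 message, else None."""
    match = _ERR_RE.search(log_line)
    return match.group(1) if match else None


if __name__ == "__main__":
    schema = parse_attribute_types(SAMPLE_SCHEMA)
    # Constructed modify request resembling what a user sync might send.
    request = {"mail": "jdoe@example.test", "pwdChangedTime": "20250101120000Z"}
    allowed, dropped = strip_read_only(request, schema)
    print("send:", allowed)
    print("drop:", dropped)
    print("attr in error:", attribute_from_error(
        "LDAP: error code 19 - pwdChangedTime: no user modification allowed"))
```

In a real deployment the attributeType definitions would come from the server's subschema subentry rather than a constructed list; the filtering logic is the same, and treating every USAGE other than userApplications as non-writable errs on the safe side, since those attributes are operational by definition.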

              Assignee: Unassigned
              Reporter: pvlha (Pavel Vlha)
              Keycloak Core IAM