KB Article #178566

SecureTransport and Keycloak 2.5.5 limitations

Problem

Keycloak can import LDAP users into its own database (the import mode of its LDAP user federation, referred to here as LDAP cached mode), so that a request is not sent to LDAP every time a user logs in.

However, the import fails for a user whose email address is not unique: Keycloak requires email addresses to be unique within a realm, so a second LDAP entry carrying a mail value that is already stored for another imported user cannot be saved.


Resolution

There are several possible workarounds, depending on the specific use case:


  • Do not map the LDAP mail attribute to the Keycloak email attribute (in this case the email address is not available to SecureTransport);
  • Do not use the LDAP cached mode in Keycloak (users are then looked up in LDAP directly instead of being imported);
  • Change the email addresses of the affected users in LDAP so that every email address is unique.
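Before choosing one of the workarounds it helps to know which LDAP entries actually collide. The following script is an added example, not part of this article or of Keycloak or SecureTransport. It parses an LDIF dump of the kind produced by ldapsearch -LLL with the mail attribute requested, and reports every email value carried by more than one entry. The comparison is case-insensitive because the LDAP mail attribute is case-insensitive and Keycloak stores email addresses lower-cased, so two entries that differ only in letter case still collide on import. The base DN and the sample entries are constructed for the example.

```python
"""Find LDAP entries whose mail attribute collides, i.e. the users whose
import into Keycloak would fail because the email is not unique.

Added example (not code from the KB article, Keycloak or SecureTransport).
Input is LDIF as produced by, for instance:
    ldapsearch -LLL -x -H ldap://ldap.example.com \
        -b "ou=people,dc=example,dc=com" "(mail=*)" mail
The directory data below is constructed for the example.
"""

import base64
from collections import defaultdict

# Constructed ldapsearch output: bob and bob.contractor collide on
# bob@example.com (different case), dave's mail is base64-encoded the way
# ldapsearch emits non-ASCII or leading-space values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com

dn: uid=bob.contractor,ou=people,dc=example,dc=com
mail: Bob@Example.com

dn: uid=carol,ou=people,dc=example,dc=com
mail: carol@example.com

dn: uid=dave,ou=people,dc=example,dc=com
mail:: ZGF2ZUBleGFtcGxlLmNvbQ==
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) for a simple LDIF dump.

    Handles the subset ldapsearch emits: entries separated by blank lines,
    'attr: value' lines, 'attr:: base64' lines, comment lines starting with
    '#', an optional 'version:' line and continuation lines that start
    with a single space.
    """
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:      # folded continuation line
            current[-1] += raw[1:]
        elif raw == "":                           # blank line ends an entry
            if current:
                entries.append(current)
                current = []
        elif raw.startswith("#") or raw.startswith("version:"):
            continue
        else:
            current.append(raw)

    parsed = []
    for lines in entries:
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):             # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        parsed.append((dn, dict(attrs)))
    return parsed


def duplicate_emails(entries):
    """Map each email that appears on more than one entry to the DNs carrying it.

    Emails are compared lower-cased: Keycloak stores the email attribute in
    lower case, so entries differing only in case collide in its database.
    """
    by_mail = defaultdict(list)
    for dn, attrs in entries:
        for mail in attrs.get("mail", []):
            by_mail[mail.lower()].append(dn)
    return {mail: dns for mail, dns in by_mail.items() if len(dns) > 1}


def report(ldif_text):
    """Convenience wrapper: LDIF text in, {email: [dn, ...]} of collisions out."""
    return duplicate_emails(parse_ldif(ldif_text))


if __name__ == "__main__":
    for mail, dns in sorted(report(SAMPLE_LDIF).items()):
        print("%s is used by %d entries:" % (mail, len(dns)))
        for dn in dns:
            print("    " + dn)
```

Feed the script the real ldapsearch output (for example by reading it from a file) to get the list of DNs that need distinct addresses before the LDAP cached mode can be enabled; entries that appear in the report are exactly the ones whose import Keycloak will reject.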