Hello everyone,
I’m currently working on integrating Keycloak with YunoHost using a secure LDAP connection (LDAPS).
I’ve successfully set up the connection in read-only mode — user import and login via Keycloak are working fine. However, I would now like to enable password changes directly from Keycloak, which requires write access to LDAP on the YunoHost side.
Here’s my setup:
- YunoHost is configured with a Let’s Encrypt certificate (LDAPS works).
- The LDAP account used by Keycloak (`uid=admin_ldap,ou=users,dc=yunohost,dc=org`) is a user created via the YunoHost interface and added to the `admins` group.
- The Keycloak LDAP provider is set to `WRITABLE` mode.
- LDAPS is active and reachable from Keycloak.
- However, when attempting to update a user’s password via Keycloak, I receive an `LDAP: Insufficient access` error.

My goal: I’d like to understand the proper YunoHost-compatible method to either:
- grant the necessary LDAP write access (particularly for `userPassword`) to the `admin_ldap` account, or
- create a dedicated super-admin LDAP account to manage this securely.

I understand that YunoHost uses OpenLDAP, and that modifying `/etc/ldap/slapd.d` manually can be risky. So before editing ACLs directly, I’d like to ask the community if there’s a clean, YunoHost-aligned way to handle this.

Thanks a lot in advance for your guidance.