Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/api

Describe the bug

With LDAP User Federation configured with cache, first GET /admin/realms/master/users response is slow if max parameter is large – it takes over 3 minutes with ?max=8000. All users are already synced into keycloak database before issuing the request.

Version

26.3.3 and git version 1eba022

Regression

• The issue is a regression

Expected behavior

Response should be much faster. With cache disabled, it consistently takes 4s to get 8000 users.

Actual behavior

LDAP Federation with Cache Settings = DEFAULT, and all users already synced,
GET /admin/realms/master/users?max=8000 takes more than 3 minutes.
Subsequent responses from cache are fast and take ~1s.

How to Reproduce?

LDAP instance with large number of users is required. It needs to be added in User Federation. All settings can be left default, except for connection settings in sections Connection and authentication and LDAP searching and updating.

Cache setting is crucial. Cache needs to be active to reproduce the problem.

It's best to sync users from LDAP into keycloak DB before trying to get users
to avoid LDAP importing noise.

Anything else?

I generated FlameGraph with VisualVM, but were unable to understand how to fix this cache issue.