On top of that - for client roles specifically - if a client ID is obtained from external storage, then it should be put into an attribute of that LDAP role object in unchanged string form, perhaps seeAlso attribute could be used?

Thanks, this confirms that a ID of the store that is storing the clients must be used, as it must not change over time. I was kind of expecting this, but hoping for something different. And that would be a UUID most of the time AFAIK. I wonder who decided to make the clientId changeable, I don't understand that use case yet.

For my test implementation I was using the EntryUUID to reference LDAP entities, and it would be a GUID for ActiveDirectory. My current tests show that I still need a searchDN to look up an object via that id, what is surprising to me. Let's see.

Regarding ou vs cn: I'm an LDAP beginner, yes CN would probably be it.

To me this is now answered. Will move it to answered stuff soon if there is no other comment.

Another comment on on vs cn: For a client role, the full DN would be cn=name_of_role,ou=id_of_client,dc=keycloak,dc=org. So ithe client ID would go into "ou" and the name of the role in the "cn". Please let me know what you think.

The RDN cn=name_of_role,ou=id_of_client sounds reasonable to me (as long as id_of_client is really the ID as in MapClientEntity.getId())

An example: cn=myclientrole,ou=e44b2d1c-9b00-4f22-a8c1-d0aa1c48d7fb,dc=keycloak,dc=org

where "myclientrole" is returned by role.getName(), and "e44b2d1c-9b00-4f22-a8c1-d0aa1c48d7fb" is returned by role.getClientId() (what is the same value as in client.getId())