LDAP connection issues #47459
BradBloomfield started this conversation in Ideas
Replies: 1 comment
Reply: It is buggy #46104
I have been testing the Keycloak LDAP Identity provider integration. It works well for my needs when all servers are up and contactable. However when a server goes down is when things seem to deviate from my expectations. I have seen two cases that do this.
Scenario 1: Multiple LDAP servers for the same AD Domain specified in the ldaps connection string.
If I have an LDAP connection string that specifies three hosts (all Windows DCs for the same Domain) separated by spaces, such as
ldaps://ad001 ldaps://ad002 ldaps://ad003
then it appears that if ad001 goes down, Keycloak cannot access the LDAP store even though ad002 and ad003 are available. I had expected that Keycloak would try other hosts in the list if ad001 fails. This does not appear to be the case.
Scenario 2: Multiple LDAP providers configured for different AD Domains.
Keycloak allows multiple LDAP providers to be created. It will connect to each server and replicate users. This works fine until either one of the servers used for LDAP cannot be contacted. If one server is not able to be contacted then both LDAP connections fail. This means that users that are being sourced from the server that is online cannot authenticate. My expectation was that these integrations should not impact each other.
I wanted to see if I had missed a configuration step and if other people had / are experiencing these issues. If this is a bug, would anybody have any concerns accepting a fix for this, assuming it meets all of the other technical requirements?
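Added illustration for Scenario 1 (this is not code from Keycloak or from the poster): a small Python helper that splits a space-separated connection string like the one above into endpoints and probes them in order, so an operator can see which hosts in the list actually answer before relying on the server to fail over between them. The hostnames are the constructed ones from the post and the TCP probe is an assumed reachability check, not a full LDAP bind.

```python
import socket
from urllib.parse import urlsplit

# Default ports for the two schemes an LDAP connection string may use.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(connection_string):
    """Split a space-separated LDAP connection string into (scheme, host, port).

    A scheme other than ldap/ldaps or a missing host raises rather than being
    silently dropped, so a typo in the list is caught when it is configured.
    """
    endpoints = []
    for token in connection_string.split():
        parts = urlsplit(token)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"malformed LDAP URL: {token!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        endpoints.append((parts.scheme, parts.hostname, port))
    return endpoints


def tcp_probe(host, port, timeout=2.0):
    """Assumed reachability check: True if host:port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(connection_string, probe=tcp_probe):
    """Walk the URL list in order, as a client is expected to on failover, and
    return the first endpoint that answers, or None if every host is down.
    `probe` is injectable so the logic can run without real directory servers."""
    for scheme, host, port in parse_ldap_urls(connection_string):
        if probe(host, port):
            return (scheme, host, port)
    return None


if __name__ == "__main__":
    # Constructed hostnames from the discussion; resolve only on that network.
    print(first_reachable("ldaps://ad001 ldaps://ad002 ldaps://ad003"))
```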