I was dabbling with Univention’s Keycloak app to use Keycloak as an auth backend for a different project. However I had a hard time getting things to work: setting up a new realm would work but I couldn’t set up realm users with the role of a realm-admin, which renders the new realm useless.
Essentially this is because the Keycloak app sets up the master realm with a user federation with UCS’ LDAP. And incorrectly. Incorrectly because by default it has StartTLS enabled with the non-TLS port configured (thanks to @hasechris02 for finding this one out: Error in Keycloak LDAP Query - TLS Problem to LDAP - #2 by hasechris92 ). As far as my Keycloak-foo goes, this meant that the Keycloak admin (master realm) doesn’t have the privs to issue out realm admin permissions to users.
One thing I don’t get is, why is the master realm configured with a user federation and what does it mean if I turn this off. I would have assumed that the master realm is not connected to the LDAP – Keycloak’s admin account’s creds are stored independently as well.
(Just for reference: The attached screenshot shows the error message in the default install when I try to search for users in the demo realm (“unexpected non-whitespace character after JSON data at line 1 column 330 of the JSON data”).)
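The post describes a StartTLS/port mismatch in the LDAP user federation the app installs by default. The following is an added example, not code from Univention, Keycloak or the poster: a small lint that reads one LDAP federation component in the shape Keycloak's admin REST API returns (every config value is a list of strings, keys `connectionUrl` and `startTls`) and flags the scheme/port/StartTLS combinations that cannot work or that send the bind password in clear. The sample configs and the hostname are constructed, and the assumption that UCS' LDAP listens on 7389 (plain/StartTLS) and 7636 (ldaps) is mine, not something the post states.

```python
"""Lint a Keycloak LDAP user-federation component config for TLS/port mismatches.

Added example (not Univention's or Keycloak's code). It assumes the config
shape Keycloak's admin REST API returns for an ldap component: every value is
a list of strings, e.g. {"connectionUrl": ["ldap://host:389"], "startTls": ["true"]}.
"""
from urllib.parse import urlsplit

# Listener ports the lint treats as TLS-only (ldaps) or plain/StartTLS.
# 636/389 are the IANA ports; 7636/7389 are assumed to be the UCS LDAP ports
# (an assumption for this example, not stated in the forum post).
TLS_PORTS = {636, 7636}
PLAIN_PORTS = {389, 7389}


def _first(config, key, default=""):
    """Unwrap Keycloak's list-of-strings config values to a single string."""
    value = config.get(key, default)
    if isinstance(value, list):
        value = value[0] if value else default
    return str(value)


def lint_ldap_federation(config):
    """Return a list of (severity, message) findings for one LDAP federation component."""
    findings = []
    url = _first(config, "connectionUrl")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:
        findings.append(("error", f"unparseable port in connectionUrl {url!r}"))
        return findings
    if port is None:
        port = 636 if scheme == "ldaps" else 389
    start_tls = _first(config, "startTls", "false").lower() == "true"

    if scheme not in ("ldap", "ldaps"):
        findings.append(("error", f"unsupported scheme in connectionUrl {url!r}"))
        return findings
    # StartTLS upgrades a plaintext socket; on an ldaps:// socket it is already TLS.
    if scheme == "ldaps" and start_tls:
        findings.append(("error",
                         "StartTLS enabled on an ldaps:// URL: the socket is already TLS, "
                         "so the StartTLS extended operation will fail"))
    # Scheme and listener port must agree, otherwise the handshake hits the wrong listener.
    if scheme == "ldaps" and port in PLAIN_PORTS:
        findings.append(("error",
                         f"ldaps:// on plain listener port {port}: TLS handshake sent to a non-TLS listener"))
    if scheme == "ldap" and port in TLS_PORTS:
        findings.append(("error",
                         f"ldap:// on TLS listener port {port}: plaintext LDAP sent to a TLS listener"))
    # Neither ldaps nor StartTLS means the bindDn password crosses the network unencrypted.
    if scheme == "ldap" and not start_tls:
        findings.append(("warning",
                         "neither ldaps:// nor StartTLS: the bindDn password and user searches "
                         "cross the network in clear"))
    return findings


# Constructed sample configs (not real UCS values) covering the outcomes.
SAMPLE_CONFIGS = {
    "tls-port-plain-scheme": {"connectionUrl": ["ldap://ucs.example.test:7636"], "startTls": ["true"]},
    "plaintext": {"connectionUrl": ["ldap://ucs.example.test:7389"], "startTls": ["false"]},
    "ok-ldaps": {"connectionUrl": ["ldaps://ucs.example.test:7636"], "startTls": ["false"]},
    "ok-starttls": {"connectionUrl": ["ldap://ucs.example.test:7389"], "startTls": ["true"]},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, lint_ldap_federation(cfg) or "OK")
```

To run it against a live instance, fetch the component with `GET /admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider` and pass each component's `config` dict to `lint_ldap_federation`; a clean federation returns an empty list.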