diff --git a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh b/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
deleted file mode 100644
index ba7fbe47e89..00000000000
--- a/deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ocis server&
-sleep 10
-
-# stop builtin IDP since we use Keycloak as a replacement
-#ocis kill idp
-
-echo "##################################################"
-echo "change default secrets:"
-
-ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD bc596f3c-c955-4328-80a0-60d018b4ad57 # REVA
-
-echo "##################################################"
-
-echo "##################################################"
-echo "delete demo users" # users are provided by keycloak
-
-set +e # accounts can only delete once, so it will fail the second time
-# only admin, IDP and REVA user will be created because of ACCOUNTS_DEMO_USERS_AND_GROUPS=false
-ocis accounts remove  820ba2a1-3f54-4538-80a4-2d73007e30bf # IDP user
-ocis accounts remove ddc2004c-0977-11eb-9d3f-a793888cd0f8 # admin
-set -e
-
-echo "##################################################"
-
-wait # wait for oCIS to exit
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index c847db80160..f6bbd466f81 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -49,7 +49,10 @@ services:
       ocis-net:
     entrypoint:
       - /bin/sh
-      - /entrypoint-override.sh
+    # run ocis init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the ocis server
+    command: ["-c", "ocis init || true; ocis server"]
     environment:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -64,7 +67,6 @@ services:
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # demo users
-      ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}"  # deprecated, remove after switching to LibreIDM
       IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
       # change default secrets
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
@@ -75,7 +77,6 @@ services:
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
       OCIS_INSECURE: "${INSECURE:-false}"
     volumes:
-      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/lib/ocis
     labels:
       - "traefik.enable=true"