[keycloak-user] To LDAP or NOT?

Marek Posolda mposolda at redhat.com
Tue Dec 22 15:01:57 EST 2015


You can plug LDAP into Keycloak as a user federation provider (see the 
Keycloak docs), but Keycloak still needs to store users in its 
internal database. That's because Keycloak has various internal user 
metadata specific to its logic. So usually just some parts of a user are 
stored in LDAP (you can control with LDAP mappers what exactly), but all 
the other stuff is in the Keycloak database.

Integrating Keycloak with LDAP is useful especially in case you have:
- An existing user base stored in LDAP
- Other systems or applications which are compatible with LDAP and 
need to read user information from there

If none of those is applicable to you, then it's best to skip LDAP and 
just use the Keycloak internal database. There is no need to store info 
about user accounts in two places if there is no reason for that.

Marek

On 22/12/15 14:51, Christopher Wallace wrote:
> We are building a new application with an RBAC security model; we always 
> attempt to use as much COTS functionality of our technology stack as 
> possible. We are working with version 1.7 of KEYCLOAK for SSO (thank 
> you for this product, by the way). We are at a decision point of where 
> to persist our users, roles and permissions. We considered LDAP, but 
> then, with the introduction of composite roles into KEYCLOAK, there was 
> consolidation: could we support users and roles directly in KEYCLOAK 
> and permissions in our datastore? My question to the group is: what is the 
> best practice? Is there value in having the additional LDAP user 
> repository? In most places, in my experience, there is both LDAP or AD and 
> SSO. I wanted to keep the email fairly short, but if you have 
> additional questions please feel free.
>
> Thank You!
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
