[keycloak-user] Can Keycloak simulate LDAP server?

Thu Oct 15 09:22:12 EDT 2015

I have a similar use case.  The current approach assumes that the LDAP
server will be available at all times.  If the LDAP server goes offline,
and a user is created, they won't be synced (as far as I'm aware).  I'm
assuming this is primarily due to the issues around transferring the
password information from keycloak to an LDAP server in a useful and
consistent way.  I think adding either an LDAP server, or at the very least
a much better API for accessing user data would be a huge win for keycloak.

We've hacked around this problem by implementing a custom apache ds
partition that uses the keycloak libraries to talk to our database.  This
is made more difficult by the way these libraries are structured.  For
example, at least as of 1.2.0, there is no way to query the database for a
list of members of a particular role.  This means that I have to build this
mapping myself, then cache it so that I don't have to wait many seconds for
every role lookup.  Also, it's not an interface that is meant for public
consumption, so it may change without warning, etc.  The solution we have
works, but certain operations are slow, and it may cause maintenance
issues.  I'm going to explore using the REST API instead, though it may not
expose enough information.

Another potential issue is the IDs assigned to users/roles.  Keycloak
currently doesn't assign IDs that would be easily mapped onto the ID space
that many systems would expect (32 bit int, or similar).  I think this
could be worked around, but it is another challenge for any universally
useful LDAP directory backed by keycloak.

On Thu, Oct 15, 2015 at 6:56 AM, Valerij Timofeev <
valerij.timofeev at gmail.com> wrote:

> The scenario where users are created in Keycloak and then synchronized to
> LDAP is clear. It is good documented.
> But what about scenario, if LDAP server setup should occur months later
> after Keycloak setup?
> Would it be possible to synchronize existing Keycloak users including
> their password to LDAP for example on successful login?
>
> 2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>
>> In that case, I would likely use Keycloak with LDAP federation provider,
>> which will point to some LDAP server in your environment. KC Federation
>> provider needs to be declared with editMode "WRITABLE", so all users
>> created through Keycloak will be synced to LDAP server as well including
>> their password. Then the legacy product compatible just with LDAP will
>> authenticate users against this LDAP server.
>>
>> Marek
>>
>>
>> On 15/10/15 11:41, Valerij Timofeev wrote:
>>
>> Hi all,
>>
>> we are interested to know if it is possible to authenticate users of pure
>> LDAP client against Keycloak?
>>
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd
>> like to avoid dead end if for example some product (e.g. SaaS) does not
>> support user authentication against Keycloak, but does against standard
>> LDAP server.
>>
>> If it is impossible, has anybody succeeded to implement reverted
>> direction of user federation synchronization (all users data from Keycloak
>> should be copied to a fresh LDAP server installation)?
>>
>> Answers to these questions may be decisive for the Keycloak usage in our
>> organization.
>>
>> Thank you in advance
>>
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Andrew Zenk, EIT
Polar Geospatial Center
University of Minnesota
Office: (612) 625-0872
Cell: (612) 414-9617
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151015/87c57808/attachment.html 