[keycloak-user] Active Directory
Marek Posolda
mposolda at redhat.com
Wed Jun 22 10:23:25 EDT 2016
On 21/06/16 10:21, Christopher Davies wrote:
> I am looking to use KeyCloak backed by an AD server.
> Can I check a few things that I understand are correct.
>
> 1) Using the User Federation SPI I import the following from
> ActiveDirectory into the KeyCloak database : first name, surname,
> email, username and password.
By default you are importing first name, surname, email and username.
You can import more attributes by creating additional LDAP mappers. But
no password is imported from MSAD to Keycloak DB.
> 2) Password checks are made against the Keycloak database and not the
> ActiveDirectory system
No, password checks are made against ActiveDirectory. Just if you have
editMode UNSYNCED and you change the password of the user (or he changes
it himself in account management), then the new password will be saved
into Keycloak DB and will be used in favor of the old password from MSAD.
> 3) Enabling kerberos authentication will allow me to do passwordless
> login using my web browser from my windows box
Yes. See our Kerberos documentation for more details [1].
[1]
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html
Marek
>
> Hope I am not too far from the mark
>
> Chris
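The two settings Marek describes (the default attribute import plus extra LDAP mappers, and the editMode that decides whether a changed password ends up in the Keycloak DB) are exposed through the admin REST API as "component" objects. The script below is an added example, not code from this thread or from the Keycloak project: it builds the component representation for an MSAD-backed LDAP provider and for one additional user-attribute mapper, and gives a small check that flags the UNSYNCED case in which Keycloak may store its own copy of a password. The config key names follow Keycloak's LDAP provider and user-attribute mapper (editMode, vendor, usersDn, ldap.attribute, ...); confirm them against a component export from your own Keycloak version before relying on them. The realm id, URLs, DNs, service account and the function names are placeholders.

```python
"""Build Keycloak admin REST payloads for an Active Directory user-storage
provider and an extra LDAP attribute mapper.

Added example for the keycloak-user thread above; not Keycloak project code.
Assumptions: realm id, connection URL, DNs and credentials are placeholders,
and the config key names are taken from Keycloak's LDAP provider and
user-attribute mapper (verify against a component export from your version).
"""
import json
import urllib.request

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
VALID_EDIT_MODES = ("READ_ONLY", "WRITABLE", "UNSYNCED")


def ad_provider_component(realm_id, name, connection_url, users_dn, bind_dn,
                          bind_credential, edit_mode="READ_ONLY", kerberos=None):
    """Component representation for an MSAD-backed LDAP user storage provider.

    Keycloak stores every config value as a one-element list of strings.
    There is deliberately no password attribute in this config: Keycloak does
    not import AD passwords, it verifies them against AD at login time.
    """
    if edit_mode not in VALID_EDIT_MODES:
        raise ValueError(f"editMode must be one of {VALID_EDIT_MODES}")
    config = {
        "editMode": [edit_mode],
        "vendor": ["ad"],
        "connectionUrl": [connection_url],
        "usersDn": [users_dn],
        "authType": ["simple"],
        "bindDn": [bind_dn],
        "bindCredential": [bind_credential],
        # AD-specific attribute names; the default mappers cover
        # username, first name, surname and email.
        "usernameLDAPAttribute": ["sAMAccountName"],
        "rdnLDAPAttribute": ["cn"],
        "uuidLDAPAttribute": ["objectGUID"],
        "userObjectClasses": ["person, organizationalPerson, user"],
        "importEnabled": ["true"],
    }
    if kerberos:
        # Optional SPNEGO settings for browser-based passwordless login.
        config.update({
            "allowKerberosAuthentication": ["true"],
            "kerberosRealm": [kerberos["realm"]],
            "serverPrincipal": [kerberos["server_principal"]],
            "keyTab": [kerberos["keytab"]],
        })
    return {"name": name, "providerId": "ldap", "providerType": USER_STORAGE_TYPE,
            "parentId": realm_id, "config": config}


def attribute_mapper_component(provider_id, name, ldap_attribute, user_attribute,
                               read_only=True):
    """Mapper that copies one extra AD attribute onto the Keycloak user."""
    return {
        "name": name,
        "providerId": "user-attribute-ldap-mapper",
        "providerType": LDAP_MAPPER_TYPE,
        "parentId": provider_id,
        "config": {
            "ldap.attribute": [ldap_attribute],
            "user.model.attribute": [user_attribute],
            "read.only": [str(read_only).lower()],
            "always.read.value.from.ldap": ["true"],
            "is.mandatory.in.ldap": ["false"],
        },
    }


def stores_local_passwords(component):
    """True when a password change could be kept in the Keycloak DB instead of AD.

    With READ_ONLY or WRITABLE every password check goes to AD; only UNSYNCED
    lets Keycloak persist a locally changed password and prefer it over AD.
    """
    return component["config"].get("editMode") == ["UNSYNCED"]


def create_component(base_url, realm, token, component):
    """POST the component through the admin REST API (network call)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")  # URL of the created component
```

Create the provider first, take the component id from the returned Location header, and pass it as `provider_id` to `attribute_mapper_component` so the mapper is attached to that provider. Keeping the default editMode READ_ONLY means the "password checks are made against ActiveDirectory" answer holds for every user; switch to UNSYNCED only when you accept that Keycloak may end up holding password hashes that diverge from AD.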