[keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?

atx at binaryninja.de
Sun Jun 17 04:05:37 EDT 2018


Hey there,

we had a somewhat similar issue with the LDAP integration that comes 
out of the box, since our users are also stored in many different LDAPs 
and in addition needed to be merged, since the information in both LDAPs 
was redundant... we ended up writing our own LDAP SPI. It was easier 
than expected.

But reading your request, I wonder if you should have ONE Realm with 
hundreds of customer LDAPs in it? Even with universities they tend to 
have at most a couple of LDAPs. I would guess you want one realm per 
customer?

BR


On 15.06.2018 at 11:36, Filipe Abrahao wrote:
> Thank you for your help. I am not very sure how to proceed to be honest, I
> will report back to the team.
>
> In mean while we are going to continue to experiment with it.
>
> Thank you again.
>
>
> On 14 June 2018 at 21:27:56, Stian Thorgersen (sthorger at redhat.com) wrote:
>
> If you use login only with email and all users for the same LDAP server has
> the same domain (user at ldap-1.com, etc.) then we could add config to the
> LDAP that only matches certain emails. As you proposed it may also be able
> to somehow autodetect that.
>
> On 14 June 2018 at 17:48, Hammarberg, Daniel <
> daniel.hammarberg at capgemini.com> wrote:
>
>> Hi all,
>>
>> One more thing to keep in mind is that Keycloak only allows an email
>> address to be used once in every realm. So if a user has the same email
>> address across several ldap servers, it might cause you some problems if
>> all users are in the same realm. I presume the same limitation goes for
>> user names.
>>
>> Cheers
>> /Daniel
>>
>> _______________________________________________________________________
>> Daniel Hammarberg
>> Managing Delivery Architect | Application Services
>>
>> Capgemini Sweden | Göteborg
>> www.capgemini.com
>> _______________________________________________________________________
>>
>> -----Original Message-----
>> From: Stian Thorgersen <sthorger at redhat.com>
>> Sent: 14 June 2018 14:35
>> To: Filipe Abrahao
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Will Keycloak scale to handle hundreds of
>> LDAP integrations?
>>
>> Are you planning to have a single realm?
>>
>> The way users are retrieved when there are multiple LDAP servers is
>> currently quite limited. It will simply search through them in order until
>> the user is found. Once found, a user with the link to the correct LDAP will
>> be set up. With hundreds of LDAP connections this will most likely be rather
>> slow.
>>
>> It's also not a scenario we've tested so you would have to test and
>> experiment with this yourself.
>>
>> On 14 June 2018 at 14:30, Filipe Abrahao <lfa at doodle.com> wrote:
>>
>>> Hi everyone,
>>>
>>> I work at Doodle, an online platform to help people to schedule
>>> meetings and social events. We have around 28m people that use our
>>> product every month and we are in the process of splitting our monolith.
>>>
>>> We have been experimenting with Keycloak as our auth service, and so
>>> far we are pretty happy with it. We are just making sure it fulfils all
>>> our requirements, but we have one that we are not sure would work with
>>> Keycloak:
>>>
>>> Some of our bigger users, like universities and big corporations,
>>> require to manage their users via LDAP. We know that Keycloak can
>>> integrate with LDAP. But my question is if creating one LDAP
>>> configuration for each client is the right way to do it.
>>>
>>> If we have to configure one LDAP integration for each client that
>>> requires it, we potentially will end up with hundreds (perhaps
>>> thousands) of them. Will it scale? Will Keycloak be able to handle that?
>>>
>>> many thanks,
>>> Filipe A
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

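The lookup behaviour Stian describes (providers searched in order until the first hit, which is then the provider the user gets linked to), the email-domain routing he floats, and Daniel's one-email-per-realm constraint can be modelled to show why a single realm with hundreds of LDAPs gets slow and where it breaks. The following is an added simulation written for this page; it is not Keycloak code, and `FakeLdap`, `sequential_lookup`, `build_domain_index`, `domain_routed_lookup`, `find_email_collisions` and the `tenantN.example` data are all constructed for illustration.

```python
"""Constructed simulation (not Keycloak code) of the user lookup behaviour
discussed in the thread: with several LDAP providers in one realm, Keycloak
searches them in order until the user is found, so cost grows with the number
of providers, the worst case being a login for a user that exists nowhere."""

from dataclasses import dataclass, field


@dataclass
class FakeLdap:
    """Stand-in for one customer's LDAP server (constructed sample data)."""
    name: str
    domain: str                                  # email domain shared by this tenant's users
    users: dict = field(default_factory=dict)    # email -> DN
    queries: int = 0                             # searches this server has received

    def search(self, email: str):
        """One directory search; returns the DN or None."""
        self.queries += 1
        return self.users.get(email.lower())


def sequential_lookup(providers, email):
    """Behaviour described in the thread: try providers in priority order and
    stop at the first hit, which is the provider the user gets linked to.
    Returns (provider_name, dn, number_of_ldap_queries)."""
    queries = 0
    for provider in providers:
        queries += 1
        dn = provider.search(email)
        if dn is not None:
            return provider.name, dn, queries
    return None, None, queries        # unknown user: every server was asked


def build_domain_index(providers):
    """Routing table for the idea floated in the thread: map each email domain
    to exactly one provider. Two tenants sharing a domain cannot be routed
    this way, so that case is rejected instead of silently picking one."""
    index = {}
    for provider in providers:
        if provider.domain in index:
            raise ValueError(f"domain {provider.domain} used by more than one provider")
        index[provider.domain] = provider
    return index


def domain_routed_lookup(index, email):
    """Ask only the provider whose domain matches the login email."""
    domain = email.rpartition("@")[2].lower()
    provider = index.get(domain)
    if provider is None:
        return None, None, 0          # no tenant for this domain: no LDAP traffic at all
    dn = provider.search(email)
    return (provider.name, dn, 1) if dn is not None else (None, None, 1)


def find_email_collisions(providers):
    """Daniel's caveat: an email may exist only once per realm. Return the
    emails that appear in more than one provider, with the providers involved."""
    seen = {}
    for provider in providers:
        for email in provider.users:
            seen.setdefault(email.lower(), []).append(provider.name)
    return {email: names for email, names in seen.items() if len(names) > 1}


def build_sample(n_tenants):
    """Constructed fixture: one LDAP per tenant, each holding a user 'alice'."""
    providers = []
    for i in range(n_tenants):
        domain = f"tenant{i}.example"
        providers.append(FakeLdap(name=f"ldap-{i}", domain=domain,
                                  users={f"alice@{domain}": f"uid=alice,dc=tenant{i}"}))
    return providers


if __name__ == "__main__":
    tenants = build_sample(300)
    print(sequential_lookup(tenants, "alice@tenant299.example"))    # 300 LDAP queries
    print(sequential_lookup(tenants, "nobody@tenant5.example"))      # 300 queries, not found
    print(domain_routed_lookup(build_domain_index(tenants), "alice@tenant299.example"))  # 1 query
    tenants[1].users["alice@tenant0.example"] = "uid=alice,dc=tenant1"  # constructed duplicate
    print(find_email_collisions(tenants))
```

The point of `sequential_lookup` is the query count: a user in the last-priority LDAP, or a login attempt for an address that exists nowhere, costs one search per configured provider, and every failed login pays the full price. Domain routing only works when each tenant owns a distinct email domain, which is why `build_domain_index` refuses overlapping domains, and `find_email_collisions` is the check to run before pooling tenants into one realm, since Keycloak will reject the second user with the same email.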