[keycloak-user] [KeyCloak] - LDAP Query

Marek Posolda mposolda at redhat.com
Thu Oct 25 05:38:11 EDT 2018


Hi,

On 25/10/18 08:31, Vivek Aggarwal wrote:
> Hi Team,
>
> We've started exploring KeyCloak from an Identity & Access Management
> perspective & intended to integrate it with various other tools like
> Jenkins Console, Mongo Console, Linux user administration etc.
>
> But we have a related concern: currently we're unable to figure out how
> we can use KeyCloak as an LDAP for Linux machines. For instance, can we
> integrate it with our Linux machines to manage SSH users?
Keycloak itself is not an LDAP server. However, Keycloak can be integrated 
with an LDAP server, so that Keycloak uses the LDAP server to authenticate 
users.

With that in mind, I think you can indirectly achieve what you want. You 
just need to integrate Keycloak with the LDAP and configure it with 
editMode WRITABLE. And you will integrate the same LDAP for your Linux/SSH 
authentication. This means that if you create a new user in Keycloak, this 
user will be propagated to the LDAP and so he can also authenticate to 
SSH/Linux through the same LDAP server that Keycloak is using.
>
> And a related question: we've read somewhere in the community forums that
> KeyCloak is not meant for LDAP. Well, in that case, how are we able to manage
> users for the Jenkins console using KeyCloak? Currently we've successfully
> integrated Keycloak with the Jenkins console. Is it not acting as LDAP for
> the Jenkins console?
I guess you integrated Jenkins to use Keycloak for authentication. In 
that case, you can either:
- Manage users just through the Keycloak console and never from the Jenkins 
console. The updates from Keycloak will be propagated to LDAP. So this 
way, it will ensure that users will be able to authenticate to Jenkins 
and Jenkins will see the latest user profile info from Keycloak/LDAP
- Manage users through Jenkins. I assume your Jenkins will write 
users to LDAP then. In Keycloak, you will then also see the updated user 
as Keycloak uses LDAP as the source of the info. However, you may need to 
adjust caching policies on the Keycloak side due to this to see the updates 
on the Keycloak side immediately (see docs for more details). So maybe I 
would personally prefer option 1 if possible.

Marek
>
> Kindly help in understanding the above concerns & suggest if there are any
> recommendations.
>
>
> regards
> Vivek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
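The setup Marek describes (Keycloak federating an LDAP directory with editMode WRITABLE so that users created in Keycloak are written to the same directory the Linux/SSH hosts authenticate against, with the cache policy as the knob to turn when Jenkins writes to LDAP directly) can be registered through the Keycloak admin REST API. The script below is an added example written for this page; it is not code from the thread or from the Keycloak project. The hostnames, DNs, realm id and bind credential are constructed placeholders; `build_ldap_component` produces the component representation that `POST /admin/realms/{realm}/components` accepts, and `create_component` sends it with a token obtained from the `admin-cli` client. It refuses an `ldap://` URL without StartTLS so the bind credential never crosses the network in clear, and it rejects `syncRegistrations` without `WRITABLE`, since that combination cannot propagate new users. It deliberately adds no mappers: for Linux logins through SSSD/PAM the directory entries additionally need `posixAccount` attributes (uidNumber, gidNumber, homeDirectory, loginShell), which the thread does not cover and which you would add as user-attribute LDAP mappers separately.

```python
"""Added example (not from the thread or from Keycloak itself): register an LDAP
user storage provider in a Keycloak realm with editMode=WRITABLE via the admin REST API."""
import json
import urllib.parse
import urllib.request

# Values Keycloak accepts for the two settings discussed in the thread.
EDIT_MODES = ("READ_ONLY", "WRITABLE", "UNSYNCED")
CACHE_POLICIES = ("DEFAULT", "NO_CACHE", "EVICT_DAILY", "EVICT_WEEKLY", "MAX_LIFESPAN")


def build_ldap_component(realm_id, connection_url, users_dn, bind_dn, bind_credential,
                         name="ldap", edit_mode="WRITABLE", sync_registrations=True,
                         start_tls=False, cache_policy="DEFAULT"):
    """Return the JSON body for POST /admin/realms/{realm}/components.

    Keycloak stores every config value as a list of strings, hence the
    single-element lists. Raises ValueError for settings that cannot give
    the behaviour the thread relies on or that expose the bind credential.
    """
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"editMode must be one of {EDIT_MODES}")
    if cache_policy not in CACHE_POLICIES:
        raise ValueError(f"cachePolicy must be one of {CACHE_POLICIES}")
    if sync_registrations and edit_mode != "WRITABLE":
        # New Keycloak users reach LDAP only when Keycloak is allowed to write to it.
        raise ValueError("syncRegistrations requires editMode=WRITABLE")
    if not connection_url.startswith("ldaps://") and not start_tls:
        raise ValueError("use ldaps:// or StartTLS; otherwise the bind credential travels in clear")
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,  # the realm's internal id ("id" in GET /admin/realms/{realm})
        "config": {
            "enabled": ["true"],
            "editMode": [edit_mode],
            "syncRegistrations": ["true" if sync_registrations else "false"],
            "vendor": ["other"],  # generic LDAP; use "ad", "rhds", ... for specific servers
            "connectionUrl": [connection_url],
            "startTls": ["true" if start_tls else "false"],
            "usersDn": [users_dn],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "authType": ["simple"],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            # NO_CACHE or an EVICT_* policy makes changes written to LDAP by other
            # systems (e.g. Jenkins) visible in Keycloak sooner, at a lookup cost.
            "cachePolicy": [cache_policy],
        },
    }


def redact_for_log(component):
    """Deep copy with the bind credential masked, safe to print or log."""
    safe = json.loads(json.dumps(component))
    if "bindCredential" in safe.get("config", {}):
        safe["config"]["bindCredential"] = ["***"]
    return safe


def get_admin_token(base_url, username, password, realm="master"):
    """Password grant against the built-in admin-cli client (base_url without trailing slash;
    older Keycloak deployments served under /auth, so include that if yours does)."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_component(base_url, realm, access_token, component):
    """POST the component; Keycloak answers 201 with the new component's URL in Location."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before running against a server.
    comp = build_ldap_component(
        realm_id="REALM-ID-PLACEHOLDER", connection_url="ldaps://ldap.example.com:636",
        users_dn="ou=People,dc=example,dc=com", bind_dn="cn=admin,dc=example,dc=com",
        bind_credential="CHANGE-ME", cache_policy="NO_CACHE")
    print(json.dumps(redact_for_log(comp), indent=2))
    # token = get_admin_token("https://keycloak.example.com", "admin", "ADMIN-PASSWORD")
    # print(create_component("https://keycloak.example.com", "myrealm", token, comp))
```

Running the script as-is only prints the redacted payload; uncomment the last two lines with a real base URL, realm name and admin credentials to create the provider. After that, a user created in the Keycloak admin console appears as an LDAP entry under the configured `usersDn`, which is what lets the same directory serve the SSH hosts.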