[keycloak-user] [KeyCloak] - LDAP Query
Marek Posolda
mposolda at redhat.com
Thu Oct 25 05:38:11 EDT 2018
Hi,
On 25/10/18 08:31, Vivek Aggarwal wrote:
> Hi Team,
>
> We've started exploring KeyCloak from an Identity & Access Management
> perspective & intend to integrate it with various other tools like
> Jenkins Console, Mongo Console, Linux user administration etc.
>
> But we have a related concern: currently we're unable to figure out how
> we can use KeyCloak as an LDAP for Linux machines. For instance, can we
> integrate it with our Linux machines to manage SSH users?
Keycloak itself is not an LDAP server. However, Keycloak can be integrated
with an LDAP server, so that Keycloak uses the LDAP server to authenticate
users.
With that in mind, I think you can indirectly achieve what you want. You
just need to integrate Keycloak with the LDAP server and configure it with
editMode WRITABLE, and integrate the same LDAP server for your Linux/SSH
authentication. This means that if you create a new user in Keycloak, this
user will be propagated to LDAP and so can also authenticate to
SSH/Linux through the same LDAP server that Keycloak is using.
>
> And a related question: we've read somewhere in the community forums that
> KeyCloak is not meant for LDAP; well, in that case, how are we able to manage
> users for the Jenkins console using KeyCloak? Currently we've successfully
> integrated Keycloak with the Jenkins console. Is it not acting as LDAP for
> the Jenkins console?
I guess you integrated Jenkins to use Keycloak for authentication. In
that case, you can either:
- Manage users just through the Keycloak console and never from the Jenkins
console. The updates from Keycloak will be propagated to LDAP. This
way, it will ensure that users will be able to authenticate to Jenkins,
and Jenkins will see the latest user profile info from Keycloak/LDAP.
- Manage users through Jenkins. I assume your Jenkins will write
users to LDAP then. In Keycloak, you will then also see the updated user,
as Keycloak uses LDAP as the source of the info. However, you may need to
adjust caching policies on the Keycloak side to see the updates
on the Keycloak side immediately (see docs for more details). So I
would personally prefer option 1 if possible.
Marek
>
> Kindly help in understanding the above concerns & suggest if there are any
> recommendations.
>
>
> regards
> Vivek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
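As an added example that is not from this thread or from the Keycloak project: the setup Marek describes, built as a Keycloak admin REST API component representation (an LDAP user storage provider with editMode WRITABLE and syncRegistrations, so users created in Keycloak land in the same LDAP the Linux hosts use, and cachePolicy NO_CACHE for the second option where Jenkins writes LDAP directly). The Keycloak URL, realm, admin token and LDAP DNs are placeholders, and the two helper functions are assumed names, not part of Keycloak.

```python
import json
import urllib.request

# Placeholder deployment values (constructed for this example).
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "myrealm"

def build_ldap_component(name, connection_url, users_dn, bind_dn, bind_credential,
                         keycloak_manages_users=True):
    """Component representation for an LDAP user storage provider.
    True  -> option 1: users are managed in Keycloak; WRITABLE + syncRegistrations push them to LDAP.
    False -> option 2: another tool writes LDAP directly; NO_CACHE so Keycloak sees changes at once.
    Keycloak's REST representation stores every config value as a list of strings.
    """
    config = {
        "enabled": "true",
        "editMode": "WRITABLE",            # Keycloak writes user changes back to LDAP
        "syncRegistrations": "true",       # users created in Keycloak are created in LDAP too
        "importEnabled": "true",
        "vendor": "other",
        "connectionUrl": connection_url,   # use ldaps:// so the bind credential is not sent in clear
        "usersDn": users_dn,
        "authType": "simple",
        "bindDn": bind_dn,
        "bindCredential": bind_credential,
        "usernameLDAPAttribute": "uid",
        "rdnLDAPAttribute": "uid",
        "uuidLDAPAttribute": "entryUUID",
        "userObjectClasses": "inetOrgPerson, organizationalPerson",
        "searchScope": "1",                # one level below usersDn
        "cachePolicy": "DEFAULT" if keycloak_manages_users else "NO_CACHE",
    }
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {key: [value] for key, value in config.items()},
    }

def create_component(component, admin_token):
    """POST the component to the admin REST API (needs a live Keycloak, so not run offline)."""
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms/{REALM}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created on success
```

The same `usersDn` and bind account are what the Linux hosts' LDAP client (e.g. sssd) would be pointed at, which is what makes one user record serve both Keycloak and SSH.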