<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 16/10/15 14:31, Valerij Timofeev
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAOy2obHN8HLjncL3SoL6R_NimWkPJu2LeaQzOqyOrKpUUvjntQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>I suppose that implementing an LDAP server in Keycloak is
              not an option for RH because there is already FreeIPA ;-)<br>
            </div>
            But unfortunately 389-DS does not support the PBKDF2 algorithm
            and as far as I know there are no plans for that: <a
              moz-do-not-send="true" class="moz-txt-link-freetext"
              href="https://fedorahosted.org/freeipa/ticket/4182">https://fedorahosted.org/freeipa/ticket/4182</a>
            <br>
          </div>
          <div>Are there any plans to make hash algorithms in Keycloak
            pluggable, in order, for example, to ensure compatibility with
            FreeIPA and thus ease the migration path?<br>
            <a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes"
              class="" rel="nofollow">https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes</a>
            - search for <b>passwordStorageScheme</b><br>
          </div>
        </div>
      </div>
    </blockquote>
    Yes, it is planned to be pluggable. I think a JIRA is already created,
    AFAIK.<br>
    <blockquote
cite="mid:CAOy2obHN8HLjncL3SoL6R_NimWkPJu2LeaQzOqyOrKpUUvjntQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          Instead of "exposing the whole LDAP server", would it be
          feasible for Keycloak to implement SASL for use in LDAP
          servers instead? <br>
        </div>
      </div>
    </blockquote>
    Maybe, but that would address just authentication to LDAP, right? Not
    full user provisioning from LDAP, which is what Andrew mentioned.
    Btw. we have the JAAS DirectAccessGrantsLoginModule, which allows a login
    module triggered anywhere to authenticate against Keycloak using
    the Direct Grant API. Some docs are here:
    <a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/html/ch08.html#jaas-adapter">http://keycloak.github.io/docs/userguide/html/ch08.html#jaas-adapter</a><br>
    <br>
    The Elytron project (
    <a class="moz-txt-link-freetext" href="https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary">https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary</a> ) may
    already provide a SASL authentication mechanism for auth against JAAS.
    So it might already be possible to use SASL to authenticate against
    Keycloak. But I am not really sure. You can try to investigate...<br>
    <br>
    Marek<br>
    <blockquote
cite="mid:CAOy2obHN8HLjncL3SoL6R_NimWkPJu2LeaQzOqyOrKpUUvjntQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
          Should I better ask these questions on the Keycloak developers
          list?<br>
          <br>
        </div>
        Valerij<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2015-10-15 12:42 GMT+02:00 Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>In that case, I would likely use Keycloak with the LDAP
                federation provider, which will point to some LDAP
                server in your environment. The KC federation provider needs
                to be declared with editMode "WRITABLE", so all users
                created through Keycloak will be synced to the LDAP server
                as well, including their password. Then the legacy
                product compatible just with LDAP will authenticate
                users against this LDAP server.<br>
                <br>
                Marek
                <div>
                  <div class="h5"><br>
                    <br>
                    On 15/10/15 11:41, Valerij Timofeev wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div>
                        <div>Hi all,<br>
                          <br>
                          we are interested to know if it is possible to
                          authenticate users of a pure LDAP client against
                          Keycloak?<br>
                          <br>
                          Why? We are planning to migrate legacy user
                          storage to Keycloak and we'd like to avoid a
                          dead end if, for example, some product (e.g.
                          SaaS) does not support user authentication
                          against Keycloak, but does against a standard
                          LDAP server. <br>
                          <br>
                          If it is impossible, has anybody succeeded in
                          implementing the reverse direction of user
                          federation synchronization (all user data
                          from Keycloak should be copied to a fresh LDAP
                          server installation)?<br>
                          <br>
                          Answers to these questions may be decisive
                          for the Keycloak usage in our organization.<br>
                          <br>
                        </div>
                        <div>Thank you in advance<br>
                          <br>
                        </div>
                        <div>Valerij Timofeev<br>
                        </div>
                        <div>Software Engineer<br>
                        </div>
                        <div>Trusted Shops GmbH<br>
                        </div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
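    <p>The storage-scheme mismatch raised in the thread (Keycloak's PBKDF2 hashes versus the passwordStorageScheme values a directory such as 389-DS accepts) is easier to see with a small pluggable hash registry. This is an added example, not code from the thread, Keycloak or 389-DS; the "{scheme}iters$salt$hash" text layout for the PBKDF2 value, the iteration count and the provider names are assumptions made here.</p>

```python
# Added example, not code from this thread, Keycloak or 389-DS: a minimal
# pluggable password-hash registry that verifies a PBKDF2 credential (what
# Keycloak stores) next to an LDAP "{SSHA}" userPassword value (a 389-DS
# passwordStorageScheme option); the "{scheme}iters$salt$hash" layout is assumed.
import base64
import hashlib
import hmac
import os

def b64e(raw):
    return base64.b64encode(raw).decode("ascii")

class Pbkdf2Provider:
    # PBKDF2-HMAC-SHA1 with a random per-user salt and a tunable iteration count
    scheme, iterations = "pbkdf2", 20000

    def encode(self, password, salt=None):
        salt = salt or os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, self.iterations, 64)
        return "{%s}%d$%s$%s" % (self.scheme, self.iterations, b64e(salt), b64e(dk))

    def verify(self, password, body):
        iters, salt, dk = body.split("$")
        salt, dk = base64.b64decode(salt), base64.b64decode(dk)
        cand = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, int(iters), len(dk))
        return hmac.compare_digest(cand, dk)

class SshaProvider:
    # LDAP {SSHA}: base64(sha1(password + salt) + salt), 20-byte digest first
    scheme = "SSHA"

    def encode(self, password, salt=None):
        salt = salt or os.urandom(8)
        digest = hashlib.sha1(password.encode() + salt).digest()
        return "{%s}%s" % (self.scheme, b64e(digest + salt))

    def verify(self, password, body):
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

PROVIDERS = {p.scheme: p for p in (Pbkdf2Provider(), SshaProvider())}
def split_scheme(stored):
    # the LDAP-style "{SCHEME}body" prefix selects the provider
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value lacks a {scheme} prefix")
    return tuple(stored[1:].split("}", 1))

def verify_password(password, stored):
    scheme, body = split_scheme(stored)
    if scheme not in PROVIDERS:  # e.g. a PBKDF2 value handed to a directory without PBKDF2
        raise LookupError("no password hash provider registered for {%s}" % scheme)
    return PROVIDERS[scheme].verify(password, body)
```

    <p>Unknown schemes fail loudly rather than silently returning False, so a migration that copies hashes into a store lacking the matching scheme is caught at the first login instead of looking like a wrong password.</p>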
    <br>
  </body>
</html>