<div dir="ltr"><div><div><div>I suppose that implementing LDAP server in Keycloak is not an option for RH because there is already FreeIPA ;-)<br></div>But unfortunately 389-DS does not support PBKDF2 algorithm and as far as I know there are no plans for that: <a href="https://fedorahosted.org/freeipa/ticket/4182">https://fedorahosted.org/freeipa/ticket/4182</a> <br><b></b></div><div>Are there any plans to make hash algorithms in Keycloak pluggable, in order for example to ensure compatibility with FreeIPA and thus ease migration path?<br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes" class="" rel="nofollow">https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes</a> - search for <b>passwordStorageScheme</b><br></div><div><br></div>Instead of "exposing the whole LDAP server" would it be feasible for Keycloak to implement SASL for using in LDAP servers instead? <br><br>Should I better ask these questions on the Keycloak developers list?<br><br></div>Valerij<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-10-15 12:42 GMT+02:00 Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>In that case, I would likely use
Keycloak with LDAP federation provider, which will point to some
LDAP server in your environment. KC Federation provider needs to
be declared with editMode "WRITABLE", so all users created through
Keycloak will be synced to LDAP server as well including their
password. Then the legacy product compatible just with LDAP will
authenticate users against this LDAP server.<br>
<br>
Marek<div><div class="h5"><br>
<br>
On 15/10/15 11:41, Valerij Timofeev wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>Hi all,<br>
<br>
we are interested to know if it is possible to authenticate
users of pure LDAP client against Keycloak?<br>
<br>
Why? We are planning to migrate legacy user storage to
Keycloak and we'd like to avoid dead end if for example some
product (e.g. SaaS) does not support user authentication
against Keycloak, but does against standard LDAP server. <br>
<br>
If it is impossible, has anybody succeeded to implement
reverted direction of user federation synchronization (all
users data from Keycloak should be copied to a fresh LDAP
server installation)?<br>
<span lang="en"><span><br>
</span></span><span lang="en"><span>Answers to these questions may be</span> <span>decisive for the Keycloak usage</span> <span>in our organization.</span></span><br>
<br>
</div>
<div>Thank you in advance<br>
<br>
</div>
<div>Valerij Timofeev<br>
</div>
<div>Software Engineer<br>
</div>
<div>Trusted Shops GmbH<br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>