2017-11-09 8:53 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
Maybe yes, but I am not sure. I can also see some cons/limitations of the
"LDAP Connection dedicated to the user" approach like:
- Admin requests will still need to use the global federation connection.
For example when admin updates user attributes (or user password) from the
Keycloak admin console. The LDAP connection would need to be the "global"
federation connection. In case that global connection is the anonymous
connection, it won't work.
- Performance: With the federation connection used everywhere, there is
single LDAP connection pool and all the requests can use the cached
connections from this pool. With connections dedicated to each user, the
connections can't be reused, hence lots of connection open/close.

Right, I was thinking egoistically about my use case, where Keycloak
is used only for the authentication/authorization mechanism and not
for account management.
Actually, like Rafel proposed, you could just update the credential
with a user-bound connection.