Depends on the EDIT_MODE you choose. After you add the LDAP federation provider,
then with all 3 modes, you are able to authenticate existing LDAP users
with existing LDAP passwords. But when you update the password through the
Keycloak admin console or account management, then:
- if edit mode is READABLE, password update from Keycloak is not allowed
and it will fail with "User is read only"
- if edit mode is WRITABLE, the password will be updated in LDAP. So during
the next password checks, Keycloak will still use LDAP to authenticate the user
against. Also, all your apps integrated directly with LDAP should be able
to see the newly updated password in LDAP.
- if edit mode is UNSYNCED, the password will be updated in the Keycloak DB, but
not in LDAP. The next password checks from Keycloak will use the Keycloak DB and
hence the new password. But your apps integrated directly with LDAP will
still see the old password.
Marek
On 11/02/16 02:15, chenkeong.yap(a)izeno.com wrote:
Hi guys,
Please assist to clarify. After adding the LDAP federation provider, is the password stored
in the Keycloak database? If yes, is there any way to prevent sync of the password?
Regards,
CK Yap
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user