On 21/06/16 10:21, Christopher Davies wrote:
> I am looking to use KeyCloak backed by an AD server.
> Can I check a few things that I understand are correct.
> 1) Using the User Federation SPI I import the following from
> ActiveDirectory into the KeyCloak database : first name, surname,
> email, username and password.

By default you are importing first name, surname, email and username.
You can import more attributes by creating additional LDAP mappers. But
no password is imported from MSAD to the Keycloak DB.

> 2) Password checks are made against the Keycloak database and not the

No, password checks are made against ActiveDirectory. Just if you have
editMode UNSYNCED and you change the password of the user (or he changes
it himself in account management), then the new password will be saved
into the Keycloak DB and will be used in favor of the old password from MSAD.

> 3) Enabling kerberos authentication will allow me to do passwordless
> login using my web browser from my windows box

Yes. See our Kerberos documentation for more details.

> Hope I am not too far from the mark
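As an added example (not part of the thread, and not Keycloak's own code), the two component representations the reply talks about, built for the Keycloak admin REST API: an AD-backed LDAP user federation provider whose editMode is validated, optional Kerberos settings for question 3, and one extra user-attribute mapper for question 1. The realm id, DNs, server URL, keytab path and the `department` attribute are constructed placeholders.

```python
EDIT_MODES = ("READ_ONLY", "WRITABLE", "UNSYNCED")
LDAP_PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def build_ad_provider(realm_id, connection_url, users_dn, bind_dn,
                      edit_mode="READ_ONLY", kerberos=None):
    """Component for an AD-backed LDAP federation provider. Config values are
    lists of strings, as the admin REST API expects. No password attribute is
    mapped: passwords stay in AD unless editMode is UNSYNCED and the user
    changes the password in Keycloak, in which case the Keycloak DB copy wins."""
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"editMode must be one of {EDIT_MODES}")
    config = {
        "vendor": ["ad"],
        "connectionUrl": [connection_url],
        "usersDn": [users_dn],
        "bindDn": [bind_dn],
        "bindCredential": ["<bind-password-placeholder>"],  # constructed value
        "editMode": [edit_mode],
        "importEnabled": ["true"],
        "usernameLDAPAttribute": ["sAMAccountName"],
        "rdnLDAPAttribute": ["cn"],
        "uuidLDAPAttribute": ["objectGUID"],
        "userObjectClasses": ["person, organizationalPerson, user"],
    }
    if kerberos:  # question 3: browser SPNEGO login against the AD realm
        config.update({
            "allowKerberosAuthentication": ["true"],
            "kerberosRealm": [kerberos["realm"]],
            "serverPrincipal": [kerberos["principal"]],
            "keyTab": [kerberos["keytab"]],
        })
    return {"name": "active-directory", "providerId": "ldap",
            "providerType": LDAP_PROVIDER_TYPE, "parentId": realm_id,
            "config": config}


def build_attribute_mapper(provider_component_id, user_attr, ldap_attr):
    """Extra read-only mapper so one more AD attribute is imported alongside
    the default first name, surname, email and username (question 1)."""
    return {"name": f"{user_attr}-mapper",
            "providerId": "user-attribute-ldap-mapper",
            "providerType": MAPPER_TYPE,
            "parentId": provider_component_id,
            "config": {"user.model.attribute": [user_attr],
                       "ldap.attribute": [ldap_attr],
                       "read.only": ["true"],
                       "always.read.value.from.ldap": ["true"],
                       "is.mandatory.in.ldap": ["false"]}}
```

Both dicts are what you would POST to `/admin/realms/{realm}/components`; the mapper's `parentId` is the id the server returns for the provider component.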
keycloak-user mailing list