On 21/06/16 10:21, Christopher Davies wrote:
> I am looking to use Keycloak backed by an AD.
> Can I check a few things that I understand are correct?
>
> 1) Using the User Federation SPI I import the following
> from ActiveDirectory into the Keycloak database: first name,
> surname, email, username and password.

By default you are importing first name, surname, email and
username. You can import more attributes by creating additional LDAP
mappers. But no password is imported from MSAD to the Keycloak DB.

> 2) Password checks are made against the Keycloak database
> and not the ActiveDirectory

No, password checks are made against ActiveDirectory. Just if you
have editMode UNSYNCED and you change the password of the user (or
he changes it himself in account management), then the new password
will be saved into Keycloak DB and will be used in favor of the old
password from MSAD.

> 3) Enabling Kerberos authentication will allow me to do
> passwordless login using my web browser from my Windows box
>
> Hope I am not too far from the mark

Yes. See our Kerberos documentation for more details.

keycloak-user mailing list