Keycloak can handle responsibilities of a main user store and I would
recommend you do that. The few customers that I've seen take your
approach struggled a bit with tuning LDAP to get it to perform well.
With Keycloak only store, there's just one less moving part you have to
worry about, tune, and debug.
The disadvantage is that you'll have to migrate from Keycloak DB to LDAP
or something if you ever want to ditch Keycloak.
Another option: using the User Storage SPI you do have the option to
retain your legacy user store.
On 1/26/17 2:00 PM, Istvan Orban wrote:
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.