Hi,
On 25/10/18 08:31, Vivek Aggarwal wrote:
> Hi Team,
> We've started exploring KeyCloak from an Identity & Access Management
> perspective & intended to integrate it with various other tools like
> Jenkins Console, Mongo Console, Linux user administration etc.
> But we have a related concern: currently we're unable to figure out how we
> can use KeyCloak as an LDAP for Linux machines. For instance, can we
> integrate it with our Linux machines to manage SSH users?

Keycloak itself is not an LDAP server. However, Keycloak can be integrated
with an LDAP server, so that Keycloak uses the LDAP server to authenticate
users.
With that in mind, I think you can indirectly achieve what you want. You
just need to integrate Keycloak with the LDAP and configure it with
editMode WRITABLE. And you will integrate the same LDAP for your linux/SSH
authentication. This means that if you create a new user in Keycloak, this
user will be propagated to the LDAP and so he can also authenticate to
SSH/Linux through the usage of the same LDAP server that Keycloak is using.

> And a related question: we've read somewhere in the community forums that
> KeyCloak is not meant for LDAP. Well, in that case how are we able to manage
> users for Jenkins console using KeyCloak? Currently we've successfully
> integrated Keycloak with Jenkins console. Is it not acting as LDAP for
> Jenkins console?

I guess you integrated jenkins to use Keycloak for authentication. In
that case, you can either:
- Manage users just through the Keycloak console and never from jenkins
console. The updates from Keycloak will be propagated to LDAP. So this
way, it will ensure that users will be able to authenticate to jenkins
and jenkins will see latest user profile info from Keycloak/LDAP
- Manage users through the Jenkins. I assume your Jenkins will write
users to LDAP then. In Keycloak, you will then also see the updated user
as Keycloak uses LDAP as a source of the info. However you may need to
adjust caching policies on Keycloak side due to this to see the updates
on Keycloak side immediately (see docs for more details). So maybe I
would personally prefer the option 1 if possible.
Marek

> Kindly help in understanding the above concerns & suggest if there are any
> recommendations.
> regards
> Vivek
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
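
An added example, not part of the thread and not Keycloak project code: a Python check over one LDAP user-federation component, in the shape Keycloak uses in a realm export, against the shared-LDAP setup described in the reply above. The sample component, the hostnames, the `audit_ldap_component` helper and the `posixAccount` requirement on the Linux side are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: component config values are lists of strings.
# The component name and hostname are placeholders.
SAMPLE_COMPONENT = json.loads("""
{
  "name": "corp-ldap",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "config": {
    "editMode": ["READ_ONLY"],
    "syncRegistrations": ["false"],
    "connectionUrl": ["ldap://ldap.example.internal:389"],
    "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
    "cachePolicy": ["DEFAULT"]
  }
}
""")


def audit_ldap_component(component, linux_ldap_uri, external_writers=False):
    """Return findings for the shared-LDAP setup described in the thread."""
    if component.get("providerId") != "ldap":
        return ["not an LDAP user-federation component"]
    cfg = {k: (v[0] if v else "") for k, v in component.get("config", {}).items()}
    findings = []
    if cfg.get("editMode") != "WRITABLE":
        findings.append("editMode is %r: Keycloak edits are not written to LDAP" % cfg.get("editMode"))
    if cfg.get("syncRegistrations") != "true":
        findings.append("syncRegistrations is off: users created in Keycloak stay out of LDAP")
    # Keycloak and the SSH hosts must read the same directory.
    kc, host = urlparse(cfg.get("connectionUrl", "")), urlparse(linux_ldap_uri)
    if kc.hostname != host.hostname:
        findings.append("Keycloak and the Linux hosts point at different LDAP servers")
    if kc.scheme != "ldaps":
        findings.append("connectionUrl is not ldaps://: check that binds and password writes use TLS")
    # Assumption: the Linux hosts resolve users from posixAccount entries (RFC 2307).
    classes = {c.strip().lower() for c in cfg.get("userObjectClasses", "").split(",")}
    if "posixaccount" not in classes:
        findings.append("new users lack posixAccount, so Linux logins will not resolve them")
    # Option 2 in the reply: another tool (e.g. Jenkins) also writes to LDAP.
    if external_writers and cfg.get("cachePolicy") != "NO_CACHE":
        findings.append("another tool writes to LDAP: review cachePolicy to avoid stale users")
    return findings
```

Calling `audit_ldap_component(SAMPLE_COMPONENT, "ldaps://ldap.example.internal")` returns one finding string per mismatch; an empty list means the component matches the setup.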