Thanks for the info.
Is it possible then to do the following?
1, several users are created in Keycloak during a 1 or 2 year period, let's say 4000
3, existing users are exported from Keycloak
4, users are imported into LDAP
5, later down the line an LDAP federation is added which is connected to the new LDAP
6, what sort of SPI do I need to write in order to link the existing Keycloak users to the LDAP federation provider?
Is this possible?
Thanks a lot!
3, link the user from Java code somehow so that it
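For the "export from Keycloak, import into LDAP" steps asked about above, an added example that is not from this thread or from the Keycloak project: it turns the `users` array of a Keycloak realm export into LDIF for an inetOrgPerson subtree. The base DN, the attribute mapping and the sample export are assumptions; the exported password hashes are left out on purpose, which is exactly why the password-reset question comes up.

```python
"""Turn the users[] array of a Keycloak realm export into LDIF (RFC 2849)
for an inetOrgPerson subtree, ready for ldapadd."""
import base64
import json
import re

# Constructed sample in the shape of a Keycloak realm export (only the fields
# mapped below are used); the export's hashed credentials are deliberately
# ignored, see user_to_ldif().
SAMPLE_EXPORT = json.dumps({"users": [
    {"username": "jdoe", "email": "jdoe@example.com", "firstName": "Jane",
     "lastName": "Doe", "enabled": True},
    {"username": "bob", "email": "bob@example.com", "firstName": "Bob",
     "lastName": "Müller", "enabled": False},
]})

BASE_DN = "ou=people,dc=example,dc=com"  # assumed target subtree
# RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, not starting with space, ':' or '<'
_SAFE = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*\Z")

def ldif_attr(name, value):
    """One attribute line; base64 form ('::') when value is not a safe string."""
    if _SAFE.match(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def dn_escape(value):
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    return re.sub(r'([,+"\\<>;=])', r'\\\1', value)

def user_to_ldif(user):
    uid = user["username"]
    cn = f"{user.get('firstName', '')} {user.get('lastName', '')}".strip() or uid
    lines = [ldif_attr("dn", f"uid={dn_escape(uid)},{BASE_DN}"),
             "objectClass: inetOrgPerson", ldif_attr("uid", uid),
             ldif_attr("cn", cn), ldif_attr("sn", user.get("lastName") or uid)]
    if user.get("firstName"):
        lines.append(ldif_attr("givenName", user["firstName"]))
    if user.get("email"):
        lines.append(ldif_attr("mail", user["email"]))
    # Keycloak's pbkdf2 hashes are in its own format and the directory cannot
    # verify them, so no userPassword is written: these accounts need a reset.
    return "\n".join(lines) + "\n"

def export_to_ldif(export_json, include_disabled=False):
    """Disabled accounts are skipped by default so the import cannot revive them."""
    users = json.loads(export_json)["users"]
    return "\n".join(user_to_ldif(u) for u in users
                     if include_disabled or u.get("enabled", True))
```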
Date: Fri, 27 Jan 2017 19:14:47 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] user storage ldap or keycloak
To: Marek Posolda <mposolda(a)redhat.com>, keycloak-user(a)lists.jboss.org
Message-ID: <ae08ac3f-a547-8e45-c6d5-c6d14c8b9d91(a)redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
> Users have to be linked to sync.
On 1/27/17 3:25 PM, Marek Posolda wrote:
> Bill, do we have OOTB support for the usecase, when you have just
> local Keycloak users. Then at some point you want to add LDAP (or any
> other provider) and then sync existing Keycloak users to that
> StorageProvider? I guess not?
>
> Marek
>
>
> On 27/01/17 15:25, Bill Burke wrote:
>> I have no idea on the passwords. It is a standard algorithm we use.
>> But you might be able to a) use Keycloak stored passwords, b) require
>> password update, c) store new passwords in LDAP as they are updated
>> and entered.
>>
>>
>> On 1/27/17 2:48 AM, Istvan Orban wrote:
>>> Thanks for this. I am glad to hear it. It can be our central user
>>> store.
>>>
>>> I am wondering about one single question. Suppose down the line we
>>> want to upgrade to LDAP sometime in the future. Of course we can
>>> export the user data but the passwords are hashed.
>>>
>>> Will we be able to import users into an LDAP store without having to
>>> reset every single user's password?
>>>
>>> Thanks a lot!
>>>
>>> ------------------------------
>>>> Message: 4
>>>> Date: Thu, 26 Jan 2017 14:14:36 -0500
>>>> From: Bill Burke <bburke(a)redhat.com>
>>>> Subject: Re: [keycloak-user] user storage ldap or keycloak
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9(a)redhat.com>
>>>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>>>
>>>> Keycloak can handle responsibilities of a main user store and I would
>>>> recommend you do that. The few customers that I've seen take your
>>>> approach struggled a bit with tuning LDAP to get it to perform well.
>>>> With a Keycloak-only store, there's just one less moving part you
>>>> have to worry about, tune, and debug.
>>>>
>>>> The disadvantage is that you'll have to migrate from the Keycloak DB
>>>> to LDAP or something if you ever want to ditch Keycloak.
>>>>
>>>> Another option: using the User Storage SPI you do have the option to
>>>> retain your legacy user store.
>>>>
>>>>
>>>> On 1/26/17 2:00 PM, Istvan Orban wrote:
>>>>> Dear Keycloak users.
>>>>>
>>>>> I am very new to Keycloak and I really like it. It is great.
>>>>>
>>>>> I am currently migrating a legacy app (using its own user management)
>>>>> to support SSO.
>>>>>
>>>>> I have set up Keycloak with OpenID Connect and it works very well. At
>>>>> this point we need to decide if we will use Keycloak as our main user
>>>>> store or we will set up an LDAP.
>>>>>
>>>>> My question is this: is Keycloak designed in a way that it can fulfil
>>>>> all the responsibilities of the main user store?
>>>>>
>>>>> Any risk with this at all?
>>>>>
>>>>> PS: our userbase is small and at this point I am not sure if we want
>>>>> to add LDAP just for this.
>>>>>
>>>>>
>>>>>
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>