[keycloak-user] Can Keycloak simulate LDAP server?

Valerij Timofeev valerij.timofeev at gmail.com
Fri Oct 16 07:57:36 EDT 2015


Thank you, Andrew.

Your approach is an interesting option I did not consider yet.
Would this URL be a good starting point to estimate the complexity of your
approach?
https://cwiki.apache.org/confluence/display/DIRxSBOX/Draft+-+How+to+write+a+simple+custom+partition+for+ApacheDS
We don't need LDAP just at the moment. But I have to demonstrate to
decision makers in our organization that Keycloak is not a dead-end user
management solution.

Have you considered the normal LDAP user federation option in combination with
setting up ApacheDS to use the PBKDF2 algorithm for compatibility during
migration?
https://issues.apache.org/jira/browse/DIRSERVER-1898





2015-10-15 15:22 GMT+02:00 Andrew Zenk <azenk at umn.edu>:

> I have a similar use case.  The current approach assumes that the LDAP
> server will be available at all times.  If the LDAP server goes offline,
> and a user is created, they won't be synced (as far as I'm aware).  I'm
> assuming this is primarily due to the issues around transferring the
> password information from Keycloak to an LDAP server in a useful and
> consistent way.  I think adding either an LDAP server, or at the very least
> a much better API for accessing user data, would be a huge win for Keycloak.
>
> We've hacked around this problem by implementing a custom ApacheDS
> partition that uses the Keycloak libraries to talk to our database.  This
> is made more difficult by the way these libraries are structured.  For
> example, at least as of 1.2.0, there is no way to query the database for a
> list of members of a particular role.  This means that I have to build this
> mapping myself, then cache it so that I don't have to wait many seconds for
> every role lookup.  Also, it's not an interface that is meant for public
> consumption, so it may change without warning, etc.  The solution we have
> works, but certain operations are slow, and it may cause maintenance
> issues.  I'm going to explore using the REST API instead, though it may not
> expose enough information.
>
> Another potential issue is the IDs assigned to users/roles.  Keycloak
> currently doesn't assign IDs that would be easily mapped onto the ID space
> that many systems would expect (32 bit int, or similar).  I think this
> could be worked around, but it is another challenge for any universally
> useful LDAP directory backed by Keycloak.
>
> On Thu, Oct 15, 2015 at 6:56 AM, Valerij Timofeev <
> valerij.timofeev at gmail.com> wrote:
>
>> The scenario where users are created in Keycloak and then synchronized to
>> LDAP is clear. It is well documented.
>> But what about the scenario where the LDAP server setup occurs months
>> after the Keycloak setup?
>> Would it be possible to synchronize existing Keycloak users, including
>> their passwords, to LDAP, for example on successful login?
>>
>> 2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>>
>>> In that case, I would likely use Keycloak with the LDAP federation provider,
>>> which will point to some LDAP server in your environment. The KC federation
>>> provider needs to be declared with editMode "WRITABLE", so all users
>>> created through Keycloak will be synced to the LDAP server as well, including
>>> their passwords. Then the legacy product compatible just with LDAP will
>>> authenticate users against this LDAP server.
>>>
>>> Marek
>>>
>>>
>>> On 15/10/15 11:41, Valerij Timofeev wrote:
>>>
>>> Hi all,
>>>
>>> we are interested to know whether it is possible to authenticate users of
>>> a pure LDAP client against Keycloak.
>>>
>>> Why? We are planning to migrate our legacy user storage to Keycloak and we'd
>>> like to avoid a dead end if, for example, some product (e.g. SaaS) does not
>>> support user authentication against Keycloak, but does against a standard
>>> LDAP server.
>>>
>>> If it is impossible, has anybody succeeded in implementing the reverse
>>> direction of user federation synchronization (all user data from Keycloak
>>> should be copied to a fresh LDAP server installation)?
>>>
>>> Answers to these questions may be decisive for the Keycloak usage in
>>> our organization.
>>>
>>> Thank you in advance
>>>
>>> Valerij Timofeev
>>> Software Engineer
>>> Trusted Shops GmbH
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Andrew Zenk, EIT
> Polar Geospatial Center
> University of Minnesota
> Office: (612) 625-0872
> Cell: (612) 414-9617
>
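As an added illustration of the editMode "WRITABLE" setup Marek describes above (this is not code from the thread or from the Keycloak project): a small Python check over a constructed Keycloak 1.x style realm export that flags an LDAP federation provider whose settings would keep users created in Keycloak from ever reaching the LDAP server, and produces the corrected settings beside it. The realm JSON field names (userFederationProviders, providerName, editMode, syncRegistrations) and the sample values are assumptions made for this example.

```python
import copy
import json

# Constructed sample realm export (not a real environment). The structure
# mirrors the Keycloak 1.x realm JSON format as assumed for this example.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "userFederationProviders": [
        {
            "displayName": "corp-ldap",
            "providerName": "ldap",
            "priority": 0,
            "config": {
                # Weak setting for the migration scenario in the thread:
                # Keycloak only reads from LDAP and never writes users back.
                "editMode": "READ_ONLY",
                "syncRegistrations": "false",
                "connectionUrl": "ldap://ldap.example.internal:10389",
                "usersDn": "ou=People,dc=example,dc=org",
                "vendor": "other",
            },
        }
    ],
})


def ldap_providers(realm_json):
    """Return the LDAP user federation providers declared in a realm export."""
    realm = json.loads(realm_json)
    return [p for p in realm.get("userFederationProviders", [])
            if p.get("providerName") == "ldap"]


def check_writeback(provider):
    """List the reasons why users created in Keycloak would stay local
    instead of being written to LDAP through this provider."""
    cfg = provider.get("config", {})
    name = provider.get("displayName", "<unnamed>")
    findings = []
    if cfg.get("editMode") != "WRITABLE":
        findings.append(f"{name}: editMode is {cfg.get('editMode')!r}, needs WRITABLE")
    if str(cfg.get("syncRegistrations", "false")).lower() != "true":
        findings.append(f"{name}: syncRegistrations is off, new Keycloak users are not registered in LDAP")
    return findings


def fix_writeback(provider):
    """Return a copy of the provider with write-back to LDAP enabled."""
    fixed = copy.deepcopy(provider)
    fixed.setdefault("config", {})["editMode"] = "WRITABLE"
    fixed["config"]["syncRegistrations"] = "true"
    return fixed
```

Run the check against an exported realm before enabling the federation provider; a WRITABLE provider still only covers users created or logging in after the LDAP server is reachable, which is the gap Andrew's message points out.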