[keycloak-user] Can Keycloak simulate LDAP server?

Valerij Timofeev valerij.timofeev at gmail.com
Fri Oct 16 08:31:57 EDT 2015


I suppose that implementing an LDAP server in Keycloak is not an option for RH
because there is already FreeIPA ;-)
But unfortunately 389-DS does not support the PBKDF2 algorithm and as far as I
know there are no plans for that:
https://fedorahosted.org/freeipa/ticket/4182
Are there any plans to make hash algorithms in Keycloak pluggable, in order,
for example, to ensure compatibility with FreeIPA and thus ease the migration
path?
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes
- search for *passwordStorageScheme*

Instead of "exposing the whole LDAP server" would it be feasible for
Keycloak to implement SASL for use in LDAP servers instead?

Would it be better to ask these questions on the Keycloak developers list?

Valerij

2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> In that case, I would likely use Keycloak with the LDAP federation provider,
> which will point to some LDAP server in your environment. The KC Federation
> provider needs to be declared with editMode "WRITABLE", so all users
> created through Keycloak will be synced to the LDAP server as well, including
> their password. Then the legacy product compatible just with LDAP will
> authenticate users against this LDAP server.
>
> Marek
>
>
> On 15/10/15 11:41, Valerij Timofeev wrote:
>
> Hi all,
>
> we are interested to know if it is possible to authenticate users of a pure
> LDAP client against Keycloak?
>
> Why? We are planning to migrate legacy user storage to Keycloak and we'd
> like to avoid a dead end if, for example, some product (e.g. SaaS) does not
> support user authentication against Keycloak, but does against a standard
> LDAP server.
>
> If it is impossible, has anybody succeeded in implementing the reverse direction
> of user federation synchronization (all user data from Keycloak should be
> copied to a fresh LDAP server installation)?
>
> Answers to these questions may be decisive for the Keycloak usage in our
> organization.
>
> Thank you in advance
>
> Valerij Timofeev
> Software Engineer
> Trusted Shops GmbH
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user