[keycloak-user] Can Keycloak simulate LDAP server?

Marek Posolda mposolda at redhat.com
Fri Oct 16 09:09:01 EDT 2015

On 16/10/15 14:31, Valerij Timofeev wrote:
> I suppose that implementing LDAP server in Keycloak is not an option 
> for RH because there is already FreeIPA ;-)
> But unfortunately 389-DS does not support PBKDF2 algorithm and as far 
> as I know there are no plans for that: 
> https://fedorahosted.org/freeipa/ticket/4182
> Are there any plans to make hash algorithms in Keycloak pluggable, in 
> order for example to ensure compatibility with FreeIPA and thus ease 
> migration path?
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes 
> - search for *passwordStorageScheme*
Yes, it is planned to be pluggable. I think JIRA is already created AFAIK.
> Instead of "exposing the whole LDAP server" would it be feasible for 
> Keycloak to implement SASL for using in LDAP servers instead?
Maybe, but that will address just authentication to LDAP right? Not full 
user provisioning from LDAP, which is what Andrew mentioned. Btv. we 
have JAAS DirectAccessGrantsLoginModule, which allows login module 
triggered anywhere to authenticate against Keycloak with usage of Direct 
Grant API. Some docs is here: 

The Elytron project ( 
https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary ) may 
already provide SASL authentication mechanism for auth against JAAS. So 
it might be already possible to use SASL for authenticate against 
Keycloak. But I am not really sure. You can try to investigate...

> Should I better ask these questions on the Keycloak developers list?
> Valerij
> 2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>>:
>     In that case, I would likely use Keycloak with LDAP federation
>     provider, which will point to some LDAP server in your
>     environment. KC Federation provider needs to be declared with
>     editMode "WRITABLE", so all users created through Keycloak will be
>     synced to LDAP server as well including their password. Then the
>     legacy product compatible just with LDAP will authenticate users
>     against this LDAP server.
>     Marek
>     On 15/10/15 11:41, Valerij Timofeev wrote:
>>     Hi all,
>>     we are interested to know if it is possible to authenticate users
>>     of pure LDAP client against Keycloak?
>>     Why? We are planning to migrate legacy user storage to Keycloak
>>     and we'd like to avoid dead end if for example some product (e.g.
>>     SaaS) does not support user authentication against Keycloak, but
>>     does against standard LDAP server.
>>     If it is impossible, has anybody succeeded to implement reverted
>>     direction of user federation synchronization (all users data from
>>     Keycloak should be copied to a fresh LDAP server installation)?
>>     Answers to these questions may be decisive for the Keycloak usage
>>     in our organization.
>>     Thank you in advance
>>     Valerij Timofeev
>>     Software Engineer
>>     Trusted Shops GmbH
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151016/1e43b4a8/attachment.html 

More information about the keycloak-user mailing list