[keycloak-user] Can Keycloak simulate LDAP server?
valerij.timofeev at gmail.com
Fri Oct 16 09:47:40 EDT 2015
Thank you, Marek.
I've found the ticket you probably mean:"Pluggable password hashing
I think that I have now together with JAAS/SASL enough options to convince
my bosses to adopt Keycloak
2015-10-16 15:09 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
> On 16/10/15 14:31, Valerij Timofeev wrote:
> I suppose that implementing LDAP server in Keycloak is not an option for
> RH because there is already FreeIPA ;-)
> But unfortunately 389-DS does not support PBKDF2 algorithm and as far as I
> know there are no plans for that:
> Are there any plans to make hash algorithms in Keycloak pluggable, in
> order for example to ensure compatibility with FreeIPA and thus ease
> migration path?
> - search for *passwordStorageScheme*
> Yes, it is planned to be pluggable. I think JIRA is already created AFAIK.
> Instead of "exposing the whole LDAP server" would it be feasible for
> Keycloak to implement SASL for using in LDAP servers instead?
> Maybe, but that will address just authentication to LDAP right? Not full
> user provisioning from LDAP, which is what Andrew mentioned. Btv. we have
> JAAS DirectAccessGrantsLoginModule, which allows login module triggered
> anywhere to authenticate against Keycloak with usage of Direct Grant API.
> Some docs is here:
> The Elytron project (
> https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary ) may
> already provide SASL authentication mechanism for auth against JAAS. So it
> might be already possible to use SASL for authenticate against Keycloak.
> But I am not really sure. You can try to investigate...
> Should I better ask these questions on the Keycloak developers list?
> 2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>> In that case, I would likely use Keycloak with LDAP federation provider,
>> which will point to some LDAP server in your environment. KC Federation
>> provider needs to be declared with editMode "WRITABLE", so all users
>> created through Keycloak will be synced to LDAP server as well including
>> their password. Then the legacy product compatible just with LDAP will
>> authenticate users against this LDAP server.
>> On 15/10/15 11:41, Valerij Timofeev wrote:
>> Hi all,
>> we are interested to know if it is possible to authenticate users of pure
>> LDAP client against Keycloak?
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd
>> like to avoid dead end if for example some product (e.g. SaaS) does not
>> support user authentication against Keycloak, but does against standard
>> LDAP server.
>> If it is impossible, has anybody succeeded to implement reverted
>> direction of user federation synchronization (all users data from Keycloak
>> should be copied to a fresh LDAP server installation)?
>> Answers to these questions may be decisive for the Keycloak usage in our
>> Thank you in advance
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the keycloak-user