[keycloak-user] Can Keycloak simulate LDAP server?

Valerij Timofeev valerij.timofeev at gmail.com
Fri Oct 16 09:47:40 EDT 2015

Thank you, Marek.

I've found the ticket you probably mean:"Pluggable password hashing
algorithm" https://issues.jboss.org/browse/KEYCLOAK-1900

I think that I have now together with JAAS/SASL enough options to convince
my bosses to adopt Keycloak


2015-10-16 15:09 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> On 16/10/15 14:31, Valerij Timofeev wrote:
> I suppose that implementing LDAP server in Keycloak is not an option for
> RH because there is already FreeIPA ;-)
> But unfortunately 389-DS does not support PBKDF2 algorithm and as far as I
> know there are no plans for that:
> <https://fedorahosted.org/freeipa/ticket/4182>
> https://fedorahosted.org/freeipa/ticket/4182
> Are there any plans to make hash algorithms in Keycloak pluggable, in
> order for example to ensure compatibility with FreeIPA and thus ease
> migration path?
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Administration_Guide/index.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes
> - search for *passwordStorageScheme*
> Yes, it is planned to be pluggable. I think JIRA is already created AFAIK.
> Instead of "exposing the whole LDAP server" would it be feasible for
> Keycloak to implement SASL for using in LDAP servers instead?
> Maybe, but that will address just authentication to LDAP right? Not full
> user provisioning from LDAP, which is what Andrew mentioned. Btv. we have
> JAAS DirectAccessGrantsLoginModule, which allows login module triggered
> anywhere to authenticate against Keycloak with usage of Direct Grant API.
> Some docs is here:
> http://keycloak.github.io/docs/userguide/html/ch08.html#jaas-adapter
> The Elytron project (
> https://developer.jboss.org/wiki/WildFlyElytron-ProjectSummary ) may
> already provide SASL authentication mechanism for auth against JAAS. So it
> might be already possible to use SASL for authenticate against Keycloak.
> But I am not really sure. You can try to investigate...
> Marek
> Should I better ask these questions on the Keycloak developers list?
> Valerij
> 2015-10-15 12:42 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>> In that case, I would likely use Keycloak with LDAP federation provider,
>> which will point to some LDAP server in your environment. KC Federation
>> provider needs to be declared with editMode "WRITABLE", so all users
>> created through Keycloak will be synced to LDAP server as well including
>> their password. Then the legacy product compatible just with LDAP will
>> authenticate users against this LDAP server.
>> Marek
>> On 15/10/15 11:41, Valerij Timofeev wrote:
>> Hi all,
>> we are interested to know if it is possible to authenticate users of pure
>> LDAP client against Keycloak?
>> Why? We are planning to migrate legacy user storage to Keycloak and we'd
>> like to avoid dead end if for example some product (e.g. SaaS) does not
>> support user authentication against Keycloak, but does against standard
>> LDAP server.
>> If it is impossible, has anybody succeeded to implement reverted
>> direction of user federation synchronization (all users data from Keycloak
>> should be copied to a fresh LDAP server installation)?
>> Answers to these questions may be decisive for the Keycloak usage in our
>> organization.
>> Thank you in advance
>> Valerij Timofeev
>> Software Engineer
>> Trusted Shops GmbH
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151016/3edd806b/attachment-0001.html 

More information about the keycloak-user mailing list