[keycloak-user] ldap federation provider
Marek Posolda
mposolda at redhat.com
Thu Feb 11 03:26:13 EST 2016
Depends on the EDIT_MODE you choose. After you add the LDAP federation provider,
then with all 3 modes, you are able to authenticate existing LDAP users
with existing LDAP passwords. But when you update the password through the
Keycloak admin console or account management then:
- if edit mode is READABLE, password update from Keycloak is not allowed
and it will fail with "User is read only"
- if edit mode is WRITABLE, password will be updated in LDAP. So during
next password checks, Keycloak will still use LDAP to authenticate user
against. Also all your apps integrated directly with LDAP should be able
to see newly updated password in LDAP.
- if edit mode is UNSYNCED, password will be updated in Keycloak DB, but
not in LDAP. Next password checks from Keycloak will use Keycloak DB and
hence new password. But your apps integrated directly with LDAP will
still see the old password.
Marek
On 11/02/16 02:15, chenkeong.yap at izeno.com wrote:
> hi guys,
>
> please assist to clarify. after adding ldap federation provider, is the password stored in keycloak database? if yes, is there any way to prevent sync of password?
>
> Regards,
> CK Yap
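A small model of the three edit modes described in the message above, added here as an example (it is not Keycloak code and not from either poster). It shows where the old password still works after a reset done through Keycloak, using the mode names as written in the message. The class, the function names, the sample user and passwords are constructed, and the PBKDF2 storage of the local copy is an assumption.

```python
import hashlib
import hmac
import os


def _digest(password, salt):
    # Assumption: the local copy is kept as a salted hash; the page does not say how.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class FederatedRealm:
    """Toy model: one realm, one LDAP directory, one local credential store."""

    def __init__(self, edit_mode, ldap_passwords):
        self.edit_mode = edit_mode        # READABLE | WRITABLE | UNSYNCED (names from the message)
        self.ldap = dict(ldap_passwords)  # stands in for the LDAP server
        self.local = {}                   # stands in for the Keycloak DB

    def update_password(self, user, new_password):
        """Password change made through the admin console or account management."""
        if self.edit_mode == "READABLE":
            raise PermissionError("User is read only")
        if self.edit_mode == "WRITABLE":
            self.ldap[user] = new_password            # written to LDAP
        elif self.edit_mode == "UNSYNCED":
            salt = os.urandom(16)
            self.local[user] = (salt, _digest(new_password, salt))  # LDAP untouched
        else:
            raise ValueError("unknown edit mode: %r" % self.edit_mode)

    def ldap_bind(self, user, password):
        """What an application integrated directly with LDAP sees."""
        stored = self.ldap.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def keycloak_login(self, user, password):
        """Keycloak checks its own DB once a local password exists, otherwise LDAP."""
        if user in self.local:
            salt, stored = self.local[user]
            return hmac.compare_digest(stored, _digest(password, salt))
        return self.ldap_bind(user, password)


def old_password_still_valid(edit_mode, user="alice", old="Old-pw-1", new="New-pw-2"):
    """Reset the password via Keycloak, then report where the OLD one is still accepted."""
    realm = FederatedRealm(edit_mode, {user: old})
    try:
        realm.update_password(user, new)
    except PermissionError:
        pass  # READABLE: the update is refused, nothing changes anywhere
    return {"keycloak": realm.keycloak_login(user, old),
            "ldap_direct": realm.ldap_bind(user, old)}
```

In this model, UNSYNCED is the only mode that leaves the old password accepted by a direct LDAP bind after a successful reset, which matters when the reset was a response to a suspected credential leak.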