[keycloak-user] Active Directory

Marek Posolda mposolda at redhat.com
Wed Jun 22 10:23:25 EDT 2016


On 21/06/16 10:21, Christopher Davies wrote:
> I am looking to use KeyCloak backed by an AD server.
> Can I check a few things that I understand are correct.
>
> 1) Using the  User Federation SPI I import the following from 
> ActiveDirectory into the KeyCloak database : first name, surname, 
> email, username and password.
By default you are importing first name, surname, email and username. 
You can import more attributes by creating additional LDAP mappers. But 
no password is imported from MSAD to the Keycloak DB.
> 2) Password checks are made against the Keycloak database and not the 
> ActiveDirectory system
No, password checks are made against ActiveDirectory. Just if you have 
editMode UNSYNCED and you change the password of the user (or he changes 
it himself in account management), then the new password will be saved 
into the Keycloak DB and will be used in favor of the old password from MSAD.
> 3) Enabling kerberos authentication will allow me to do passwordless 
> login using my web browser from my windows box
Yes. See our Kerberos documentation for more details [1].

[1] 
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html

Marek
>
> Hope I am not too far from the mark
>
> Chris
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
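Checking the three points above against a realm's actual federation configuration, as an added example that is not part of this thread or of Keycloak itself: the component shape and config keys (editMode, allowKerberosAuthentication, user-attribute-ldap-mapper) follow what the Keycloak admin REST API returns under /admin/realms/{realm}/components, and the sample components are constructed.

```python
from typing import Any

LDAP_PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"

def _mapper(mid: str, ldap_attr: str, model_attr: str) -> dict:
    # Constructed user-attribute mapper component, child of the LDAP provider.
    return {"id": mid, "parentId": "ldap-1", "providerId": "user-attribute-ldap-mapper",
            "providerType": LDAP_MAPPER_TYPE,
            "config": {"ldap.attribute": [ldap_attr], "user.model.attribute": [model_attr]}}

# Constructed sample in the shape the admin REST API returns from
# /admin/realms/{realm}/components: the MSAD provider plus its attribute mappers.
SAMPLE_COMPONENTS = [
    {"id": "ldap-1", "providerId": "ldap", "providerType": LDAP_PROVIDER_TYPE,
     "config": {"vendor": ["ad"], "editMode": ["UNSYNCED"], "importEnabled": ["true"],
                "allowKerberosAuthentication": ["false"]}},
    _mapper("m-user", "sAMAccountName", "username"),
    _mapper("m-first", "givenName", "firstName"),
    _mapper("m-last", "sn", "lastName"),
    _mapper("m-mail", "mail", "email"),
]

def _cfg(component: dict, key: str, default: str = "") -> str:
    # Component config values are stored as single-element lists: {key: [value]}.
    values = component.get("config", {}).get(key) or [default]
    return str(values[0])

def audit_ldap_provider(components: list[dict]) -> dict[str, Any]:
    """Report imported attributes, where passwords live, and Kerberos SSO state."""
    providers = [c for c in components if c.get("providerId") == "ldap"
                 and c.get("providerType") == LDAP_PROVIDER_TYPE]
    if len(providers) != 1:
        raise ValueError(f"expected one LDAP provider, found {len(providers)}")
    ldap = providers[0]
    imported = sorted(_cfg(m, "user.model.attribute") for m in components
                      if m.get("parentId") == ldap["id"]
                      and m.get("providerId") == "user-attribute-ldap-mapper")
    edit_mode = _cfg(ldap, "editMode", "READ_ONLY")  # default is an assumption
    findings = []
    if edit_mode == "UNSYNCED":
        findings.append("UNSYNCED: a password changed through Keycloak is stored in the "
                        "Keycloak DB and used instead of the AD password for that user")
    return {"vendor": _cfg(ldap, "vendor"), "edit_mode": edit_mode,
            "imported_attributes": imported,
            "password_imported": False,  # passwords are never copied from AD
            "local_password_override": edit_mode == "UNSYNCED",
            "kerberos_sso": _cfg(ldap, "allowKerberosAuthentication", "false") == "true",
            "findings": findings}
```

Run it against the JSON you get from the components endpoint to see which attributes a realm really imports and whether UNSYNCED mode lets locally stored passwords shadow AD.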


