[keycloak-user] user storage ldap or keycloak

Bill Burke bburke at redhat.com
Fri Jan 27 19:14:47 EST 2017


Users have to be linked to sync.


On 1/27/17 3:25 PM, Marek Posolda wrote:
> Bill, do we have OOTB support for the usecase, when you have just 
> local Keycloak users. Then at some point you want to add LDAP (or any 
> other provider) and then sync existing Keycloak users to that 
> StorageProvider? I guess not?
>
> Marek
>
>
> On 27/01/17 15:25, Bill Burke wrote:
>> I have no idea on the passwords.  It is a standard algorithm we use.
>> But you might be able to a) use Keycloak-stored passwords, b)
>> require a password update, c) store new passwords in LDAP as they are
>> updated and entered.
>>
>>
>> On 1/27/17 2:48 AM, Istvan Orban wrote:
>>> Thanks for this. I am glad to hear it. It can be our central user
>>> store.
>>>
>>> I am wondering about one single question. Suppose down the line we
>>> want to upgrade to LDAP sometime in the future. Of course we can
>>> export the user data, but the passwords are hashed.
>>>
>>> Will we be able to import users into an LDAP store without having to
>>> reset every single user's password?
>>>
>>> Thanks a lot!
>>>
>>> ------------------------------
>>>> Message: 4
>>>> Date: Thu, 26 Jan 2017 14:14:36 -0500
>>>> From: Bill Burke <bburke at redhat.com>
>>>> Subject: Re: [keycloak-user] user storage ldap or keycloak
>>>> To: keycloak-user at lists.jboss.org
>>>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com>
>>>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>>>
>>>> Keycloak can handle the responsibilities of a main user store and I
>>>> would recommend you do that.  The few customers that I've seen take
>>>> your approach struggled a bit with tuning LDAP to get it to perform
>>>> well. With a Keycloak-only store, there's just one less moving part
>>>> you have to worry about, tune, and debug.
>>>>
>>>> The disadvantage is that you'll have to migrate from the Keycloak DB
>>>> to LDAP or something if you ever want to ditch Keycloak.
>>>>
>>>> Another option: using the User Storage SPI you do have the option to
>>>> retain your legacy user store.
>>>>
>>>>
>>>> On 1/26/17 2:00 PM, Istvan Orban wrote:
>>>>> Dear Keycloak users.
>>>>>
>>>>> I am very new to Keycloak and I really like it. It is great.
>>>>>
>>>>> I am currently migrating a legacy app (using its own user
>>>>> management) to support SSO.
>>>>>
>>>>> I have set up Keycloak with OpenID Connect and it works very well. At
>>>>> this point we need to decide if we will use Keycloak as our main
>>>>> user store or we will set up an LDAP.
>>>>>
>>>>> My question is this: is Keycloak designed in a way that it can fulfil
>>>>> all the responsibilities of the main user store?
>>>>>
>>>>> Any risk with this at all?
>>>>>
>>>>> PS: our userbase is small and at this point I am not sure if we
>>>>> want to add LDAP just for this.
>>>>>
>>>>>
>>>>>
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
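An added example, not code from this thread or from the Keycloak project, of what Bill's option (c) looks like as a User Storage SPI provider: whenever a linked user's password is updated through Keycloak, the new password is also written to LDAP, so the directory fills in over time without forcing every user to reset. It assumes the Keycloak 2.5-era SPI signatures current at the time of the thread (UserStorageProvider and CredentialInputUpdater), a hypothetical package and class name, placeholder LDAP URL, bind DN, credentials and DN template, and that the user already carries a federation link to this provider, as Bill's reply requires. The factory and META-INF/services registration are left out.

```java
// Added example (hypothetical provider, not Keycloak project code): mirrors
// password updates of linked users into LDAP. Assumes Keycloak 2.5-era SPI
// signatures; LDAP URL, bind DN, credentials and DN template below are
// placeholders. Factory registration (META-INF/services) is omitted.
package example.ldapsync; // hypothetical package

import java.util.Collections;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import org.jboss.logging.Logger;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;

public class LdapPasswordMirrorProvider implements UserStorageProvider, CredentialInputUpdater {
    private static final Logger LOG = Logger.getLogger(LdapPasswordMirrorProvider.class);

    // Placeholders; a real provider reads these from its ComponentModel config.
    private static final String LDAP_URL = "ldaps://ldap.example.invalid:636";
    private static final String BIND_DN = "cn=keycloak-sync,ou=Services,dc=example,dc=invalid";
    private static final String BIND_PASSWORD = "<placeholder>";
    // Hypothetical DN layout: one entry per username under ou=People.
    private static final String DN_TEMPLATE = "uid=%s,ou=People,dc=example,dc=invalid";

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return UserCredentialModel.PASSWORD.equals(credentialType);
    }

    // Keycloak calls this for users whose federation link points at this
    // provider. Returning false lets Keycloak go on and store its own hash as
    // well (option a + c); that reading of the return value is an assumption.
    @Override
    public boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String newPassword = ((UserCredentialModel) input).getValue();
        try {
            writePasswordToLdap(user.getUsername(), newPassword);
        } catch (NamingException e) {
            // Do not block the Keycloak-side update; record the gap so an
            // operator can re-sync this user later.
            LOG.warnf(e, "LDAP password mirror failed for user %s", user.getUsername());
        }
        return false;
    }

    // JNDI write of userPassword. Sending the cleartext value relies on the
    // directory hashing it on receipt and on the ldaps:// transport.
    private void writePasswordToLdap(String username, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        DirContext ctx = new InitialDirContext(env);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("userPassword", password))
            };
            ctx.modifyAttributes(String.format(DN_TEMPLATE, escapeRdn(username)), mods);
        } finally {
            ctx.close();
        }
    }

    // Minimal RFC 4514 escaping so an odd username cannot alter the DN structure.
    private static String escapeRdn(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    @Override
    public void disableCredentialType(RealmModel realm, UserModel user, String credentialType) { }
    @Override
    public Set<String> getDisableableCredentialTypes(RealmModel realm, UserModel user) {
        return Collections.emptySet();
    }
    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }
    @Override public void close() { }
}
```

Because the provider is only consulted for linked users, an import step that sets each user's federation link to this provider has to happen first, which is the point of "users have to be linked to sync". Keeping Keycloak's own hash alongside the LDAP copy means logins keep working if the LDAP write fails or the directory is later removed.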
