rk1ve

lldap and keycloak

this is to explain how lldap integrates with keycloak. first make sure that you have lldap installed and configured. the configuration file lives in:
/etc/lldap.

this is where you configure the ldap port, the http management port, the management user and password, the base dc, and all that good ldap stuff. once this is configured, go into keycloak. either create a new realm or edit the realm you want to add ldap to. navigate to the configure section and then user federation.

press “add new provider” and select ldap. enter a ui display name and select the vendor as “other”. the connection url goes as follows:
ldap://ldapserver.example.com:3890

if you have ldaps configured, change the port to the ldaps port (6360) and use ldaps://. once configured, click on test connection to ensure the keycloak server can talk to the ldap server.

next go to the bind dn and set that as: cn=admin,ou=people,dc=example,dc=com
this is used as the admin binding user. enter the credentials after that and press test authentication to ensure the bind works.

in the ldap searching and updating section, change edit mode to read only. set users dn to ou=people,dc=example,dc=com. the username ldap attribute and rdn ldap attribute can be left as uid, and the uuid ldap attribute can be left as entryuuid. change the user object classes to “person”. then turn off pagination.

in the synchronization settings, turn import users on and sync registrations on. set the full sync period to 604800 and the changed users sync period to 86400. then finally check the box to enable the ldapv3 password.

once this is configured, go to the top and click on the “mappers” tab. create a new mapper named “groups” with the type “group-ldap-mapper”. set the ldap groups dn to: ou=groups,dc=example,dc=com. group object classes will be “groupOfUniqueNames”, and change the mode to read only.

finally, go to the mapper “first name” and change the ldap attribute to “givenName”. once this is all saved, go back to the “settings” tab, open “action” at the top right and click “sync all users”.
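the same setup as a script, for when you want it reproducible instead of clicking through the console. this is an added example, not code from the post or from the lldap or keycloak projects: it turns the settings above into the json the keycloak admin rest api takes and pushes them in the same order (provider, groups mapper, first name mapper, full sync). it assumes a quarkus-based keycloak (no /auth prefix), the admin-cli password grant, and the config keys of keycloak's ldap storage provider as named in its source, so check them against your version. the hosts, realm name, credentials and the useTruststoreSpi setting are placeholders and assumptions, not from the post.

```python
"""Keycloak LDAP user federation for lldap, driven through the admin REST API.

Added example (not the post's or the projects' code). Assumes a Quarkus-based
Keycloak (no /auth prefix), the admin-cli password grant, and the LDAP storage
provider config keys as named in Keycloak's source. Hosts, realm and credentials
are placeholders read from the environment."""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK = os.environ.get("KC_URL", "https://keycloak.example.com")  # placeholder
REALM = os.environ.get("KC_REALM", "myrealm")                         # placeholder
BASE_DN = "dc=example,dc=com"                                         # as in the post
LLDAP_LDAP_PORT, LLDAP_LDAPS_PORT = 3890, 6360                        # lldap ports named in the post


def check_connection_url(url: str) -> list:
    """Warn about a connection URL that sends credentials in clear text. Over plain
    ldap:// the bind password and every federated user's login password cross the
    wire unencrypted on each authentication, so ldaps:// is the one to use."""
    parts = urllib.parse.urlsplit(url)
    warnings = []
    if parts.scheme == "ldap":
        warnings.append("plain ldap://: bind and user passwords are sent unencrypted")
    elif parts.scheme != "ldaps":
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.scheme == "ldaps" and parts.port == LLDAP_LDAP_PORT:
        warnings.append(f"ldaps:// on the plain-LDAP port {LLDAP_LDAP_PORT}; lldap serves LDAPS on {LLDAP_LDAPS_PORT}")
    return warnings


def ldap_provider(realm_id: str, connection_url: str, bind_credential: str) -> dict:
    """Component representation of the user federation provider. Keycloak stores
    every config value as a one-element list of strings."""
    cfg = {
        "vendor": "other",
        "connectionUrl": connection_url,
        "useTruststoreSpi": "always",           # assumption, not in the post: validate the LDAPS cert
        "authType": "simple",
        "bindDn": f"cn=admin,ou=people,{BASE_DN}",
        "bindCredential": bind_credential,      # never hard-code this; it comes from the environment
        "editMode": "READ_ONLY",
        "usersDn": f"ou=people,{BASE_DN}",
        "usernameLDAPAttribute": "uid",
        "rdnLDAPAttribute": "uid",
        "uuidLDAPAttribute": "entryuuid",
        "userObjectClasses": "person",
        "pagination": "false",
        "importEnabled": "true",
        "syncRegistrations": "true",
        "fullSyncPeriod": "604800",             # weekly full sync
        "changedSyncPeriod": "86400",           # daily changed-users sync
        "usePasswordModifyExtendedOp": "true",  # the "LDAPv3 password" switch
        "enabled": "true",
    }
    return {"name": "lldap", "providerId": "ldap",
            "providerType": "org.keycloak.storage.UserStorageProvider",
            "parentId": realm_id, "config": {k: [v] for k, v in cfg.items()}}


def group_mapper(provider_id: str) -> dict:
    """Read-only group mapper over ou=groups; lldap groups are groupOfUniqueNames
    whose uniqueMember values are full user DNs."""
    cfg = {
        "groups.dn": f"ou=groups,{BASE_DN}",
        "group.name.ldap.attribute": "cn",
        "group.object.classes": "groupOfUniqueNames",
        "membership.ldap.attribute": "uniqueMember",
        "membership.attribute.type": "DN",
        "membership.user.ldap.attribute": "uid",
        "mode": "READ_ONLY",
        "user.roles.retrieve.strategy": "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE",
    }
    return {"name": "groups", "providerId": "group-ldap-mapper",
            "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
            "parentId": provider_id, "config": {k: [v] for k, v in cfg.items()}}


def admin_token() -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": os.environ["KC_ADMIN_USER"],
                                   "password": os.environ["KC_ADMIN_PASS"]}).encode()
    with urllib.request.urlopen(f"{KEYCLOAK}/realms/master/protocol/openid-connect/token", form) as r:
        return json.load(r)["access_token"]


def api(token: str, method: str, path: str, body=None):
    """Call /admin/realms/{REALM}{path}; returns parsed JSON, or the Location header
    (which carries the new object's id) for a create that sends no body back."""
    req = urllib.request.Request(f"{KEYCLOAK}/admin/realms/{REALM}{path}", method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        raw = r.read()
        return json.loads(raw) if raw else r.headers.get("Location", "")


if __name__ == "__main__":
    url = os.environ.get("LLDAP_URL", f"ldaps://ldapserver.example.com:{LLDAP_LDAPS_PORT}")
    for w in check_connection_url(url):
        print("warning:", w)
    tok = admin_token()
    realm_id = api(tok, "GET", "")["id"]
    provider_id = api(tok, "POST", "/components",
                      ldap_provider(realm_id, url, os.environ["LLDAP_BIND_PASS"])).rsplit("/", 1)[-1]
    api(tok, "POST", "/components", group_mapper(provider_id))
    # Keycloak auto-creates a "first name" mapper; point it at lldap's givenName.
    for m in api(tok, "GET", f"/components?parent={provider_id}&name={urllib.parse.quote('first name')}"):
        m["config"]["ldap.attribute"] = ["givenName"]
        api(tok, "PUT", f"/components/{m['id']}", m)
    print(api(tok, "POST", f"/user-storage/{provider_id}/sync?action=triggerFullSync"))
```

the final call is the rest equivalent of “sync all users”; keycloak answers with the added/updated/removed/failed counts, which is a handy check that the users dn and object class filter actually match what lldap serves.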

boom, keycloak users are now synced to an ldap server.

preserve the moment.