To sync your users and groups from your AD server in Keycloak:
- From the left-hand menu, click Configure > User federation.
- From the Add new provider dropdown, select LDAP.
- Input your connection details:
- Connection URL: The URL to connect to the LDAP server. Prefer ldaps:// (or ldap:// with Enable StartTLS turned on); over plain ldap:// the bind credentials and all directory data cross the network in clear text.
Example: ldap://exampleurl.for.ldap.com
- Bind type: The type of authentication method used during the bind. Select simple.
- Bind DN: The username or LDAP account that Keycloak will use to authenticate against the LDAP server. It is provided in the form of a distinguished name (DN).
Example: cn=clark kent,cn=users,dc=ensemblead,dc=archivas,dc=com
- Bind credentials: The password for the Bind DN account that Keycloak uses to authenticate to the LDAP server. Use a dedicated service account with read-only directory rights for this rather than an administrator account.
Example: start123 (placeholder only)
- Edit mode: Defines how Keycloak interacts with the LDAP server in terms of data management. Options are READ_ONLY (Keycloak never writes to LDAP), WRITABLE (changes made in Keycloak are written back to LDAP), or UNSYNCED (users are imported, and later edits are kept only in the Keycloak database).
Example: READ_ONLY
- Users DN: Specifies the base DN where Keycloak should look for users in the LDAP directory.
Example: cn=users,dc=ensemblead,dc=archivas,dc=com
- Username LDAP Attribute: The LDAP attribute whose value becomes the Keycloak username; it is used to map users between Keycloak and the external LDAP directory.
Example: cn (on Active Directory, sAMAccountName is the usual choice)
- RDN LDAP attribute: Specifies which attribute in the LDAP entry should be used as the Relative Distinguished Name (RDN).
Example: cn
- UUID LDAP attribute: The name of the LDAP attribute that uniquely identifies each user entry. Keycloak stores its value as the stable link to the LDAP user, so this field takes an attribute name, not a UUID value.
Example: objectGUID
- User object classes: Determines which LDAP object classes should be used when querying or creating user entries in the LDAP directory.
Example: person, top
- Click Save.
- From the User Federation page, select the new user federation you just created.
- Select the Mappers tab.
- Click Add mapper.
- Input your mapper details:
- Name: The name of the specific group mapper you are configuring.
Example: GroupMapper
- Mapper type: Defines the type of LDAP mapper you are creating.
Example: group-ldap-mapper
- LDAP Groups DN: The base Distinguished Name (DN) where Keycloak will search for groups in the LDAP directory.
Example: cn=users,dc=ensemblead,dc=archivas,dc=com
- Preserve Group Inheritance: Determines whether the LDAP group hierarchy is recreated as nested groups in Keycloak. When Off, all groups are imported as a flat list under the Groups Path.
Example: Off
- LDAP Filter: An optional filter for refining which groups are retrieved from the LDAP server.
Example: (objectClass=group)
- Groups Path: The Keycloak group path under which the LDAP groups are created or synced. It must start with / and the group at that path must already exist in Keycloak.
Example: /ldapprovider1
- Click Save.
- From the newly created mapper, click Action and select Sync LDAP Groups to Keycloak.
Important: By default, after adding an LDAP provider, the Manage > Users page lists no users until you search. To display all of them, type * in the search bar on that page and press Enter.
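The same provider and group mapper as the console procedure above, built as the component payloads that Keycloak's Admin REST API (POST /admin/realms/{realm}/components) and kcadm.sh accept, with pre-flight checks for the mistakes that are easiest to make on this page (plain ldap:// with no StartTLS, a UUID value in the UUID attribute field, a groups path without a leading /). This is an added example, not code from this page or from Keycloak. The config keys are the ones Keycloak uses for providerId "ldap" and "group-ldap-mapper"; the realm name, host, DNs, the REPLACE-ME credential and the check_* rules are this example's own constructed choices.

```python
"""Build Keycloak ComponentRepresentation payloads for an LDAP (AD) user
federation provider and its group mapper, and check them before submission.
Added example, not Keycloak's code; host, DNs, realm and credential below are
constructed sample values."""
import json
import re
import shlex
from urllib.parse import urlparse

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}
# Matches a UUID *value*; the UUID LDAP attribute field must hold an attribute *name*.
UUID_VALUE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def ldap_provider(name, connection_url, bind_dn, bind_credential, users_dn,
                  edit_mode="READ_ONLY", username_attr="cn", rdn_attr="cn",
                  uuid_attr="objectGUID", object_classes=("person", "top"),
                  start_tls=False):
    """Provider representation. Each config value is a one-element list (wire format)."""
    cfg = {
        "vendor": ["ad"],
        "connectionUrl": [connection_url],
        "authType": ["simple"],  # Bind type: simple
        "bindDn": [bind_dn],
        "bindCredential": [bind_credential],
        "editMode": [edit_mode],
        "usersDn": [users_dn],
        "usernameLDAPAttribute": [username_attr],
        "rdnLDAPAttribute": [rdn_attr],
        "uuidLDAPAttribute": [uuid_attr],
        "userObjectClasses": [", ".join(object_classes)],
        "startTls": ["true" if start_tls else "false"],
        "enabled": ["true"],
    }
    return {"name": name, "providerId": "ldap",
            "providerType": USER_STORAGE_TYPE, "config": cfg}


def group_mapper(name, parent_id, groups_dn, groups_path,
                 ldap_filter="(objectClass=group)", preserve_inheritance=False):
    """Mapper representation; parent_id is the id Keycloak returned for the provider."""
    cfg = {
        "groups.dn": [groups_dn],
        "groups.path": [groups_path],
        "groups.ldap.filter": [ldap_filter],
        "preserve.group.inheritance": ["true" if preserve_inheritance else "false"],
        "group.name.ldap.attribute": ["cn"],
        "group.object.classes": ["group"],
        "membership.ldap.attribute": ["member"],  # AD lists members as DNs
        "membership.attribute.type": ["DN"],
        "mode": ["READ_ONLY"],
    }
    return {"name": name, "parentId": parent_id, "providerId": "group-ldap-mapper",
            "providerType": LDAP_MAPPER_TYPE, "config": cfg}


def check_provider(rep):
    """Problems a practitioner wants caught before clicking Save."""
    c = {k: v[0] for k, v in rep["config"].items()}
    problems = []
    scheme = urlparse(c["connectionUrl"]).scheme
    if scheme not in ("ldap", "ldaps"):
        problems.append("connectionUrl must start with ldap:// or ldaps://")
    elif scheme == "ldap" and c["startTls"] != "true":
        problems.append("bind credential would cross the network in clear text: "
                        "use ldaps:// or enable StartTLS")
    if c["authType"] == "simple" and not (c["bindDn"] and c["bindCredential"]):
        problems.append("simple bind needs both bindDn and bindCredential")
    if c["editMode"] not in EDIT_MODES:
        problems.append("editMode must be one of " + ", ".join(sorted(EDIT_MODES)))
    if UUID_VALUE.match(c["uuidLDAPAttribute"]):
        problems.append("uuidLDAPAttribute takes an attribute name such as objectGUID, "
                        "not a UUID value")
    if not c["usersDn"].lower().startswith(("cn=", "ou=", "dc=")):
        problems.append("usersDn does not look like a distinguished name")
    return problems


def check_mapper(rep):
    c = {k: v[0] for k, v in rep["config"].items()}
    problems = []
    if not c["groups.path"].startswith("/"):
        problems.append("groups.path must be an absolute Keycloak group path such as /ldapprovider1")
    f = c["groups.ldap.filter"]
    if f and not (f.startswith("(") and f.endswith(")") and f.count("(") == f.count(")")):
        problems.append("groups.ldap.filter must be a parenthesised LDAP filter")
    return problems


def kcadm_create(realm, rep):
    """Render the kcadm.sh command that creates the component; config values
    are passed as JSON arrays, which is how kcadm sets multi-valued fields."""
    parts = ["kcadm.sh", "create", "components", "-r", realm]
    for key in ("name", "providerId", "providerType", "parentId"):
        if key in rep:
            parts += ["-s", shlex.quote(f"{key}={rep[key]}")]
    for key, value in rep["config"].items():
        parts += ["-s", shlex.quote(f"config.{key}={json.dumps(value)}")]
    return " ".join(parts)


if __name__ == "__main__":
    provider = ldap_provider("ad-ldap", "ldaps://dc01.example.com",
                             "cn=svc-keycloak,cn=users,dc=example,dc=com",
                             "REPLACE-ME", "cn=users,dc=example,dc=com")
    mapper = group_mapper("GroupMapper", "<id-returned-for-provider>",
                          "cn=users,dc=example,dc=com", "/ldapprovider1")
    for rep, check in ((provider, check_provider), (mapper, check_mapper)):
        for problem in check(rep):
            print("WARNING:", problem)
        print(kcadm_create("myrealm", rep))
```

Create the provider first, take the component id from the Location header (or from kcadm's "Created new component with id" output), and pass it as parent_id to the mapper; then trigger the group sync the same way the console does under Action > Sync LDAP Groups to Keycloak. Because kcadm_create puts the bind credential on the command line, run it from a script with restricted permissions rather than an interactive shell whose history is kept.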