Adding an LDAP provider with Keycloak

Content Intelligence Administration Guide
Version 3.0.x, Part Number MK-HCI000-19

To sync your users and groups from your AD server in Keycloak:

  1. From the left-hand menu, click Configure > User federation.
  2. From the Add new provider dropdown, select LDAP.
  3. Input your connection details:
    • Connection URL: The URL to connect to the LDAP server.

      Example: ldap://exampleurl.for.ldap.com

    • Bind type: The type of authentication method used during the bind. Select simple.
    • Bind DN: The username or LDAP account that Keycloak will use to authenticate against the LDAP server. It is provided in the form of a distinguished name (DN).

      Example: cn=clark kent,cn=users,dc=ensemblead,dc=archivas,dc=com

    • Bind credentials: The password for the Bind DN account that Keycloak uses to authenticate to the LDAP server.

      Example: start123

    • Edit mode: Defines how Keycloak interacts with the LDAP server in terms of data management. Options are READ_ONLY, WRITABLE, or UNSYNCED.

      Example: READ_ONLY

    • Users DN: Specifies the base DN where Keycloak should look for users in the LDAP directory.

      Example: cn=users,dc=ensemblead,dc=archivas,dc=com

    • Username LDAP Attribute: Used to map users between Keycloak and the external LDAP directory.

      Example: cn

    • RDN LDAP attribute: Specifies which attribute in the LDAP entry should be used as the Relative Distinguished Name (RDN).

      Example: cn

    • UUID LDAP attribute: The LDAP attribute whose value uniquely identifies each user in the LDAP directory.

      Example: 3f3e30a2-f882-4a6d-b0ea-482a21d81f24

    • User object classes: Determines which LDAP object classes should be used when querying or creating user entries in the LDAP directory.

      Example: person, top

  4. Click Save.
  5. From the User Federation page, select the new user federation you just created.
  6. Select the Mappers tab.
  7. Click Add mapper.
  8. Input your mapper details:
    1. Name: The name of the specific group mapper you are configuring.

      Example: GroupMapper

    2. Mapper type: Defines the type of LDAP mapper you are creating.

      Example: group-ldap-mapper

    3. LDAP Groups DN: The base Distinguished Name (DN) where Keycloak will search for groups in the LDAP directory.

      Example: cn=users,dc=ensemblead,dc=archivas,dc=com

    4. Preserve Group Inheritance: A setting that determines whether group inheritance from LDAP is preserved when syncing to Keycloak.

      Example: Off

    5. LDAP Filter: An optional filter for refining which groups are retrieved from the LDAP server.

      Example: (objectClass=group)

    6. Groups Path: Specifies the path in Keycloak under which the LDAP groups will be imported or synced.

      Example: /ldapprovider1

  9. Click Save.
  10. From the newly created mapper, click Action and select Sync LDAP Groups to Keycloak.
    Important: By default, after adding an LDAP provider in Keycloak, the user list does not show all of your users. To display them, type * in the search bar on the Manage > Users page and press Enter.
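The same provider and group mapper can be created through the Keycloak Admin REST API instead of the console. As an added example (not from this guide or from Keycloak's own code), the following Python builds the component payloads for steps 3 and 8 above, to be sent to POST /admin/realms/{realm}/components, and audits the connection settings before they are saved. The realm id placeholder, the objectGUID attribute (the UUID field takes an attribute name, not a UUID value; objectGUID is assumed for an AD server) and the LDAP_BIND_PASSWORD environment variable are assumptions.

```python
import os
from urllib.parse import urlparse

REALM_ID = "<realm-id>"  # placeholder: the realm's internal id, parentId of the provider

def build_ldap_provider(name, url, bind_dn, users_dn, edit_mode="READ_ONLY",
                        uuid_attr="objectGUID", start_tls=False):
    """LDAP user-federation component; Keycloak stores each config value as a list."""
    return {
        "name": name, "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": REALM_ID,
        "config": {
            "connectionUrl": [url],
            "authType": ["simple"],
            "bindDn": [bind_dn],
            # never hard-code the bind password; take it from the environment
            "bindCredential": [os.environ.get("LDAP_BIND_PASSWORD", "<unset>")],
            "editMode": [edit_mode],
            "usersDn": [users_dn],
            "usernameLDAPAttribute": ["cn"], "rdnLDAPAttribute": ["cn"],
            "uuidLDAPAttribute": [uuid_attr],  # an attribute name; objectGUID on AD (assumed)
            "userObjectClasses": ["person, top"],
            "startTls": [str(start_tls).lower()],
        },
    }

def build_group_mapper(provider_id, groups_dn, groups_path,
                       ldap_filter="(objectClass=group)"):
    """group-ldap-mapper component; its parentId is the LDAP provider's component id."""
    return {
        "name": "GroupMapper", "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": provider_id,
        "config": {
            "groups.dn": [groups_dn],
            "groups.ldap.filter": [ldap_filter],
            "preserve.group.inheritance": ["false"],
            "groups.path": [groups_path],
        },
    }

def audit_provider(provider):
    """Findings a reviewer would raise before saving this provider."""
    cfg, findings = provider["config"], []
    if urlparse(cfg["connectionUrl"][0]).scheme == "ldap" and cfg["startTls"][0] != "true":
        findings.append("simple bind over ldap:// without StartTLS sends the bind password in cleartext")
    if cfg["editMode"][0] == "WRITABLE":
        findings.append("WRITABLE edit mode lets the bind account modify directory entries")
    return findings
```

With the guide's values (ldap:// and a simple bind) the audit reports a cleartext finding; switching the URL to ldaps:// or enabling StartTLS clears it.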