You can integrate an LDAP provider with Keycloak to synchronize users and manage authentication through your existing directory service.
To sync users and groups from your Active Directory (AD) server into Keycloak:
- Click Configure > User federation.
- From the Add new provider list, select LDAP.
- Enter your connection details:
- Connection URL: The URL required to connect to the LDAP server. Prefer ldaps:// (or enable StartTLS) so that the bind password and directory data are not sent in cleartext.
Example: ldap://exampleurl.for.ldap.com
- Bind type: The type of authentication method used during the bind. Select simple.
- Bind DN: The LDAP account that Keycloak will use to authenticate against the LDAP server, given as a distinguished name (DN). Use a dedicated service account with read-only rights rather than an administrator account.
Example: cn=clark kent,cn=users,dc=ensemblead,dc=archivas,dc=com
- Bind credentials: The password for the Bind DN account that Keycloak uses to authenticate to the LDAP server.
- Edit mode: Defines how Keycloak manages data with the LDAP server. Choose READ_ONLY if LDAP is the source of truth and user data must remain unchanged. Use WRITABLE if Keycloak needs to update user data in LDAP (the Bind DN account then needs write access). Select UNSYNCED to import users into Keycloak's database and keep any later changes in Keycloak only, without writing them back to LDAP.
- Users DN: Specifies the base DN where Keycloak should look for users in the LDAP directory.
Example: cn=users,dc=ensemblead,dc=archivas,dc=com
- Username LDAP Attribute: The LDAP attribute whose value becomes the Keycloak username; Keycloak uses it to match a Keycloak user to its LDAP entry, so it must be unique within the Users DN.
Example: cn
- RDN LDAP attribute: Specifies which attribute in the LDAP entry should be used as the Relative Distinguished Name (RDN).
Example: cn
- UUID LDAP attribute: The LDAP attribute that uniquely and permanently identifies a user entry (objectGUID on Active Directory, entryUUID on most other LDAP servers). Keycloak tracks users by this value rather than by DN, so renames in the directory do not create duplicate users.
- User object classes: Determines which LDAP object classes should be used when querying or creating user entries in the LDAP directory.
Example: person, top
- Click Save.
- From the User Federation page, select the new user federation you just created.
- On the Mappers tab, click Add mapper.
- Provide the required mapper details:
- Name: The name of the specific group mapper you are configuring.
Example: GroupMapper
- Mapper type: Defines the type of LDAP mapper you are creating.
Example: group-ldap-mapper
- LDAP Groups DN: The base Distinguished Name (DN) where Keycloak will search for groups in the LDAP directory.
Example: cn=users,dc=ensemblead,dc=archivas,dc=com
- Preserve Group Inheritance: Determines whether nested LDAP groups are imported as nested (parent/child) groups in Keycloak. If disabled, all LDAP groups are mapped as flat top-level groups.
- LDAP Filter: An optional filter for refining which groups are retrieved from the LDAP server.
Example: (objectClass=group)
- Groups Path: Specifies the path in Keycloak under which the LDAP groups will be imported or synced.
Example: /ldapprovider1
- Click Save.
- From the newly created mapper, click Action and select Sync LDAP Groups to Keycloak.
Important: By default, after adding an LDAP provider in Keycloak, no users appear in the user list. This is expected behavior due to how Keycloak handles LDAP searches. To display users, go to Manage > Users, enter * in the User List search bar, and press Enter.
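The same provider and group mapper can be created without the console by posting component representations to the Keycloak Admin REST API. The following is an added example, not code from the Keycloak project or this page: it builds the two component payloads with the values used above, runs the checks a reviewer would want before saving (cleartext ldap:// without StartTLS, empty bind password, WRITABLE edit mode), and returns the REST paths behind the Sync LDAP Groups to Keycloak action. The realm name, the realm and component IDs, the bind password and the StartTLS flag are assumptions; the config key names follow the Admin REST API component format (every config value is a list of strings), so verify them against your Keycloak version before use.

```python
"""Keycloak LDAP provider + group mapper as Admin REST API components.

Added example, not Keycloak's own code. Realm/component IDs, the bind
password and startTls are assumed values; config keys follow the
component representation (values are lists of strings).
"""
import json
from urllib.parse import urlparse

USER_STORAGE_PROVIDER = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
EDIT_MODES = {"READ_ONLY", "WRITABLE", "UNSYNCED"}

# Finding texts reused by the tests below.
F_CLEARTEXT = "cleartext bind: use ldaps:// or enable StartTLS"
F_EMPTY_CRED = "empty bind credential: Keycloak would bind unauthenticated"
F_WRITABLE = "WRITABLE edit mode: bind account needs write rights; prefer READ_ONLY when LDAP is the source of truth"


def ldap_provider(realm_id, name, *, connection_url, bind_dn, bind_credential,
                  users_dn, edit_mode="READ_ONLY", username_attr="cn",
                  rdn_attr="cn", uuid_attr="objectGUID",
                  object_classes=("person", "top"), start_tls=False):
    """Component for Configure > User federation > Add new provider > LDAP."""
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"edit mode must be one of {sorted(EDIT_MODES)}")
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": USER_STORAGE_PROVIDER,
        "parentId": realm_id,  # internal id of the realm (assumed)
        "config": {
            "connectionUrl": [connection_url],
            "authType": ["simple"],  # Bind type: simple
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "editMode": [edit_mode],
            "usersDn": [users_dn],
            "usernameLDAPAttribute": [username_attr],
            "rdnLDAPAttribute": [rdn_attr],
            "uuidLDAPAttribute": [uuid_attr],
            # Keycloak stores the classes as one comma-separated string.
            "userObjectClasses": [", ".join(object_classes)],
            "startTls": ["true" if start_tls else "false"],
        },
    }


def group_mapper(provider_id, name, *, groups_dn,
                 ldap_filter="(objectClass=group)", groups_path="/ldapprovider1",
                 preserve_inheritance=True):
    """group-ldap-mapper component attached to the LDAP provider above."""
    return {
        "name": name,
        "providerId": "group-ldap-mapper",
        "providerType": LDAP_MAPPER,
        "parentId": provider_id,  # id of the LDAP provider component
        "config": {
            "groups.dn": [groups_dn],
            "groups.ldap.filter": [ldap_filter],
            "groups.path": [groups_path],
            "preserve.group.inheritance": ["true" if preserve_inheritance else "false"],
            "mode": ["READ_ONLY"],
        },
    }


def security_findings(provider):
    """Checks to run on the provider payload before POSTing it."""
    cfg = provider["config"]
    findings = []
    if urlparse(cfg["connectionUrl"][0]).scheme == "ldap" and cfg["startTls"][0] != "true":
        findings.append(F_CLEARTEXT)
    if not cfg["bindCredential"][0]:
        findings.append(F_EMPTY_CRED)
    if cfg["editMode"][0] == "WRITABLE":
        findings.append(F_WRITABLE)
    return findings


def sync_groups_path(realm, provider_id, mapper_id):
    """REST path behind the mapper's Action > Sync LDAP Groups to Keycloak."""
    return (f"/admin/realms/{realm}/user-storage/{provider_id}"
            f"/mappers/{mapper_id}/sync?direction=fedToKeycloak")


def sync_users_path(realm, provider_id):
    """REST path for a full user sync of the provider."""
    return f"/admin/realms/{realm}/user-storage/{provider_id}/sync?action=triggerFullSync"


if __name__ == "__main__":
    prov = ldap_provider("realm-uuid", "ad-ldap",
                         connection_url="ldap://exampleurl.for.ldap.com",
                         bind_dn="cn=clark kent,cn=users,dc=ensemblead,dc=archivas,dc=com",
                         bind_credential="assumed-password",
                         users_dn="cn=users,dc=ensemblead,dc=archivas,dc=com")
    print(json.dumps(prov, indent=2))
    for f in security_findings(prov):
        print("WARNING:", f)
```

POST the provider to `/admin/realms/{realm}/components`, take the `id` Keycloak returns, use it as `parentId` of the mapper payload, POST the mapper the same way, then POST to the sync path. The example provider above uses the page's ldap:// URL on purpose so that `security_findings` flags it.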