Keycloak: LDAP User Federation

  • Published 27 Aug 2024

Comments • 38

  • @joseluisfernandez5981 · 2 years ago · +1

    Great video. Muchas gracias!

  • @seanharricharan7602 · 1 year ago

    So when a user changes their password, does that automatically get synced to keycloak?

  • @PranaTechCh · 2 years ago · +1

    Hello Lukasz, great explanation, thank you.
    Do you know if the opposite is doable? I mean, have the same link between Keycloak and LDAP but centralize users within Keycloak and then export / sync them to LDAP. I have all my users within Keycloak (and am happy with that), and now I'd like to add Samba / LDAP authentication to this, using my Keycloak. Any idea?

    • @ukaszbudnik9618 · 1 year ago

      I'm not sure if I understood you correctly. Do you want to use Keycloak as an LDAP server and use it to perform LDAP-based authentication? I don't think this is possible. For such scenarios a common deployment pattern is to have an LDAP server running side-by-side with Keycloak with automatic user sync enabled (in Keycloak set Sync Registrations to "on").

    • @PranaTechCh · 1 year ago · +1

      @ukaszbudnik9618 ok, thanks Lukasz, it makes sense. We've abandoned this scenario since that comment. Keycloak is great as is, no need to add LDAP. We are progressively stopping using Samba and replacing it with Keycloak.

  • @mersanihanene9246 · 2 years ago

    Hello Lukasz, thank you for the explanation.
    I have a question please: when using user federation, is SSO enabled between an application that uses Keycloak for authentication and another application that uses LDAP for authentication, or not?

    • @ukaszbudnik9618 · 1 year ago

      If I understood you correctly, you want to use LDAP to authenticate users in Keycloak? That's not possible, because Keycloak is not an LDAP server. You can set up Keycloak to read/authenticate users from LDAP, but when you talk to Keycloak you either use OIDC or SAML 2.0.

  • @karamsk9959 · 3 years ago

    Hi Lukasz, does the user have to be synced to Keycloak before they even try to authenticate? In the sync, will the user password be captured and stored in the Keycloak database?

    • @ukaszbudnik9618 · 3 years ago

      Hi Karams, you need to sync LDAP users to Keycloak first. Otherwise Keycloak will return an "invalid username or password" error. However, the passwords are not imported and the validation is always delegated to the LDAP server.

  • @user-nl7so9ht8z · 1 year ago

    Hi,
    Can you share how to create a user in LDAP using postman with Sync User Registration enabled in Keycloak?

  • @NikiTrombin · 1 year ago

    Great video! It was really helpful.
    I just need to do one more thing.
    Basically, if I delete a user from LDAP in JumpCloud, how can it be automatically deleted in our Keycloak database without having to delete it manually?
    It is something that I'm trying to do but I'm not able to do it.
    Thanks!

  • @senoremc4628 · 1 year ago

    Hello, thanks for the tutorial!
    I don't understand where I can find the bind credentials.
    When I create a user and select "enable as LDAP Bind DN", where can I create a password for the user?
    Thanks!

    • @ukaszbudnik9618 · 1 year ago

      Hey, try this: support.jumpcloud.com/support/s/article/resetting-forgotten-or-lost-passwords-and-mfa-totp-keys1#AdminResettingaUserPasswordforaUser

  • @loganphan2043 · 2 years ago

    Hi Lukasz,
    How do you get the Bind Credential? Is it your JumpCloud admin password?

    • @ukaszbudnik9618 · 1 year ago

      I created a dedicated integration user in JumpCloud (and then added LDAP Bind DN permissions). The credentials are for this integration user; this is not the JumpCloud admin password.

    • @senoremc4628 · 1 year ago

      @ukaszbudnik9618 hello, thanks for the tutorial!
      I don't understand where I can find the bind credentials either.

    • @ukaszbudnik9618 · 1 year ago

      @senoremc4628 Create a new user in JumpCloud (this will be the integration user), give this user the LDAP Bind permission, and finally use this user (and its credentials) in the Keycloak LDAP configuration.
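The two answers above describe the shape of a sane LDAP federation setup: a dedicated integration account as the bind identity, and "Sync Registrations" turned on so users created in Keycloak are written back to the directory. The following is an added example (not code from the video or from any commenter) in Python that assembles the component body Keycloak's admin REST API accepts at `POST /admin/realms/{realm}/components` for an LDAP provider, and runs a few checks for the configuration mistakes this thread circles around. Hostnames, DNs, the realm name and the `KEYCLOAK_TOKEN` environment variable are constructed placeholders; the config keys are the ones Keycloak uses for its LDAP provider, but treat the exact set of keys as an assumption to verify against the Keycloak version you run.

```python
"""Build and sanity-check a Keycloak LDAP user-federation component.

Added example, not part of the original video or comments. Values such as
the realm name, hostnames and DNs are constructed placeholders.
"""
import json
import os
import urllib.request
from typing import Dict, List


def ldap_component(realm: str, name: str, connection_url: str, users_dn: str,
                   bind_dn: str, bind_credential: str, *,
                   sync_registrations: bool = True,
                   edit_mode: str = "WRITABLE") -> Dict:
    """Return the component representation for a Keycloak LDAP provider.

    Keycloak stores every config value as a list of strings, hence the
    single-element lists. parentId is the realm's internal id, which is
    assumed here to equal the realm name.
    """
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm,
        "config": {
            "enabled": ["true"],
            "vendor": ["other"],
            "connectionUrl": [connection_url],
            "usersDn": [users_dn],
            # A dedicated integration account, never a human admin's login.
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "editMode": [edit_mode],
            # Write users registered in Keycloak back to the directory.
            "syncRegistrations": [str(sync_registrations).lower()],
            # Users are imported, but passwords stay in LDAP; Keycloak
            # delegates password validation to the directory on every login.
            "importEnabled": ["true"],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "useTruststoreSpi": ["always"],
            "startTls": ["false"],
        },
    }


def config_findings(component: Dict) -> List[str]:
    """Return human-readable problems with the component; empty when it is sane."""
    cfg = component["config"]

    def first(key: str) -> str:
        return (cfg.get(key) or [""])[0]

    findings: List[str] = []
    url = first("connectionUrl")
    if not url.startswith("ldaps://") and first("startTls") != "true":
        findings.append("plaintext LDAP: bind credentials and user passwords "
                        "cross the network unencrypted")
    if first("authType") == "none" or not first("bindDn"):
        findings.append("anonymous bind: no dedicated integration identity "
                        "for Keycloak to authenticate with")
    if first("syncRegistrations") == "true" and first("editMode") != "WRITABLE":
        findings.append("syncRegistrations is only honoured in WRITABLE edit "
                        "mode; new users would not reach LDAP")
    return findings


def post_component(base_url: str, realm: str, token: str, component: Dict) -> int:
    """POST the component to Keycloak; returns the HTTP status (201 on success)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholder values; adjust to your own directory.
    comp = ldap_component(
        realm="demo", name="jumpcloud-ldap",
        connection_url="ldaps://ldap.example.invalid:636",
        users_dn="ou=Users,o=ORGID,dc=jumpcloud,dc=com",
        bind_dn="uid=keycloak-integration,ou=Users,o=ORGID,dc=jumpcloud,dc=com",
        bind_credential=os.environ.get("LDAP_BIND_PASSWORD", "placeholder"))
    problems = config_findings(comp)
    print("findings:", problems or "none")
    if not problems and os.environ.get("KEYCLOAK_TOKEN"):
        print("status:", post_component("https://keycloak.example.invalid",
                                        "demo", os.environ["KEYCLOAK_TOKEN"], comp))
```

Only the bind credential needs to be secret, and it belongs to the integration account, which is why the example reads it from the environment rather than from a literal; the checks refuse the two combinations commenters ran into, plaintext `ldap://` without StartTLS and a Sync Registrations switch on a provider that cannot write.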

  • @syanansy1259 · 3 years ago

    Hi Lukasz, I have also configured an IdP and LDAP. We have a custom login page where we are able to choose the IdP. How do we have to change the *.ftl template so that the user can choose between the IdP and LDAP?

    • @ukaszbudnik9618 · 3 years ago

      Hi Syan, not sure if I understand you correctly. LDAP user federation synchronises users to Keycloak. Once you have synced the LDAP directory, LDAP users can log in directly to Keycloak using their LDAP credentials. You don't have to (in fact it's not even possible to) display a separate login for LDAP users.

  • @subhashd8146 · 2 years ago

    Can you explain Kerberos in user federation?

    • @ukaszbudnik9618 · 1 year ago

      Not sure if I understand the question, but yes, Keycloak supports Kerberos: www.keycloak.org/docs/latest/server_admin/#_kerberos

  • @vishnum9190 · 3 years ago

    Hi Lukasz, thanks for the detailed explanation. I have Keycloak installed on my local Windows machine and tried the same LDAP connectivity with JumpCloud. "Test connection" and "Test authentication" were both successful, but when I tried to synchronize users it says the sync was successful and 0 users were imported. I have 2 users in my LDAP and it is still not able to import those 2 users. Any advice on this would be much appreciated!

    • @ukaszbudnik9618 · 3 years ago

      Hi Vishnu,
      In JumpCloud you have to explicitly add a user to the LDAP directory. Users are not automatically added to the LDAP directory. When you go to the LDAP directory page, you can either add a group of users in the "User Groups" tab or individual users on the "Users" tab. Just make sure the checkbox is on. You can test this using the ldapsearch tool as I showed in the video. Good luck!
      cheers,
      Łukasz

    • @vishnum9190 · 3 years ago

      @ukaszbudnik9618 Thank you! Can you please do a video on how to integrate Keycloak with MySQL?

    • @ukaszbudnik9618 · 3 years ago

      Hi Vishnu,
      The Keycloak Docker image comes with MySQL drivers. Once you have a MySQL server deployed, all that is left is to change the Keycloak DB env variables to MySQL ones. Take a look at the official Keycloak example: github.com/keycloak/keycloak-containers/blob/master/docker-compose-examples/keycloak-mysql.yml
      Good luck!
      Łukasz

    • @xiankunli6245 · 3 years ago

      @ukaszbudnik9618 Hi Lukasz, thanks for your detailed explanation. Now I face the same problem and I've added some users to the LDAP directory, but it doesn't work. Could you teach me how to manage the users' attributes to fix this issue? Thanks.

    • @ukaszbudnik9618 · 3 years ago

      @xiankunli6245 Hi, if we are talking about JumpCloud, users must be granted access to the JumpCloud LDAP directory either individually or via a group. See support.jumpcloud.com/support/s/article/using-jumpclouds-ldap-as-a-service1 for more information. You need to explicitly add users to LDAP, otherwise JumpCloud LDAP will return an empty user list.

  • @sanruzio · 3 years ago

    Can it be done over LDAPS?

    • @ukaszbudnik9618 · 3 years ago · +1

      I think so. I always use LDAPS for better security. I always use encryption in transit. I didn't try to configure plain LDAP, only LDAPS. You'll have to test this.

  • @ozdemirrulass · 6 months ago

    1:20 🤣

  • @dhrubajyotimukherjee3990 · 2 years ago

    Hello Lukasz, I am facing the error below when trying LDAPS.
    Kindly comment on the error below.
    06:10:23,341 ERROR [org.keycloak.services] (default task-18) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: : javax.naming.CommunicationException: simple bind failed: :636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]].

    • @ukaszbudnik9618 · 1 year ago

      The LDAP server is using the deprecated TLS 1.0 (as a matter of fact, TLS 1.1 is also deprecated). That is why Keycloak sent the preferences TLS 1.3 and TLS 1.2. If this is a problem for you and you need to use legacy/insecure encryption mechanisms, you may want to reach out to the Keycloak mailing list and ask for help there.
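The KC-SERVICES0055 line quoted in the question contains everything needed to decide whose side the problem is on: the protocol version the LDAP server picked and the versions Keycloak's JVM was willing to accept. The following is an added example (not code from the video or the commenters) in Python that parses that log format, extracts the port, the server-selected version and the client preference list, and flags the case where the server is stuck on a deprecated protocol, which is the situation the answer above describes. The sample log line is a copy of the one posted in the thread; the triage wording is this editor's, not Keycloak's.

```python
"""Triage Keycloak 'simple bind failed' TLS handshake errors.

Added example, not part of the original video or comments. It parses the
KC-SERVICES0055 log line shape shown in the thread and reports whether the
LDAP server offered a deprecated TLS version.
"""
import re
from typing import Dict, List, Optional

# TLS 1.0 and 1.1 are deprecated (RFC 8996); SSLv3 and SSLv2Hello are older still.
DEPRECATED_TLS = {"TLS10", "TLS11", "SSLv3", "SSLv2Hello"}

HANDSHAKE_RE = re.compile(
    r"KC-SERVICES0055: Error when authenticating to LDAP: .*?"
    r"The server selected protocol version (?P<server>\w+) is not accepted by "
    r"client preferences \[(?P<client>[^\]]*)\]")

# Keycloak prints the target as 'host:port' after 'simple bind failed:'.
# In the thread's line the host is empty, so the host group may match "".
ENDPOINT_RE = re.compile(r"simple bind failed: (?P<host>[^\s:]*):(?P<port>\d+)")


def parse_ldap_tls_error(line: str) -> Optional[Dict]:
    """Return the parsed handshake failure, or None if the line is not one."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    client: List[str] = [v.strip() for v in m.group("client").split(",") if v.strip()]
    server = m.group("server")
    ep = ENDPOINT_RE.search(line)
    return {
        "server_version": server,
        "client_versions": client,
        "server_deprecated": server in DEPRECATED_TLS,
        "host": ep.group("host") if ep else "",
        "port": int(ep.group("port")) if ep else None,
    }


def triage(line: str) -> str:
    """One-line assessment suitable for an incident note."""
    info = parse_ldap_tls_error(line)
    if info is None:
        return "not an LDAP TLS handshake failure"
    where = f"{info['host'] or '<host not logged>'}:{info['port']}"
    if info["server_deprecated"]:
        return (f"LDAP server at {where} negotiated {info['server_version']}, "
                f"which is deprecated; Keycloak accepts {', '.join(info['client_versions'])}. "
                "Fix is on the directory side: enable TLS 1.2 or 1.3 there.")
    return (f"LDAP server at {where} offered {info['server_version']} but Keycloak "
            f"only accepts {', '.join(info['client_versions'])}; review the JVM "
            "TLS settings on the Keycloak side.")


# Constructed sample: a copy of the log line posted in the thread.
SAMPLE_LINE = (
    "06:10:23,341 ERROR [org.keycloak.services] (default task-18) KC-SERVICES0055: "
    "Error when authenticating to LDAP: simple bind failed: : "
    "javax.naming.CommunicationException: simple bind failed: :636 "
    "[Root exception is javax.net.ssl.SSLHandshakeException: The server selected "
    "protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]]."
)

if __name__ == "__main__":
    print(triage(SAMPLE_LINE))
```

Running it against the thread's line reports that the server negotiated TLS10 while the client accepted TLS13 and TLS12, pointing the fix at the directory rather than at Keycloak, which matches the answer above.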