Connecting Keycloak to Active Directory¶
Keycloak can federate external user databases. Out of the box support for LDAP (Active Directory) and Kerberos is provided.
To configure the federation proceed als follows:
-
In your Web browser, open the Keycloak user interface: https://localhost:32769
-
Open the
Administration Console
. -
Log on with the pre-configured user
admin
and passwordSealAdmin1
. -
In the
Configure
menu on the left, selectUser Federation
to display the entry dialog. -
In the drop-down menu, select
ldap
. -
Enter your
ldap
configuration according to the following table:Name Example Value Comment Edit Mode READ_ONLY Set LDAP backend to read only Vendor Active Directory Selecting the vendor sets up various attributes automatically Username LDAP attribute sAMAccountName The login user. Default is cn
RDN LDAP attribute cn For Active Directory it's common to use cn
as RDNUUID LDAP attribute objectGUID For Active Directory the UUID should be objectGUID
User Object Classes person, organizationalPerson, user For Active Directory keep the default value Connection URL LDAP://<fqdn>:389 Connection URL to your AD server, for secure connection use LDAPS://<fqdn>:636
Users DN OU=users,DC=example,DC=com Full DN of LDAP tree where your users are Bind DN CN=admin,OU=serviceaccounts,DC=example,DC=com DN of LDAP admin, which will be used to access LDP server Bind Credential Password of LDAP admin configured in Bind DN
Search Scope Subtree Search full tree below Users DN
. Default isOne Level
-
Save your settings.
Caution - later changes
When you save the settings of the user federation for the first time, Keycloak adds the mappings for the previously entered LDAP settings in the
Mappers
tab. These have to be updated manually, when you change the settings. This is not done automatically.
Hint - Log file
LDAP errors will be logged in the C:\ProgramData\SEAL Systems\log\seal-keycloak.log
file.