How to Set Up User Federation Using LDAP on Keycloak

I was recently tasked with setting up Keycloak as the identity management tool for our Kibana UI. I have decided to share the process I used to integrate my Active Directory with Keycloak using LDAP as a provider.
This assumes you have already set up your realm and are about to add the users that will access your applications. I also presume you already have an AD setup that contains all the users you want to give access to your Kibana UI.

As shown in the image below, on my Keycloak UI I choose the User Federation menu. I then go to the Add provider option and choose LDAP as my provider.

On the next screen I add the inputs needed for my configuration.

  • Left Enabled ON
  • Decided to go with LDAP as my Console Display Name
  • Left my Priority at 0
  • I turned Import Users ON to enable all users configured on my AD to be synced to Keycloak
  • Set my Edit Mode to READ_ONLY
  • Set Sync Registrations ON to enable newly created users to be synced to the LDAP store
  • I set my Vendor to “Active Directory”, as I had stated earlier that I will be making use of my AD user profile
  • Set Username LDAP attribute to “userPrincipalName”.
  • I set my RDN LDAP attribute to “cn”
  • Set UUID LDAP attribute to “objectGUID”. When using Active Directory, the UUID attribute is objectGUID.
  • Set User Object Classes to “top, person, organizationalPerson, user”; the commas are mandatory.
  • Set Connection URL to “ldap://ad.test.company.services:3268”; replace this with your AD URL. Go ahead and test the connection to validate it.
  • Set your Users DN in this format: “OU=Users,OU=test,DC=test,DC=corp”. Users DN refers to the full DN of the LDAP tree where your users are.
  • Set Bind Type to “simple”. Bind type refers to the type of authentication used during the LDAP bind operation.
  • Set Enable StartTLS to “OFF” since I was not encrypting the connection.
  • Set Bind DN to “CN=joiner,OU=Users,OU=arca,DC=arca,DC=corp”. I had initially created a user called joiner on my AD to use for setting up Keycloak, so I went ahead and used that user. You can go ahead and use your own credentials. I tried to keep this as generic as possible.
  • Set the bind credentials. This is the password for the joiner user created in AD.

  • Set Custom User LDAP Filter to: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=Software Engineers,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Product,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Settlement,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Tech Support,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=DevOps,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=TechOps,ou=Users,ou=test,dc=test,dc=corp))). The number of memberOf clauses depends on how many groups you have set up on your AD.
  • Set Search Scope to “One Level”. With One Level, the search applies only to users in the DNs specified by Users DN. See the LDAP documentation for more details.
  • Set Validate Password Policy to “OFF”; you can set it otherwise if needed.
  • Set Trust Email ON. You can set it otherwise if needed.
  • Set Use Truststore SPI to “Only for ldaps”. This specifies whether the LDAP connection will use the truststore configured in standalone.xml/domain.xml. You have three options: “Always”, “Never” and “Only for ldaps”. My connection URL uses ldap, hence my choice of “Only for ldaps”.
  • Left Connection Timeout empty
  • Also left Read Timeout empty
  • Set Pagination ON
  • Since I was not using Kerberos, I left Kerberos Integration at its defaults
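
The Custom User LDAP Filter above grows with every AD group you add, and a group name containing a comma or a parenthesis would break it if pasted in as-is. The following is an added example, not part of the original post: a small Python builder that generates the same filter from a list of group names, applying DN escaping (RFC 4514) first and filter escaping (RFC 4515) second. The function names and the “Ops (EU), Tier 1” group are assumptions made up for illustration.

```python
"""Added example (not from the original post): build the Custom User LDAP Filter."""

# Assumed names: escape_dn_value, escape_filter_value, build_user_filter, PAGE_GROUPS.
GROUPS_BASE_DN = "ou=Users,ou=test,dc=test,dc=corp"   # base DN used in the post's filter
PAGE_GROUPS = ["Software Engineers", "Product", "Settlement",
               "Tech Support", "DevOps", "TechOps"]    # groups named in the post


def escape_dn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514, e.g. a comma inside a group name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot change the filter structure."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(group_cns, groups_base_dn=GROUPS_BASE_DN):
    """Return the AND/OR filter from the post for any number of groups.

    groups_base_dn is taken as an already well-formed DN and only filter-escaped.
    """
    if not group_cns:
        raise ValueError("at least one group CN is required")
    clauses = []
    for cn in group_cns:
        # Two layers: DN escaping first, then filter escaping of the whole DN.
        dn = f"cn={escape_dn_value(cn)},{groups_base_dn}"
        clauses.append(f"(memberOf={escape_filter_value(dn)})")
    return f"(&(objectCategory=Person)(sAMAccountName=*)(|{''.join(clauses)}))"


if __name__ == "__main__":
    print(build_user_filter(PAGE_GROUPS))
    # A constructed group name with a comma and parentheses, to show the escaping.
    print(build_user_filter(["Ops (EU), Tier 1"]))
```

Run with the six groups from the post, it reproduces the filter shown above; paste the output into the Custom User LDAP Filter field.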

Sync Settings

  • Set Batch Size to 1000
  • Set Periodic Full Sync ON
  • Set Full Sync Period to 3600
  • Set Periodic Changed Users Sync ON
  • Set Changed Users Sync Period to 3600

Cache Settings

  • Set Cache Policy to NO_CACHE.

Save your configuration

Choose the synchronize with all users tab.

A new tab called Mapper comes up. It is necessary to map user groups on the LDAP server. My next post will show how the Mapper configuration is done.

