I was recently tasked with setting up Keycloak as the identity management tool for our Kibana UI. I have decided to share the process I used to integrate our Active Directory with Keycloak, using LDAP as the user federation provider.
This assumes you have already set up your realm and are about to add the users that will access your applications. I also presume you already have an AD in place that contains all the users who should be able to reach the Kibana UI.
As shown in the image below, in the Keycloak admin console I open the User Federation menu, click the Add provider dropdown and choose LDAP as the provider.
On the next screen I fill in the inputs needed for my configuration.
- Left enabled on
- Decided to go with LDAP as my console display name
- Left my priority at 0
- Turned Import Users ON so that all users matched on my AD are synced into Keycloak's local database
- Set Edit Mode to READ_ONLY, so Keycloak never writes changes back to AD
- Set Sync Registrations ON so that users created in Keycloak are also created in the LDAP store. Note that this needs write access to AD, which READ_ONLY edit mode does not give; with READ_ONLY, new registrations cannot be created in AD, so the setting only takes effect if you switch Edit Mode to WRITABLE.
- I set my Vendor to “Active Directory” as I had earlier stated that I will be making use of my AD user profile
- Set user LDAP attribute to “userPrincipalName”.
- I set my RDN LDAP attribute to “cn”
- Set UUID LDAP attribute to "objectGUID". For Active Directory the UUID attribute is objectGUID; it never changes, so renaming a user in AD does not break the link to the Keycloak user.
- Set User Object Classes to "top, person, organizationalPerson, user"; the list is comma-separated, so the commas are mandatory.
- Set Connection URL to "ldap://ad.test.company.services:3268" (replace this with your own AD host). Port 3268 is the Global Catalog port; 389 is the standard LDAP port for a single domain. Go ahead and test the connection to validate. Keep in mind that plain ldap:// is unencrypted: the bind password, and every user's password at login, crosses the network in the clear. Prefer ldaps:// (636, or 3269 for the Global Catalog) or StartTLS outside a lab.
- Set Users DN in the format "OU=Users,OU=test,DC=test,DC=corp". Users DN is the full DN of the LDAP subtree where your users live.
- Set Bind Type to "simple". The bind type is the authentication method used for the LDAP bind operation; a simple bind sends the bind DN and password as-is and relies on the transport for confidentiality.
- Set Enable StartTLS to "OFF", since I was not encrypting the connection.
- Set Bind DN to "CN=joiner,OU=Users,OU=arca,DC=arca,DC=corp". I had initially created a user called joiner in my AD to use for setting up Keycloak, so I used that user here. You can go ahead and use your own credentials, but a dedicated service account with read-only access to the users OU is preferable, since this password is stored in Keycloak's configuration and should not be tied to a person. I tried to keep this as generic as possible.
- Set Bind Credential. This is the password of the joiner user created in AD.
- Set Custom User LDAP Filter to: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=Software Engineers,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Product,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Settlement,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Tech Support,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=DevOps,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=TechOps,ou=Users,ou=test,dc=test,dc=corp))). Add or remove (memberOf=...) clauses depending on which AD groups should be allowed in. Keycloak requires the filter to start with "(" and end with ")". Note that memberOf only matches direct membership, so users who belong to one of these groups through a nested group are not picked up by this filter.
- Set Search Scope to "One Level". With one level the search only covers entries directly under the Users DN; choose "Subtree" if your users sit in OUs nested below it.
- Set Validate Password Policy to “OFF” you can set otherwise if needed.
- Set Trust Email ON. You can set it otherwise if need be.
- Set Use Truststore SPI to "Only for ldaps". This specifies whether the LDAP connection uses the truststore configured in standalone.xml/domain.xml. The three options are "Always", "Never" and "Only for ldaps". Since my connection URL uses plain ldap://, the truststore is not consulted under this setting at all; it only comes into play once you switch the URL to ldaps://, which is when server certificate validation matters.
- Left Connection Timeout empty
- Also left Read Timeout empty
- Set Pagination ON
- Since I was not using Kerberos, I left Kerberos Integration at its default.
Sync Settings
- Set Batch Size to 1000
- Set Periodic Full Sync ON
- Set Full Sync Period to 3600 (seconds, i.e. hourly)
- Set Periodic Changed Users Sync ON
- Set Changed Users Sync Period to 3600 (seconds)
Cache Settings
- Set Cache Policy to NO_CACHE. Every user lookup then goes to AD, which keeps Keycloak in step with AD at the cost of more LDAP traffic.
Save your configuration
Click "Synchronize all users" to run the first import.
A new tab called Mappers now appears. It is used to map user groups (and attributes) from the LDAP server into Keycloak. My next post will show how the mapper configuration is done.