Living in a DevOps World.

Dennis Otugo

How to Setup User Federation using LDAP on Keycloak

in

I recently was tasked to set up keycloak as the identity management tool for our kibana UI. I have decided to share the processes I used at integrating my active directory to Keycloak using LDAP as a provider.
Assuming you have set up your realm and you are about to add users that will access your applications. However, I presume you already have an AD setup that contains a list of all the users you want to access your kibana UI.

As shown in the image below. On my keycloak UI, I choose the user federation menu. I go ahead to choose the Add provider band and choose LDAP as my provider.

In the next screen i need to add the necessary inputs i need for my configuration.

  • Left enabled on
  • Decided to go with LDAP as my console display name
  • Left my priority at 0
  • I turned on import users menu to enable all uses configured on my AD to be synced to keycloak
  • Set my Edit Mode to READ_ONLY
  • Set Sync registration ON to enable newly created users to be synced to LDAP store
  • I set my Vendor to “Active Directory” as I had earlier stated that I will be making use of my AD user profile
  • Set user LDAP attribute to “userPrincipalName”.
  • I set my RDN LDAP attribute to “cn”
  • Set UUID LDAP attribute to “objectGUID”.  when using active directory UUID attribute is objectGUID.
  • Set User Object Classes  “top, person, organizationalPerson, user”, the commas are mandatory.
  • Set  Connection URL  to “ldap://ad.test.company.services:3268” replace this with your AD url. Go ahead to test the connection to validate.
  • Set your Users DN to this format “OU=Users,OU=test,DC=test,DC=corp”. Users DN refers to the full name of your ADAP tree were your users are.
  • Set Bind Type to “simple”. Bind type refers to the type of authentication used during the authentication of LDAP bind operation
  • Set Enable StartTLS  “OFF” since I was not encrypting
  • Set Bind DN “CN=joiner,OU=Users,OU=arca,DC=arca,DC=corp”. I had initially created a user called to joiner on my AD to use to setup keycloak. So I went ahead to use that user to setup keycloak. You ca. go ahead and use your own credentials to setup. I tried to keep this a generic as possible.
  • Set bind credentials. This is the password for the CN joiner user created in AD.

  • Set to Custom User LDAP Filter: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=Software Engineers,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Product,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Settlement,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Tech Support,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=DevOps,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=TechOps,ou=Users,ou=test,dc=test,dc=corp))). Depending on how many groups you have setup on your AD.
  • Set  Search Scope  to “One Level”. For one level, the search applies only for users in the DNs specified by User DNs. See LDAP documentation for more details.
  • Set Validate Password Policy to “OFF” you can set otherwise if needed.
  • Set Trust Email ON. You can set it otherwise if need me.
  • Set Use Truststore SP to “Only for ldaps”. This specifies whether LDAP connection will use the truststore configured in standalone.xml/domain.xml. You have three fields from “Always, Never, Only ldap”.  because my connection URL uses ldap hence my choice to use “Only for ldap”.
  • Left Connection Timeout empty
  • Also left Read Timeout empty
  • Set Pagination ON
  • Since I was not using Kerberos I left Kerberos Integration default/

Sync Settings

  • Set Batch Size  to 1000
  • Set Periodic Full Sync  ON
  • Set Full Sync Period to 3600
  • Set Periodic Changed Users Sync ON
  • Set Changed Users Sync Period  to 3600

Cache Settings

  • Set Cache Policy to NO_CACHE.

Save your configuration

Choose the synchronize with all users tab.

A new Tab comes up called Mapper.  it is necessary to map user groups on the LDAP server. My next post will show how Mapper configuration will be done.


Do you have any question, suggestion, or a correction? Do let me know at [email protected]



Follow

Instagram / LinkedIn

Designed with WordPress