I recently was tasked to set up keycloak as the identity management tool for our kibana UI. I have decided to share the processes I used at integrating my active directory to Keycloak using LDAP as a provider.
Assuming you have set up your realm and you are about to add users that will access your applications. However, I presume you already have an AD setup that contains a list of all the users you want to access your kibana UI.

As shown in the image below. On my keycloak UI, I choose the user federation menu. I go ahead to choose the Add provider band and choose LDAP as my provider.

In the next screen i need to add the necessary inputs i need for my configuration.

• Left enabled on
• Decided to go with LDAP as my console display name
• Left my priority at 0
• I turned on import users menu to enable all uses configured on my AD to be synced to keycloak
• Set my Edit Mode to READ_ONLY
• Set Sync registration ON to enable newly created users to be synced to LDAP store
• I set my Vendor to “Active Directory” as I had earlier stated that I will be making use of my AD user profile
• Set user LDAP attribute to “userPrincipalName”.
• I set my RDN LDAP attribute to “cn”
• Set UUID LDAP attribute to “objectGUID”.  when using active directory UUID attribute is objectGUID.
• Set User Object Classes  “top, person, organizationalPerson, user”, the commas are mandatory.
• Set  Connection URL  to “ldap://ad.test.company.services:3268” replace this with your AD url. Go ahead to test the connection to validate.
• Set your Users DN to this format “OU=Users,OU=test,DC=test,DC=corp”. Users DN refers to the full name of your ADAP tree were your users are.
• Set Bind Type to “simple”. Bind type refers to the type of authentication used during the authentication of LDAP bind operation
• Set Enable StartTLS  “OFF” since I was not encrypting
• Set Bind DN “CN=joiner,OU=Users,OU=arca,DC=arca,DC=corp”. I had initially created a user called to joiner on my AD to use to setup keycloak. So I went ahead to use that user to setup keycloak. You ca. go ahead and use your own credentials to setup. I tried to keep this a generic as possible.
• Set bind credentials. This is the password for the CN joiner user created in AD.

• Set to Custom User LDAP Filter: (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=Software Engineers,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Product,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Settlement,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=Tech Support,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=DevOps,ou=Users,ou=test,dc=test,dc=corp)(memberOf=cn=TechOps,ou=Users,ou=test,dc=test,dc=corp))). Depending on how many groups you have setup on your AD.
• Set  Search Scope  to “One Level”. For one level, the search applies only for users in the DNs specified by User DNs. See LDAP documentation for more details.
• Set Validate Password Policy to “OFF” you can set otherwise if needed.
• Set Trust Email ON. You can set it otherwise if need me.
• Set Use Truststore SP to “Only for ldaps”. This specifies whether LDAP connection will use the truststore configured in standalone.xml/domain.xml. You have three fields from “Always, Never, Only ldap”.  because my connection URL uses ldap hence my choice to use “Only for ldap”.
• Left Connection Timeout empty
• Also left Read Timeout empty
• Set Pagination ON
• Since I was not using Kerberos I left Kerberos Integration default/

Sync Settings

• Set Batch Size  to 1000
• Set Periodic Full Sync  ON
• Set Full Sync Period to 3600
• Set Periodic Changed Users Sync ON
• Set Changed Users Sync Period  to 3600

Cache Settings

• Set Cache Policy to NO_CACHE.

Save your configuration

Choose the synchronize with all users tab.

A new Tab comes up called Mapper.  it is necessary to map user groups on the LDAP server. My next post will show how Mapper configuration will be done.