keycloak LDAP federation

Published: 2023-07-02 20:05:42 Author: lightsong

LDAP federation

https://www.keycloak.org/docs/latest/server_admin/#_ldap

Keycloak includes an LDAP/AD provider. You can federate multiple different LDAP servers in one Keycloak realm and map LDAP user attributes into the Keycloak common user model.

By default, Keycloak maps the username, email, first name, and last name of the user account, but you can also configure additional mappings. Keycloak's LDAP/AD provider supports password validation using LDAP/AD protocols and storage, edit, and synchronization modes.


Required LDAP configuration fields

https://dmc.datical.com/administer/configure-keycloak-ldap.htm

In the Add user federation provider section, add the following required settings:

Each entry lists the Tab / Field, then the Value and Notes columns of the original table.

Settings / Edit Mode
  Value: READ_ONLY (Users); UNSYNCHED (Groups)
  Notes: Be sure to select UNSYNCHED if you are creating a group.

Settings / Vendor
  Value: Active Directory
  Notes: The LDAP provider you are using. Ensure that Active Directory is selected for Groups to work correctly.

Settings / Username LDAP Attribute
  Value: Attribute that contains the user name.
  Notes: Set this value to username and then configure mappers to designate the desired attribute to map to it. If you want to create a group, select group-ldap-mapper. See the Attribute Mappers section below for more information.

Settings / RDN LDAP Attribute
  Value: CN

Settings / Connection URL
  Value: The connection URL to your LDAP server.
  Notes: Usually of the following format: ldaps://LDAP_HOST:636. Select the Test Connection button to confirm.

Settings / Users DN
  Value: The full DN of the LDAP tree where your users are located.
  Notes: This DN is the LDAP user parent. Example: it would be CN=users,DC=example,DC=com assuming that your typical user has a DN like uid=john,ou=users,dc=example,dc=com. This is not a group DN; you must specify a node that contains users.

Settings / Bind type
  Value: Simple

Settings / Bind DN
  Value: DN of the administrative or service user that accesses the information to use.
  Notes: Example: CN=Administrator,CN=Users,DC=demo,DC=example,DC=com. Group example: OU=test,DC=test,DC=datical,DC=net

Settings / Bind Credentials
  Value: Password of the LDAP admin
  Notes: Select Test Authentication to test the Bind DN/Bind Credential pair. Continue if it passes.
    • If it fails, check the Keycloak log to find the reason. Run the following command: datical-control logs keycloak
    • If the reason is PKIX Path building failed, see the note below on PKIX

Settings / LDAP Filter
  Value: Filter value
  Notes: Used to filter the full list of users and groups in the "Users DN" node to just the users and groups you want to import into Keycloak.
    • Can use a filter like (mail=*) to only include users with an email address (excludes service account users)
    • Can filter based on groups or anything else you need

Settings / Search Scope
  Value: Subtree or One Level
  Notes: If the node listed in "Users DN" contains nested nodes with users, select "Subtree". Otherwise select "One Level".

Settings and Mappers / Other Attributes
  Value: Default or as you need
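The Users DN, Search Scope, Connection URL and LDAP Filter rows are the ones most often set wrong, and a mistake there either imports nobody or imports accounts you did not intend. The Python below is an added example, not code from Keycloak or from the Datical guide: it parses DNs in the form the table uses, checks whether a sample user entry would be found under a Users DN for One Level versus Subtree scope, flags a Connection URL that does not use ldaps://, and builds a filter value with RFC 4515 escaping so that a CN containing parentheses or an asterisk cannot change the filter's structure. The function names, DNs, host names and the group and account names are constructed sample values; the check that the filter begins with "(" and ends with ")" reflects the requirement stated in Keycloak's help text for that field.

```python
"""Added example, not from Keycloak or the Datical guide: sanity checks for the
LDAP provider fields in the table (Users DN / Search Scope, Connection URL,
LDAP Filter). All DNs, hosts and names below are constructed sample values."""
import re
from urllib.parse import urlsplit


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, leftmost first. Commas escaped with a
    backslash stay inside the value; types and values are lowercased because
    LDAP compares CN=Users and cn=users as the same RDN (a simplification:
    real DN matching depends on the attribute's matching rule)."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        typ, sep, val = rdn.partition('=')
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def entry_matches_scope(entry_dn, users_dn, scope):
    """True if a search rooted at users_dn returns entry_dn.
    scope is 'one' (One Level: direct children only) or 'sub' (Subtree)."""
    entry, base = parse_dn(entry_dn), parse_dn(users_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False            # entry is not below the Users DN at all
    depth = len(entry) - len(base)
    return depth == 1 if scope == 'one' else True


def check_connection_url(url):
    """Return a list of findings for the Connection URL field (empty = fine)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != 'ldaps':
        findings.append(f"scheme {parts.scheme!r}: bind password and user data "
                        "would cross the network unencrypted; use ldaps://")
    if parts.port is None:
        findings.append("no explicit port; the guide's form is ldaps://LDAP_HOST:636")
    return findings


# RFC 4515 escaping for values placed inside a filter assertion.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_user_filter(require_mail=True, member_of=None, exclude_cns=()):
    """Compose the LDAP Filter field: (mail=*) keeps only entries with an e-mail
    address, member_of restricts the import to one group, exclude_cns drops
    named accounts (a service account that happens to have a mailbox)."""
    parts = []
    if require_mail:
        parts.append('(mail=*)')                      # presence filter, * kept literal
    if member_of:
        parts.append(f'(memberOf={escape_filter_value(member_of)})')
    for cn in exclude_cns:
        parts.append(f'(!(cn={escape_filter_value(cn)}))')
    if not parts:
        return ''
    return parts[0] if len(parts) == 1 else '(&' + ''.join(parts) + ')'


def validate_filter(flt):
    """Keycloak's help for the field says the filter must start with '(' and end
    with ')'; an empty value means no extra filter. Also reject unbalanced
    parentheses, which would make every sync fail at the LDAP server."""
    if flt == '':
        return True
    if not (flt.startswith('(') and flt.endswith(')')):
        return False
    depth = 0
    for c in flt:
        if c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == '__main__':
    users_dn = 'ou=users,dc=example,dc=com'          # constructed, as in the guide's example
    nested = 'uid=amy,ou=contractors,ou=users,dc=example,dc=com'
    print('One Level finds nested user:', entry_matches_scope(nested, users_dn, 'one'))
    print('Subtree finds nested user:  ', entry_matches_scope(nested, users_dn, 'sub'))
    print(check_connection_url('ldap://ldap.example.com'))
    flt = build_user_filter(member_of='CN=keycloak-users,OU=groups,DC=example,DC=com',
                            exclude_cns=['svc (backup)'])
    print(flt, validate_filter(flt))
```

The scope check is the one to run when a sync imports fewer users than expected: a Users DN that holds sub-OUs with people in them needs Subtree, exactly as the Search Scope row says. The escaping matters whenever a filter value comes from somewhere other than the administrator's keyboard, because an unescaped "*" or ")" in a name silently widens or breaks the search.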