LDAP federation
https://www.keycloak.org/docs/latest/server_admin/#_ldap
Keycloak includes an LDAP/AD provider. You can federate multiple different LDAP servers in one Keycloak realm and map LDAP user attributes into the Keycloak common user model.
By default, Keycloak maps the username, email, first name, and last name of the user account, but you can also configure additional mappings. Keycloak's LDAP/AD provider supports password validation using LDAP/AD protocols, and it supports storage, edit, and synchronization modes.
Required LDAP configuration fields
https://dmc.datical.com/administer/configure-keycloak-ldap.htm
In the Add user federation provider section, add the following required settings:
| Tab | Field | Value | Notes |
| --- | --- | --- | --- |
| Settings | Edit Mode | READ_ONLY for users; UNSYNCHED for groups | Be sure to select UNSYNCHED if you are creating a group. |
| Settings | Vendor | Active Directory | The LDAP provider you are using. Ensure that Active Directory is selected for groups to work correctly. |
| Settings | Username LDAP Attribute | username | Attribute that contains the user name. Set this value to username and then configure mappers to designate the desired attribute to map to it. If you want to create a group, select group-ldap-mapper. See the Attribute Mappers section below for more information. |
| Settings | RDN LDAP Attribute | CN | |
| Settings | Connection URL | `ldaps://LDAP_HOST:636` | The connection URL to your LDAP server, usually of this format. Select the Test Connection button to confirm. |
| Settings | Users DN | `CN=users,DC=example,DC=com` | The full DN of the LDAP tree where your users are located; this DN is the LDAP user parent. The example value assumes that a typical user has a DN like `uid=john,ou=users,dc=example,dc=com`. This is not a group DN: you must specify a node that contains users. |
| Settings | Bind type | Simple | |
| Settings | Bind DN | `CN=Administrator,CN=Users,DC=demo,DC=example,DC=com` | DN of the administrative or service user that accesses the information to use. Group example: `OU=test,DC=test,DC=datical,DC=net`. |
| Settings | Bind Credentials | Password of the LDAP admin | Select Test Authentication to test the Bind DN/Bind Credentials pair, and continue if it passes. If it fails, check the Keycloak log for the reason by running `datical-control logs keycloak`. If the reason is "PKIX Path building failed", see the note below on PKIX. |
| Settings | LDAP Filter | Filter value | Used to narrow the full list of users and groups under the Users DN node to just the users and groups you want to import into Keycloak. A filter such as `(mail=*)` includes only users with an email address (excluding service account users); you can also filter on group membership or anything else you need. |
| Settings | Search Scope | Subtree or One Level | If the node listed in Users DN contains nested nodes with users, select Subtree; otherwise select One Level. |
| Settings and Mappers | Other Attributes | Default or as you need | |
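As an added example (not code from Keycloak, Datical or the original post), the following Python helper checks the Users DN, Search Scope and Connection URL values from the table against a few user DNs pulled from the directory, telling you whether One Level is enough or Subtree is needed and whether a given user would fall outside the configured base. All DNs and hostnames in it are constructed sample values.

```python
import re
from urllib.parse import urlparse


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    Attribute names and values are lower-cased so that CN=users,DC=example
    matches cn=Users,dc=Example; commas escaped with a backslash stay inside
    the value rather than starting a new RDN.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def levels_below(user_dn, users_dn):
    """Tree levels that user_dn sits below users_dn, or None if not under it."""
    user, base = parse_dn(user_dn), parse_dn(users_dn)
    if len(user) <= len(base) or user[len(user) - len(base):] != base:
        return None
    return len(user) - len(base)


def required_search_scope(users_dn, sample_user_dns):
    """'One Level' if every sample user is a direct child of Users DN, 'Subtree'
    if any lives in a nested node. A user outside Users DN means the wrong
    base (for example a group DN) was entered, so raise instead of guessing."""
    depths = []
    for dn in sample_user_dns:
        depth = levels_below(dn, users_dn)
        if depth is None:
            raise ValueError(f"{dn} is not under Users DN {users_dn}")
        depths.append(depth)
    return "Subtree" if max(depths) > 1 else "One Level"


def check_connection_url(url):
    """Findings for the Connection URL field; the expected form is ldaps://HOST:636.
    A simple bind over plain ldap:// sends the Bind Credentials in clear unless
    StartTLS is negotiated, so anything but ldaps is reported."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "ldaps":
        findings.append(f"scheme '{parsed.scheme}' is not ldaps; bind password may travel unencrypted")
    if parsed.port not in (None, 636):
        findings.append(f"port {parsed.port} is not the usual LDAPS port 636")
    return findings
```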
Tags: DN, users, Settings, DC, user, LDAP, federation, keycloak. From: https://www.cnblogs.com/lightsong/p/17521285.html