Adding an LDAP storage provider

Last Updated : Apr 21, 2022

About this task

Connect to an LDAP storage provider to pull a third-party user database to the Configuration Server.

After connecting to an LDAP storage provider, the LDAP users associated with that storage provider must log in to the Configuration Server web portal to become available in the Security App.

Procedure

  1. On the Security App navigation menu, click LDAP Management.
  2. At the top-right corner of the Storage Providers screen, click the Add icon.
  3. In Console Display Name, type the name of the LDAP provider to connect to the Routing Core Server.

    The system administrator can see the provider name on the endpoint Administration menu.

  4. In Vendor, select Active Directory.
  5. In Username LDAP attribute, type an LDAP attribute name for the Keycloak username.

    For example, for Active Directory, you can type sAMAccountName.

  6. In RDN LDAP attribute, type an LDAP attribute name for the user's relative distinguished name.

    For example, for Active Directory, you can type cn.

  7. In UUID LDAP attribute, type an LDAP attribute name for the unique object identifier.

    For example, for Active Directory, you can type objectGUID.

    If your LDAP server does not support a UUID, you can type any unique attribute name.

  8. In User Object Classes, type LDAP object class attributes separated by commas.

    For example, you can type person,organizationalPerson,user.

    Keycloak adds new users to the LDAP database with the configured object classes. When retrieving users from the directory, Keycloak finds only the records that contain all of the specified object classes.

  9. In Connection URL, type the URL of your LDAP server.
  10. To test the connection to the LDAP server, click TEST.

    The test verifies a successful connection to the core LDAP directory. To test the connection to the directory with the required user data, you must fill in the remaining parameters and save the LDAP storage provider configuration.

  11. In Users DN, type the full distinguished name of the parent entry under which the LDAP users reside.

    For example, you can type ou=users,dc=example,dc=com for an LDAP user with the distinguished name uid=John,ou=users,dc=example,dc=com.

  12. In Bind DN, type a distinguished name for Keycloak access to the LDAP server.
  13. In Bind Credential, type the LDAP administrator password.

    You need the password for authentication to the LDAP Active Directory server.

    To pull the administrator password through Vault, you can also type the Vault ID in the ${vault.ID} format.

  14. To test the LDAP authentication with the specified password, click TEST.
  15. In Global Role, select the appropriate global role.

    The Configuration Server assigns all the logged-in LDAP users with the specified global role. You can later change the user's global role from the User Management screen.

  16. In Tenants, select the tenant whose data the LDAP users can access.
  17. At the top-right corner of the screen, click Commit.

    The Configuration Server saves the LDAP storage provider details and redirects you to the Storage Providers screen.
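The following is an added example, not code from the original page or from the product it describes. It models the settings entered in steps 5, 6, 8 and 11 (Username LDAP attribute, RDN LDAP attribute, User Object Classes and Users DN) and shows two things a practitioner usually wants to check before committing the provider: the AND search filter that the comma-separated object classes imply, so that a record missing even one configured class is not imported, and the user DN that results from combining the RDN attribute with the Users DN. The filter shape mirrors the matching rule described in step 8 and is an assumption about the provider's query, not its literal query string; the directory entries and names are constructed sample data, and values are escaped per RFC 4515 (filters) and RFC 4514 (DNs) so that user-supplied input cannot alter the query.

```python
"""Added example: build and evaluate the LDAP user search implied by an
LDAP storage provider configuration. Not the product's own code."""
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used inside a DN."""
    special = ',+"\\<>;'
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class LdapProviderConfig:
    # Defaults are the Active Directory values suggested in the procedure.
    username_ldap_attribute: str = "sAMAccountName"
    rdn_ldap_attribute: str = "cn"
    user_object_classes: str = "person,organizationalPerson,user"
    users_dn: str = "ou=users,dc=example,dc=com"

    def object_classes(self):
        # Step 8: comma-separated list; tolerate stray whitespace.
        return [c.strip() for c in self.user_object_classes.split(",") if c.strip()]

    def user_search_filter(self, username=None):
        # Every configured object class is required (AND), optionally plus a username match.
        parts = ["(objectClass=%s)" % escape_filter_value(c) for c in self.object_classes()]
        if username is not None:
            parts.append("(%s=%s)" % (self.username_ldap_attribute, escape_filter_value(username)))
        return "(&" + "".join(parts) + ")"

    def user_dn(self, rdn_value: str) -> str:
        # Step 6 + step 11: <RDN attribute>=<value>,<Users DN>
        return "%s=%s,%s" % (self.rdn_ldap_attribute, escape_dn_value(rdn_value), self.users_dn)


def entry_matches(entry: dict, cfg: LdapProviderConfig, username=None) -> bool:
    """Evaluate the same AND rule against one in-memory entry (attribute names are case-insensitive)."""
    attrs = {k.lower(): list(v) for k, v in entry.items()}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not all(c.lower() in classes for c in cfg.object_classes()):
        return False
    if username is not None:
        values = [v.lower() for v in attrs.get(cfg.username_ldap_attribute.lower(), [])]
        if username.lower() not in values:
            return False
    return True


# Constructed sample directory: DN -> attributes. Only the first entry carries all three classes.
SAMPLE_DIRECTORY = {
    "cn=Jane Doe,ou=users,dc=example,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
    },
    "cn=svc-backup,ou=users,dc=example,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson"],  # lacks 'user'
        "sAMAccountName": ["svc-backup"],
    },
    "cn=Printer 7,ou=users,dc=example,dc=com": {
        "objectClass": ["top", "device"],
    },
}


def matching_users(directory: dict, cfg: LdapProviderConfig, username=None):
    """Return the sorted DNs the provider would import (or the single user it would look up)."""
    return sorted(dn for dn, entry in directory.items() if entry_matches(entry, cfg, username))


if __name__ == "__main__":
    cfg = LdapProviderConfig()
    print(cfg.user_search_filter())
    print(cfg.user_search_filter("jdoe"))
    print(matching_users(SAMPLE_DIRECTORY, cfg))
    print(cfg.user_dn("Doe, Jane"))
```

Running the script shows that the service account without the `user` class and the printer object are excluded even though they sit under the Users DN, which is the behaviour step 8 describes; if accounts you expect are missing after the import, comparing their `objectClass` values against the configured list is the first check to make.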