
Connecting Keycloak to Active Directory


Keycloak can federate external user databases. Support for LDAP (including Active Directory) and Kerberos is provided out of the box.

To configure the federation, proceed as follows:

  1. In your Web browser, open the Keycloak user interface: https://localhost:32769

  2. Open the Administration Console.

  3. Log on with the pre-configured user admin and password SealAdmin1.

  4. In the Configure menu on the left, select User Federation to display the entry dialog.

  5. In the drop-down menu, select ldap.

  6. Enter your LDAP configuration according to the following table:

    | Name | Example Value | Comment |
    |---|---|---|
    | Edit Mode | READ_ONLY | Set the LDAP backend to read only |
    | Vendor | Active Directory | Selecting the vendor sets up various attributes automatically |
    | Username LDAP attribute | sAMAccountName | The login user. Default is cn |
    | RDN LDAP attribute | cn | For Active Directory it is common to use cn as RDN |
    | UUID LDAP attribute | objectGUID | For Active Directory the UUID should be objectGUID |
    | User Object Classes | person, organizationalPerson, user | For Active Directory keep the default value |
    | Connection URL | LDAP://<fqdn>:389 | Connection URL of your AD server; for a secure connection use LDAPS://<fqdn>:636 |
    | Users DN | OU=users,DC=example,DC=com | Full DN of the LDAP subtree where your users are |
    | Bind DN | CN=admin,OU=serviceaccounts,DC=example,DC=com | DN of the LDAP admin used to access the LDAP server |
    | Bind Credential | | Password of the LDAP admin configured in Bind DN |
    | Search Scope | Subtree | Search the full tree below Users DN. Default is One Level |

    [Screenshot: Settings for AD]

  7. Save your settings.

    Caution - later changes

    When you save the settings of the user federation for the first time, Keycloak adds mappers for the LDAP settings you entered to the Mappers tab. If you change the settings later, these mappers have to be updated manually; Keycloak does not update them automatically.
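As an added example (not part of this guide and not Keycloak's own code), the same table values expressed as the JSON body Keycloak's Admin REST API accepts for a new user-federation component, with a few pre-flight checks on the values first. The config key names are assumed from Keycloak's LDAP storage provider (check them against your Keycloak version); `ad.example.com` and the bind password are placeholders.

```python
import re
from urllib.parse import urlsplit

# Keycloak keeps every provider config value as a one-element list; key names are assumed from its LDAP provider.
SCOPE_CODES = {"One Level": "1", "Subtree": "2"}
DN_RE = re.compile(r"[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*")  # simple DN shape, no escaped commas

def check_settings(s):
    """Pre-flight the table values; returns (errors, warnings)."""
    errors, warnings = [], []
    scheme = urlsplit(s["Connection URL"]).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        errors.append(f"Connection URL scheme must be ldap or ldaps, got {scheme!r}")
    elif scheme == "ldap":
        warnings.append("cleartext ldap://: the bind password crosses the network unencrypted")
    for key in ("Users DN", "Bind DN"):
        if not DN_RE.fullmatch(s[key]):
            errors.append(f"{key} is not a valid DN: {s[key]!r}")
    if not s.get("Bind Credential"):
        errors.append("Bind Credential is empty")
    if s["Search Scope"] not in SCOPE_CODES:
        errors.append(f"unknown Search Scope {s['Search Scope']!r}")
    return errors, warnings

def ldap_component(s, name="ldap"):
    """Map the UI table to the JSON body for POST /admin/realms/{realm}/components."""
    errors, _ = check_settings(s)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "name": name, "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "editMode": [s["Edit Mode"]], "vendor": ["ad"],
            "usernameLDAPAttribute": [s["Username LDAP attribute"]], "rdnLDAPAttribute": [s["RDN LDAP attribute"]],
            "uuidLDAPAttribute": [s["UUID LDAP attribute"]], "userObjectClasses": [s["User Object Classes"]],
            "connectionUrl": [s["Connection URL"]], "usersDn": [s["Users DN"]],
            "authType": ["simple"], "bindDn": [s["Bind DN"]],
            "bindCredential": [s["Bind Credential"]], "searchScope": [SCOPE_CODES[s["Search Scope"]]],
        },
    }

# Constructed sample mirroring the table above; host and password are placeholders.
SAMPLE = {"Edit Mode": "READ_ONLY", "Username LDAP attribute": "sAMAccountName",
          "RDN LDAP attribute": "cn", "UUID LDAP attribute": "objectGUID",
          "User Object Classes": "person, organizationalPerson, user",
          "Connection URL": "ldaps://ad.example.com:636",
          "Users DN": "OU=users,DC=example,DC=com",
          "Bind DN": "CN=admin,OU=serviceaccounts,DC=example,DC=com",
          "Bind Credential": "<bind-password>", "Search Scope": "Subtree"}
```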


Hint - log file

LDAP errors will be logged in the C:\ProgramData\SEAL Systems\log\seal-keycloak.log file.

Hint - LDAPS

If you use LDAPS, you have to import the following certificates into the Java keystore (cacerts) used by Keycloak:

  • the certificate of the configured LDAP server:

    keytool -import -noprompt -trustcacerts -alias <choose-an-alias> -file <server-certificate-file> -keystore <JRE_HOME>\lib\security\cacerts -storepass changeit
    
  • the root certificate:

    keytool -import -noprompt -trustcacerts -alias <choose-an-alias> -file <root-certificate-file> -keystore <JAVA_HOME>/lib/security/cacerts -storepass changeit
    
    
