Let's now configure an existing realm to use our new LDAP server. This is done from the User Federation menu on the left-hand side of the Keycloak admin console, then Add Provider --> ldap. A sample configuration is as follows:
(screenshots: addldap1, addldap2)
The sample configuration makes Keycloak use the OpenLDAP server as its user base, with the synchronization policy defined under Sync Settings. To force a synchronization, use the Synchronize all users button on that page. Because the sample LDAP user entries contain title and photo attributes, LDAP mappers of type user-attribute-ldap-mapper must be defined in Keycloak. The Mappers tab on the same page:
(screenshots: addldap3, addldap4)
The same mappings must also be defined for the client that was created, so that these user attributes are returned by the /userinfo endpoint. This is done on the client definition page, under the Mappers tab, with the Create button:
(screenshot: userinfo2)
Roles
Roles and scopes are used to classify and control access to resources. A resource server can use roles and scopes to decide whether a request to access a resource (an API call) is authorized. For this project we use only LDAP-based roles for authorization, not scopes.
To use LDAP as the source of role definitions, add a new LDAP mapper of type role-ldap-mapper under the LDAP User Federation setting defined above. A sample configuration that applies to our pre-defined user database is as follows:
(screenshot: addldaproles)
Clicking `Sync LDAP Roles To Keycloak` adds the LDAP group names as roles to the realm-level role list, as per the sample configuration above, and the LDAP-based user-role assignments take effect:
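The same user federation, attribute mappers and role mapper can be created with the Keycloak Admin REST API instead of the console; the following is an added example, not part of the original page, that builds the component payloads (the LDAP host, DNs, bind credential, the jpegPhoto attribute for the photo mapping and the groupOfNames/member group schema are assumptions to adjust for your directory):

```python
"""Build Keycloak Admin REST component payloads for an OpenLDAP user
federation plus user-attribute and role mappers (hypothetical values)."""
import json
import urllib.request

LDAP_PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
MAPPER_PROVIDER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"


def _cfg(**kv):
    # Component config values are lists of strings in the Admin REST model.
    return {k: [str(v)] for k, v in kv.items()}


def ldap_provider(name, url, users_dn, bind_dn, bind_pw):
    """Read-only OpenLDAP provider; inetOrgPerson users keyed by uid (assumed)."""
    return {"name": name, "providerId": "ldap", "providerType": LDAP_PROVIDER_TYPE,
            "config": _cfg(enabled="true", editMode="READ_ONLY", vendor="other",
                           connectionUrl=url, usersDn=users_dn, authType="simple",
                           bindDn=bind_dn, bindCredential=bind_pw,
                           usernameLDAPAttribute="uid", rdnLDAPAttribute="uid",
                           uuidLDAPAttribute="entryUUID",
                           userObjectClasses="inetOrgPerson, organizationalPerson",
                           importEnabled="true", syncRegistrations="false")}


def attribute_mapper(parent_id, model_attr, ldap_attr, binary=False):
    """user-attribute-ldap-mapper, e.g. title -> title, photo -> jpegPhoto (assumed)."""
    return {"name": f"{model_attr}-mapper", "providerId": "user-attribute-ldap-mapper",
            "providerType": MAPPER_PROVIDER_TYPE, "parentId": parent_id,
            "config": _cfg(**{"user.model.attribute": model_attr,
                              "ldap.attribute": ldap_attr, "read.only": "true",
                              "always.read.value.from.ldap": "true",
                              "is.mandatory.in.ldap": "false",
                              "is.binary.attribute": str(binary).lower()})}


def role_mapper(parent_id, roles_dn):
    """role-ldap-mapper: LDAP groups (groupOfNames/member, assumed) become realm roles."""
    return {"name": "ldap-roles", "providerId": "role-ldap-mapper",
            "providerType": MAPPER_PROVIDER_TYPE, "parentId": parent_id,
            "config": _cfg(**{"roles.dn": roles_dn, "role.name.ldap.attribute": "cn",
                              "role.object.classes": "groupOfNames",
                              "membership.ldap.attribute": "member",
                              "membership.attribute.type": "DN", "mode": "READ_ONLY",
                              "user.roles.retrieve.strategy": "LOAD_ROLES_BY_MEMBER_ATTRIBUTE",
                              "use.realm.roles.mapping": "true"})}


def create_component(base, realm, token, payload):
    """POST a component; Keycloak returns the new id in the Location header."""
    req = urllib.request.Request(f"{base}/admin/realms/{realm}/components",
                                 data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"].rsplit("/", 1)[-1]
```

Create the provider first, then pass the returned id as `parent_id` to the mappers; a sync run (Synchronize all users / Sync LDAP Roles To Keycloak) is still needed afterwards.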