Using OpenLDAP with Keycloak
Learn how to use OpenLDAP as the user store behind Keycloak for improved performance, security, and privacy
Keycloak is an open-source Identity and Access Management (IAM) solution designed to easily secure modern applications and services using standards like OAuth 2.0, OpenID Connect, and SAML 2.0. It provides features such as single sign-on (SSO), social login, and user federation with LDAP/Active Directory. As a CNCF-incubating project, it is widely used to centralize authentication and authorization, allowing developers to manage users, roles, and security policies without building them from scratch.
Configuring Keycloak takes a bit of effort. Once the Keycloak instance is up and you have logged in as admin (see this guide to get started with Keycloak), you need to configure the LDAP provider and its mappers.
Keep in mind that the integration described here is read-only (Edit Mode set to READ_ONLY): Keycloak never writes to OpenLDAP, so users or groups created in Keycloak are not reflected in the directory, and Keycloak cannot change LDAP passwords either. Create users and groups in OpenLDAP instead; they appear in Keycloak after a sync. Roles and permissions, however, are assigned in Keycloak and stored on the Keycloak side, attached to the federated users and groups.
Configure User Authentication
In the Keycloak admin console, go to “User Federation” on the left and add an LDAP provider.
The key settings are:
- Edit Mode: READ_ONLY
- Vendor: Other
- Username LDAP attribute: uid
- UUID LDAP attribute: uid (this only works while every uid is unique and is never renamed; OpenLDAP's operational entryUUID attribute, which is Keycloak's default for vendor Other, survives renames and is the safer choice)
- User Object Classes: person
- Connection URL: ldap://<your-ldap-container>:389 (plaintext is acceptable only on an isolated container network; anywhere else use ldaps://<host>:636 or enable StartTLS, otherwise the bind credential and every password Keycloak verifies cross the network in the clear)
- Users DN: ou=people,dc=example,dc=com (or whatever dc you have)
- Bind Type: simple
- Bind DN: uid=admin,ou=people,dc=example,dc=com (replace with your admin user and dc)
- Bind Credential: your OpenLDAP admin password
Because the provider is READ_ONLY, the bind account only needs read access to the users and groups subtrees. A dedicated service account with read-only slapd ACLs, kept outside ou=people so it is not imported as a user, is preferable to the directory admin: binding as the admin hands full write access to the directory to anyone who compromises Keycloak or its database.
Test the connection and authentication.
In “Advanced Settings”, you can “Query Supported Extensions”, or simply enable “LDAPv3 Password Modify Extended Operation”. With Edit Mode READ_ONLY this setting has no effect, since Keycloak does not update passwords in LDAP; it only matters if you later switch to WRITABLE.
Turn “Pagination” off, unless you have confirmed that your slapd advertises the Simple Paged Results control (OID 1.2.840.113556.1.4.319) under supportedControl in its root DSE, because Keycloak's sync queries use that control when pagination is enabled.
Save the provider.
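Before relying on the provider, it is worth checking it for the weak defaults this walkthrough accepts: a plaintext ldap:// URL, the directory admin as bind account, and uid doing double duty as the UUID attribute. The following Python script is an added example, not code from the original guide or from Keycloak. It lints the component JSON that `kcadm.sh get components -r <realm>` returns for an LDAP provider and runs offline against a constructed copy of this guide's settings and a hardened variant. The config key names are those of Keycloak's component export and should be compared with an export of your own provider; the service-account DN cn=keycloak,ou=services,dc=example,dc=com is hypothetical, and the admin-RDN heuristic is the script's own.

```python
"""Lint a Keycloak LDAP federation component for weak settings (added example,
not code from the guide or from Keycloak). Input is the "config" map of an LDAP
component as exported by `kcadm.sh get components -r <realm>`, where each value
is a one-element list; key names follow that export and should be checked
against your own provider's export."""
from __future__ import annotations

import re

RDN_RE = re.compile(r"^\s*(?P<attr>[A-Za-z][\w-]*)=(?P<val>[^,]+)")
ADMIN_RDN_VALUES = {"admin", "manager", "directory manager"}  # typical root accounts (heuristic)


def _first(cfg: dict, key: str, default: str = "") -> str:
    """Keycloak stores every config value as a one-element list of strings."""
    return str((cfg.get(key) or [default])[0]).strip()


def _norm_dn(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def lint_ldap_component(component: dict) -> list[tuple[str, str, str]]:
    """Return (severity, config key, message) findings for one LDAP component."""
    cfg, out = component.get("config", {}), []

    # 1. Transport: ldap:// without StartTLS sends the bind password and every
    #    user password Keycloak verifies in cleartext.
    urls = _first(cfg, "connectionUrl").split()
    start_tls = _first(cfg, "startTls", "false").lower() == "true"
    for url in urls:
        if url.lower().startswith("ldap://") and not start_tls:
            out.append(("high", "connectionUrl", f"{url} is plaintext and StartTLS is off"))
    tls = start_tls or any(u.lower().startswith("ldaps://") for u in urls)
    if tls and _first(cfg, "useTruststoreSpi", "always").lower() == "never":
        out.append(("medium", "useTruststoreSpi", "TLS is on but the server certificate is never validated"))

    # 2. Bind identity: a READ_ONLY provider needs read access only, so binding as
    #    the directory admin hands full write access to whoever compromises Keycloak.
    bind_dn, users_dn = _first(cfg, "bindDn"), _first(cfg, "usersDn")
    if _first(cfg, "authType", "simple").lower() == "none" or not bind_dn:
        out.append(("low", "bindDn", "anonymous bind; make sure slapd ACLs expose only what Keycloak needs"))
    else:
        m = RDN_RE.match(bind_dn)
        if m and m["val"].strip().lower() in ADMIN_RDN_VALUES:
            out.append(("medium", "bindDn", f"binds as the directory admin ({m['attr']}={m['val'].strip()}); "
                        "use a dedicated read-only service account"))
        if users_dn and _norm_dn(bind_dn).endswith("," + _norm_dn(users_dn)):
            out.append(("low", "bindDn", "bind account sits under usersDn and will be imported as a user; "
                        "keep it in a separate OU"))

    # 3. Identity stability: with uuid == username, renaming a uid in LDAP looks
    #    like a brand-new user to Keycloak and orphans the old one's role mappings.
    uuid_attr = _first(cfg, "uuidLDAPAttribute").lower()
    if uuid_attr and uuid_attr == _first(cfg, "usernameLDAPAttribute").lower():
        out.append(("medium", "uuidLDAPAttribute", f"UUID attribute equals the username attribute "
                    f"({uuid_attr}); OpenLDAP's operational entryUUID is stable across renames"))
    return out


# Constructed sample: this guide's settings as Keycloak would export them.
GUIDE_COMPONENT = {
    "name": "openldap", "providerId": "ldap",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "config": {
        "editMode": ["READ_ONLY"], "vendor": ["other"], "pagination": ["false"],
        "usernameLDAPAttribute": ["uid"], "uuidLDAPAttribute": ["uid"],
        "userObjectClasses": ["person"], "connectionUrl": ["ldap://openldap:389"],
        "usersDn": ["ou=people,dc=example,dc=com"], "authType": ["simple"],
        "bindDn": ["uid=admin,ou=people,dc=example,dc=com"],
    },
}

# Same provider, hardened (the service account DN is hypothetical).
HARDENED_COMPONENT = {
    **GUIDE_COMPONENT,
    "config": {
        **GUIDE_COMPONENT["config"],
        "uuidLDAPAttribute": ["entryUUID"], "useTruststoreSpi": ["always"],
        "connectionUrl": ["ldaps://openldap:636"],
        "bindDn": ["cn=keycloak,ou=services,dc=example,dc=com"],
    },
}

if __name__ == "__main__":
    for name, comp in (("guide", GUIDE_COMPONENT), ("hardened", HARDENED_COMPONENT)):
        print(f"== {name}")
        for sev, key, msg in lint_ldap_component(comp):
            print(f"  [{sev}] {key}: {msg}")
```

To run it against a live instance, load the output of `kcadm.sh get components -r <realm>` with json.load and call lint_ldap_component on every element whose providerId is ldap. The guide's settings produce four findings; the hardened variant produces none, and because the provider is READ_ONLY its service account needs nothing beyond read access to ou=people and ou=groups, granted with slapd access directives.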
Configure Group Mapping
Getting the LDAP groups to be imported into KeyCloak requires one more step:
Go back to “User Federation”, and edit your LDAP integration. At the top, click on the “Mappers” tab.
Find or create the groups mapper, with type group-ldap-mapper. The key settings are:
- LDAP Groups DN: ou=groups,dc=example,dc=com (or whatever dc you have)
- Group Name LDAP Attribute: cn
- Group Object Classes: groupOfUniqueNames
- Membership LDAP Attribute: uniqueMember (the mapper defaults to member, which is the attribute of groupOfNames; with groupOfUniqueNames and the default left in place, the groups import but with no members)
- Mode: READ_ONLY
Save, then sync LDAP groups to KeyCloak, and (from the LDAP integration page) sync the users to KeyCloak as well.
Admin Rights for the LDAP Admin Group
Once the groups are synchronized, go to “Manage > Groups” on the left. Click on ldap_admin, then “Edit”.
Assign the role “admin” to the group (in newer consoles this is the group's “Role mapping” tab). Every current and future member of ldap_admin in OpenLDAP now has full Keycloak administrator rights, so whoever can edit that group in the directory effectively administers Keycloak: restrict write access to ou=groups with slapd ACLs, and remember that with a read-only provider membership changes are made in OpenLDAP and take effect after the next sync. You can now log in to the Keycloak admin console as the OpenLDAP admin, or as any other member of the group.
Fix Duplicate Names or Missing First Names
Since Keycloak and OpenLDAP use different attributes for different parts of a user’s name, you may see duplicated or missing names for users in Keycloak. To fix this, update the attribute mappings:
Go back to “User Federation,” edit your LDAP integration and click on the “Mappers” tab.
Find or create the “first name” mapper (it should have type user-attribute-ldap-mapper) and ensure its “LDAP Attribute” setting is givenName. Keycloak may have defaulted it to cn, which OpenLDAP uses for the full “Display Name” of a user, so first names came out as the whole cn. Check in the same way that the “last name” mapper points at sn.
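The assumptions this whole procedure rests on (one unique uid per user, because uid serves as both username and UUID attribute; givenName and sn present for the name mappers; uniqueMember DNs that actually resolve to users; and a populated ldap_admin group) can be verified against an LDIF export before Keycloak syncs anything. The following Python script is an added example, not part of the original guide: it parses LDIF such as the output of `ldapsearch -x -LLL -b dc=example,dc=com` and reports what it finds, using constructed DN constants and constructed sample entries that deliberately contain a missing givenName, a duplicated uid and a dangling group member. groupOfNames groups (attribute member) are handled alongside groupOfUniqueNames (uniqueMember), and an unrecognised group class falls back to member, which is what Keycloak's mapper defaults to.

```python
"""Pre-flight check of an OpenLDAP tree before pointing Keycloak at it (added
example, not code from the guide). The DN constants and SAMPLE_LDIF below are
constructed; feed it real `ldapsearch -LLL` output to check your own tree."""
import base64
from collections import Counter

USERS_DN = "ou=people,dc=example,dc=com"
GROUPS_DN = "ou=groups,dc=example,dc=com"
ADMIN_GROUP = "ldap_admin"
# Membership attribute per group class; Keycloak's group mapper defaults to "member".
MEMBER_ATTR = {"groupofuniquenames": "uniquemember", "groupofnames": "member"}


def norm_dn(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_ldif(text):
    """Return {normalised dn: {attr(lower): [values]}}; handles folded and base64 lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, record = {}, {}
    for line in unfolded + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if record.get("dn"):
                entries[norm_dn(record["dn"][0])] = record
            record = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        record.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_tree(entries, users_dn=USERS_DN, groups_dn=GROUPS_DN):
    """Return (problems, admin_uids); each problem is (severity, dn, message)."""
    problems, admins = [], []
    users = {dn: e for dn, e in entries.items()
             if dn.endswith("," + norm_dn(users_dn))
             and "person" in [c.lower() for c in e.get("objectclass", [])]}

    # uid is both the username and the "UUID" attribute in this guide, so two
    # entries sharing a uid collapse onto a single Keycloak identity.
    uid_count = Counter(u for e in users.values() for u in e.get("uid", []))
    for dn, e in users.items():
        uids = e.get("uid", [])
        if len(uids) != 1 or uid_count[uids[0]] > 1:
            problems.append(("high", dn, f"uid must be one unique value, got {uids}"))
        for attr in ("givenname", "sn"):
            if attr not in e:
                problems.append(("low", dn, f"no {attr}: the Keycloak name mapper leaves it blank"))

    for dn, e in entries.items():
        if not dn.endswith("," + norm_dn(groups_dn)):
            continue
        classes = [c.lower() for c in e.get("objectclass", [])]
        # Unknown group classes fall back to "member", Keycloak's mapper default.
        member_attr = next((MEMBER_ATTR[c] for c in classes if c in MEMBER_ATTR), "member")
        members = [norm_dn(m) for m in e.get(member_attr, [])]
        for m in members:
            if m not in users:
                problems.append(("medium", dn, f"{member_attr} {m} is not a user under {users_dn}"))
        if e.get("cn", [""])[0].lower() == ADMIN_GROUP:
            admins = [users[m]["uid"][0] for m in members if m in users]

    if not admins:
        problems.append(("high", norm_dn(groups_dn), f"{ADMIN_GROUP} missing or empty"))
    return problems, admins


# Constructed sample: bob has no givenName and a second uid that duplicates
# alice's, and ldap_admin lists a member DN that does not exist.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: alice
cn: Alice Example
givenName: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: bob
uid: alice
cn: Bob Builder
sn: Builder

dn: cn=ldap_admin,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: ldap_admin
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=mallory,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    problems, admins = check_tree(parse_ldif(SAMPLE_LDIF))
    print("Keycloak admins via ldap_admin:", admins)
    for sev, dn, msg in problems:
        print(f"[{sev}] {dn}: {msg}")
```

The admin list it returns is the set of people who will hold the Keycloak admin role after the group sync, which is worth reviewing before that role mapping is created; a dangling uniqueMember is harmless to Keycloak but usually means a stale account that nobody cleaned up.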