Synchronize user with LDAP

Description

In this tutorial you will learn how to configure OnSphere to use an LDAP server as the source of its users.

We will connect to an LDAP server and import its users and groups into Keycloak.

Steps

1. Add the certificate

  • LDAP using a certificate issued by a public CA (not self-signed)

    1. Open the /modules/keycloak/keycloak-1/module.keycloak file.

    2. Set the includeSystemCA flag to true.

  • LDAP using a self signed certificate

    1. In the configuration, create the certs/external folder if it doesn’t exist.

    2. Add the CA certificate, in PEM format, to certs/external.

  1. Push the new configuration.

  2. Restart the Keycloak module.

2. Configure the server

  • With the Keycloak front-end (recommended, because it makes testing easier)

    1. Access the Keycloak administration console https://{stack_ip}:{stack_port}/auth/admin (for example https://stack-1.onsphere.local:5000/auth/admin).

    2. Login to Keycloak administration console using administration user and password configured when the stack was deployed (see System security).

    3. Go to the User Federation menu.

    4. Select Ldap in the Add provider menu.

    5. Fill in the required fields.

    Note

    The Test connection button only checks whether the server is reachable; the certificate is not used. It is a simple ping. The Test authentication button opens a full connection to the server using the provided certificate and checks whether the bind user can be authenticated.

    [Image: ldap-required.png]

    6. The options under Sync Settings can be used to enable the automatic synchronization of users.

    [Image: ldap-sync.png]

    7. Click Save.

    8. A new Mappers tab has appeared at the top of the page. The mappers are used to fill in the attributes of the Keycloak users.

    Warning

    The default LDAP attribute used by a mapper might not be the one used by your LDAP. If you plan to use the groups defined in the LDAP for rights, you need to create a group-ldap-mapper. If you define a Groups Path, that group must be created first.

    [Images: ldap-mappers.png, ldap-group-mapper.png]

    9. Once everything is working properly, you can export the configuration and integrate it into the OnSphere configuration.

    • Go to the Export menu on the left and click Export.

    • In the downloaded file, search for org.keycloak.storage.UserStorageProvider.

    • Copy the federations.

    • Open or create the /modules/keycloak/keycloak-1/federations.keycloak file.

    • Add the following content if missing

      {
        "federations": []
      }
      
    • Add the copied federations to the list.

    • Remove every id field (including those of the mappers) to avoid conflicts with ids already present in Keycloak.
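    The extract, strip-ids and merge steps above can be scripted. The following is an added example, not OnSphere or Keycloak code; it assumes the realm export stores federations under components → org.keycloak.storage.UserStorageProvider with mappers in subComponents, that the admin-console export masks the bind password as a run of asterisks, and it works on a constructed sample export.

```python
from __future__ import annotations
import json
from typing import Any

PROVIDER_TYPE = "org.keycloak.storage.UserStorageProvider"
MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"

# Constructed sample of a realm export, reduced to the keys this script reads.
SAMPLE_EXPORT = json.dumps({"realm": "onsphere", "components": {PROVIDER_TYPE: [{
    "id": "00000000-0000-4000-8000-000000000001", "name": "corp-ldap",
    "providerId": "ldap",
    "config": {"connectionUrl": ["ldaps://ldap.example.com"],
               "bindCredential": ["**********"]},  # masked by the export (assumed)
    "subComponents": {MAPPER_TYPE: [{
        "id": "00000000-0000-4000-8000-000000000002", "name": "groups",
        "providerId": "group-ldap-mapper",
        "config": {"groups.dn": ["ou=groups,dc=example,dc=com"]}}]}}]}})


def strip_ids(node: Any) -> Any:
    """Copy of node with every 'id' key removed, at any depth (mappers included)."""
    if isinstance(node, dict):
        return {k: strip_ids(v) for k, v in node.items() if k != "id"}
    if isinstance(node, list):
        return [strip_ids(v) for v in node]
    return node


def extract_federations(export_text: str) -> list[dict]:
    """User-storage federations from a realm export, with all ids stripped."""
    components = json.loads(export_text).get("components", {})
    return [strip_ids(fed) for fed in components.get(PROVIDER_TYPE, [])]


def masked_bind_credentials(federations: list[dict]) -> list[str]:
    """Names of federations whose bind password was masked and must be re-entered."""
    names = []
    for fed in federations:
        cred = fed.get("config", {}).get("bindCredential", [""])[0]
        if cred and set(cred) == {"*"}:
            names.append(fed["name"])
    return names


def merge_federations(existing_text: str, new_feds: list[dict]) -> dict:
    """Merge federations into federations.keycloak content, creating the list if missing."""
    data = json.loads(existing_text) if existing_text.strip() else {}
    data.setdefault("federations", [])
    present = {fed.get("name") for fed in data["federations"]}
    for fed in new_feds:
        if fed.get("name") in present:
            raise ValueError(f"federation {fed['name']!r} already in file")
        data["federations"].append(fed)
    return data
```

Run it with `merge_federations(open("federations.keycloak").read(), extract_federations(open("export.json").read()))` and dump the result with json.dumps; any name returned by masked_bind_credentials needs its bindCredential set by hand before pushing the configuration.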

  • With the configuration file

    1. Copy the complete osp-keycloak federation file.

    2. Add its content to the /modules/keycloak/keycloak-1/federations.keycloak file.

    3. Update the file based on your LDAP configuration.

    4. Push the configuration.

    5. Check Keycloak logs to see if there are any errors.

    6. If necessary modify the configuration to fix the errors.

    7. Access the Keycloak administration console https://{stack_ip}:{stack_port}/auth/admin (for example https://stack-1.onsphere.local:5000/auth/admin).

    8. Login to Keycloak administration console using administration user and password configured when the stack was deployed (see System security).

    9. Check that the groups and users have been created properly.