dc=tools,dc=anaconda,dc=io. From there we can discern the rest of the tree structure. In this example, we can see that the uid attribute is stored in the users folder, which is stored in the accounts folder.
If you prefer, tools are available to help visualize, navigate, and update your organization's LDAP directory server, such as phpldapadmin, which was used to generate the following view. This provides additional information about the LDAP structure that you can't discern from just looking at the bind credentials, such as the location of groups, which is also stored in the accounts folder.
Use the ldapsearch tool, along with the bind user credentials, to learn details about an individual user based on their user ID. For more information about the ldapsearch tool, see the official documentation.
Gather the information you'll need to configure user federation within Keycloak by running the following command against a known user ID. For example, for the user ID User1, the command would look like this:
Example command return:
Console Display Name
Vendor
Connection URL
Bind User information
Edit Mode: Set to UNSYNCED so you can view and import user information but not have to worry about making unwanted changes to your LDAP server.
Users DN
Username LDAP attribute: From the ldapsearch return. This attribute determines what is displayed as your user's name when they sign into Anaconda. In this example, the username attribute is uid.
RDN LDAP attribute: From the ldapsearch return. Usually, the relative distinguished name (RDN) attribute is the same as the username attribute, but this field may default to something else depending on your vendor.
UUID LDAP attribute: From the ldapsearch return. Your users' unique identifiers (UUID).
User object classes: From the ldapsearch return. Generally, the user object classes field will have more than one entry, separated by a comma.
User LDAP filter: This example filter selects objects with objectClass=person that also have a uid and are in the group cn=grp-anaconda-users. Because users must explicitly be added to the group, unauthorized access is prevented, and license management is simplified. Filters also limit the need to synchronize a large number of objects from LDAP, which helps prevent out-of-memory errors in the auth pod. ldapsearch utilizes regular expressions and is notorious for its complexity. If implemented incorrectly, a custom filter could cause all users to have their access suspended or be functionally disabled.
Test buttons
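The user filter described above, as an added Python example that is not part of the Anaconda page or of Keycloak: it assembles the filter from its three conditions with RFC 4515 value escaping, checks that it is well formed, and evaluates it against constructed sample entries so that a mistyped group DN shows up as zero imported users before the filter is saved in Keycloak. The full group DN, the use of memberOf for membership, and the sample entries are assumptions.

```python
BASE_DN = "dc=tools,dc=anaconda,dc=io"  # base DN given on the page
# Hypothetical full DN of the group: the page names only its cn.
GROUP_DN = f"cn=grp-anaconda-users,ou=groups,ou=accounts,{BASE_DN}"

def escape_filter_value(value):
    """RFC 4515 escaping: keeps a value from altering the filter's structure."""
    return "".join(c if c not in "\\*()\x00" else f"\\{ord(c):02x}"
                   for c in value)

def build_user_filter(object_class="person", required_attr="uid",
                      group_dn=GROUP_DN):
    """AND of object class, presence of uid, and group membership (memberOf assumed)."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({required_attr}=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def filter_is_well_formed(flt):
    """Cheap syntax check: parentheses balance and the filter is one group."""
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")

def matches(entry, object_class="person", required_attr="uid",
            group_dn=GROUP_DN):
    """Evaluate the same three conditions against one entry (attr -> values)."""
    def values(attr):
        return [v.lower() for v in entry.get(attr, [])]
    return (object_class.lower() in values("objectClass")
            and bool(values(required_attr))
            and group_dn.lower() in values("memberOf"))

# Constructed sample entries, not taken from the page.
SAMPLE_ENTRIES = {
    f"uid=user1,ou=users,ou=accounts,{BASE_DN}": {
        "objectClass": ["inetOrgPerson", "person", "top"],
        "uid": ["user1"], "memberOf": [GROUP_DN]},
    f"uid=user2,ou=users,ou=accounts,{BASE_DN}": {      # not in the group
        "objectClass": ["inetOrgPerson", "person", "top"],
        "uid": ["user2"], "memberOf": []},
    f"cn=svc-backup,ou=services,{BASE_DN}": {            # no uid, wrong class
        "objectClass": ["applicationProcess", "top"],
        "memberOf": [GROUP_DN]},
}

def users_that_would_import(entries=SAMPLE_ENTRIES, **conditions):
    """DNs Keycloak would pull in; a mistyped group DN yields an empty list."""
    return sorted(dn for dn, e in entries.items() if matches(e, **conditions))
```

Running the same evaluation against a real ldapsearch export (one dict per entry) before saving the filter catches the "everyone locked out" case the text warns about.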
Use the ldapsearch tool to gather information about your LDAP directory, only this time, look for information pertaining to your organization's groups.
To gather information about groups in your LDAP directory, run the following command against a known group DN:
Name
Mapper Type
LDAP Groups DN: From the ldapsearch return. Provide the distinguished name of the group you would like to map.
Group Name LDAP Attribute: From the ldapsearch return. Enter the attribute that is associated with groups. In this example, the attribute is cn.
Group Object Classes: From the ldapsearch return. This field will often have multiple entries, separated by a comma.
LDAP Filter: In this example, the filter is cn=grp-anaconda-*, which will reach out to the LDAP server and import all groups that begin with cn=grp-anaconda-.
Mode
You must have the jre package installed to complete this procedure.
Copy the truststore.jks file you just generated to the following location:
Open the docker-compose.yml file in your installer directory using your preferred file editor.
Locate the services: keycloak: section of the file and add the following lines:
Here is what your docker-compose.yml file should look like when you are finished adding these lines: