Integrating OpenLDAP

Objective

Connect a local OpenLDAP server (running via Docker) to Keycloak, so that users and groups can be read, synced, and authenticated via Keycloak.

Prerequisites

Make sure the following services are running:

We should already have:

• A working docker-compose.yml

• Seeded users and groups via seed-data.ldif

• Admin DN and password (e.g., cn=admin,dc=corp,dc=acme,dc=com)

Refer to the following pages for more details on the setup

Apply LDAP Config

Log into Keycloak Admin Console

1. Open http://localhost:8180

2. Log in as the Keycloak admin user (e.g., admin / admin)

3. Select the target Realm (e.g., master, or create a new one say employee)

Add LDAP User Federation Provider

1. Go to User Federation (left-hand menu)

2. Click Add provider → ldap

Set Configurations

Test the Connection

Use the "Test connection" and "Test authentication" buttons at the bottom of the provider form:

• Test connection: Validates LDAP connectivity

• Test authentication: Confirms bind credentials work

If any test fails, double-check:

• LDAP port (389 open?)

• Bind DN/password

• Network access between Keycloak container and LDAP container

Sync and Verify Users

Click "Synchronize all users" from the LDAP provider settings. This will import all matching users under Users DN into Keycloak.

Sample users available in LDAP (Seeds file)

Fetch Token

Configure LDAP Mappers

By default, Keycloak adds a few LDAP mappers. We can verify and adjust them

We can also add custom mappers for attributes like employeeNumber, title, mobile.

Group Mapping

To map LDAP groups:

1. Click "Add mapper" on the LDAP provider

2. Choose "group-ldap-mapper" as type

Add configurations

Sync Groups

Click on "Sync LDAP Groups with Keycloak" button to sync

Verify Sync Groups in keycloak

LDAP Seed File group declaration