If you’re running your own OpenLDAP server and using Keycloak for identity and access management, you can integrate them so that Keycloak reads user data directly from LDAP. This guide shows you how to connect OpenLDAP to Keycloak via the User Federation feature.
Prerequisites
Ensure the following setup is in place:
- ✅ Keycloak Admin Console: https://keycloak.maksonlee.com/admin
- ✅ Realm created: maksonlee.com
- ✅ OpenLDAP over LDAPS: ldaps://ldap.maksonlee.com:636
- ✅ LDAP admin DN: cn=admin,dc=maksonlee,dc=com
- ✅ LDAP base DN: ou=people,dc=maksonlee,dc=com
- ✅ LDAP user filter: (employeeType=active)
- ✅ SMTP configured in Realm Settings → Email
1. Log into Keycloak
- Open https://keycloak.maksonlee.com/admin
- Log in with an admin account
- Select the realm maksonlee.com
2. Add LDAP Provider
- Navigate to User Federation
- Click Add LDAP provider
- Fill in the configuration using the table below
| Section | Setting | Value |
|---|---|---|
| General Options | Display Name | OpenLDAP |
| | Vendor | Other |
| Connection and Authentication | Connection URL | ldaps://ldap.maksonlee.com:636 |
| | Enable StartTLS | ❌ Off |
| | Use Truststore SPI | ✅ Always |
| | Connection Pooling | ✅ On |
| | Bind Type | simple |
| | Bind DN | cn=admin,dc=maksonlee,dc=com |
| | Bind Credentials | (LDAP admin password) |
| LDAP Searching and Updating | Edit Mode | ✅ WRITABLE |
| | Users DN | ou=people,dc=maksonlee,dc=com |
| | User LDAP Filter | (employeeType=active) |
| | Username LDAP Attribute | uid |
| | RDN LDAP Attribute | uid |
| | UUID LDAP Attribute | entryUUID |
| | User Object Classes | inetOrgPerson, organizationalPerson |
| | Search Scope | Subtree |
| | Pagination | ✅ On |
| | Referral | ignore |
| Synchronization | Import Users | ✅ On |
| | Sync Registrations | ❌ Off |
| | Remove Invalid Users During Searches | ✅ On |
| | Periodic Full Sync | ❌ Off |
| | Periodic Changed Users Sync | ❌ Off |
| Advanced Settings | LDAPv3 Password Modify Extension | ✅ On |
| | Validate Password Policy | ❌ Off |
| | Trust Email | ✅ On |
3. Save and Sync
- Click Test Connection
- Click Test Authentication
- Click Save
Users matching employeeType=active will be imported.
To sync manually later: go to User Federation → OpenLDAP → Synchronize all users.
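Before relying on Test Connection and the first sync, it helps to confirm from the Keycloak host that the directory actually exposes what the provider settings above expect: that the LDAPS bind works, that the user filter returns entries, and that every returned entry carries the attributes the configured mappers read (uid, mail, givenName, sn) plus the entryUUID used as the UUID attribute. The following pre-flight check is an added example, not part of the original guide or of Keycloak: it parses the LDIF that an ldapsearch against the URL, bind DN, base DN and filter from this guide produces, and reports entries that would import with gaps. The ldapsearch invocation in the docstring and the sample LDIF (three constructed entries, including one that does not match the filter and one with no mail attribute) are assumptions made for the example; no real directory data is involved.

```python
"""Pre-flight check of LDAP entries against the Keycloak provider settings above.

Added example (not from the original guide). Feed it the LDIF output of, for
instance (connection values taken from the guide; -LLL drops comments and
-o ldif-wrap=no keeps each value on one line):

  ldapsearch -LLL -o ldif-wrap=no -H ldaps://ldap.maksonlee.com:636 \\
    -D "cn=admin,dc=maksonlee,dc=com" -W -b "ou=people,dc=maksonlee,dc=com" \\
    "(employeeType=active)" uid mail givenName sn entryUUID employeeType
"""
import base64
import sys
from typing import Dict, List

# Attributes the mappers configured in this guide read from each entry,
# plus the attribute chosen as UUID LDAP Attribute.
REQUIRED = ("uid", "mail", "givenName", "sn", "entryUUID")
USER_FILTER_ATTR, USER_FILTER_VALUE = "employeeType", "active"

# Constructed sample output: alice is fine; bob does not match the filter
# (exercises the check when you dump the whole OU without a filter); carol has
# no mail, so with Trust Email = On she would import without any address the
# password-reset link could be sent to.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=maksonlee,dc=com
uid: alice
mail: alice@maksonlee.com
givenName: Alice
sn: Example
employeeType: active
entryUUID: 0f2f4f0a-1111-2222-3333-444455556666

dn: uid=bob,ou=people,dc=maksonlee,dc=com
uid: bob
mail:: Ym9iQG1ha3NvbmxlZS5jb20=
givenName: Bob
sn: Example
employeeType: disabled
entryUUID: 0f2f4f0a-aaaa-bbbb-cccc-ddddeeeeffff

dn: uid=carol,ou=people,dc=maksonlee,dc=com
uid: carol
givenName: Carol
sn: Example
employeeType: active
entryUUID: 0f2f4f0a-7777-8888-9999-000011112222
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} dicts (dn included).

    Handles base64 values ("attr:: ...") and folded continuation lines that
    start with a single space, which ldapsearch emits unless -o ldif-wrap=no.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # re-join a folded line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def check_entries(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return {dn: [problems]} for entries Keycloak could not import cleanly."""
    problems: Dict[str, List[str]] = {}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        issues = []
        if USER_FILTER_VALUE not in entry.get(USER_FILTER_ATTR, []):
            issues.append(f"does not match ({USER_FILTER_ATTR}={USER_FILTER_VALUE})")
        for attr in REQUIRED:
            if not entry.get(attr):
                issues.append(f"missing {attr}")
        if len(entry.get("uid", [])) > 1:
            issues.append("multi-valued uid (username/RDN attribute must be single-valued)")
        if issues:
            problems[dn] = issues
    return problems


if __name__ == "__main__":
    # Read LDIF from a pipe, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    found = check_entries(parse_ldif(data))
    for dn, issues in found.items():
        print(f"{dn}: {'; '.join(issues)}")
    sys.exit(1 if found else 0)
```

Pipe the ldapsearch output into the script and fix any reported entry in the directory before saving the provider; otherwise Remove Invalid Users During Searches and the read-only mappers below will surface the same gaps one login at a time. If ldapsearch over LDAPS succeeds but Keycloak's Test Connection fails, the difference is usually the truststore: with Use Truststore SPI set to Always, the CA that signed the LDAP server certificate must be present in the truststore Keycloak is configured with, not only in the host's system CA bundle.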
4. Prevent Profile Edits (Email, Name, Username)
A. Set LDAP Mappers to Read-Only
- Go to User Federation → OpenLDAP → Mappers
- Update these mappers:
| Mapper | LDAP Attribute | Read-Only | Always Read |
|---|---|---|---|
| email | mail | ✅ | ✅ |
| first name | givenName | ✅ | ✅ |
| last name | sn | ✅ | ✅ |
| username | uid | ✅ | ✅ |
B. Lock Fields in User Profile
- Navigate to Realm Settings → User Profile in the Keycloak Admin Console
- In the Attributes section, locate each attribute you want to lock: email, firstName, lastName, username
- Click Edit for each one
- Under Permissions → Who can edit?: uncheck “User” and keep “Admin” checked ✅
- Click Save
5. Enable Self-Service Password Reset
To allow users to reset their LDAP password:
- Go to Realm Settings → Login
- Enable Forgot Password
With SMTP configured and the LDAPv3 Password Modify Extension enabled, users will receive a reset link and update their password directly in LDAP via Keycloak.