I’ve managed to get Keycloak to work with Flowable and OpenLDAP.
See: Keycloak, Flowable and OpenLDAP (for screenshots, etc.). I’m a new user and can only include one screenshot in a post.
I created a User Federation to OpenLDAP. I unchecked ‘Import Users’ because I don’t want to import users from OpenLDAP. I selected ‘Edit Mode: WRITABLE’ and checked ‘Sync Registrations’ so that user registrations will be created in OpenLDAP.
Note: My Keycloak client is an Angular PWA that uses Authorization Code Flow with PKCE.
There are default LDAP mappers for username, first name, last name, email, creation date and modify date.
I created an LDAP mapper for the ‘password’ (User Model Attribute):
The attribute (userPassword) is created in OpenLDAP; however, the value is not set correctly. If I check ‘Is Binary Attribute’ and then click ‘Save’, I receive the following error:
**Error!** With Binary attribute enabled, the 'Always read value from LDAP' must be enabled too
If I change the User Model Attribute to ‘lastName’, the userPassword attribute is set (to the user’s last name) correctly in OpenLDAP (see below, re plain text password).
I can set the password using the Admin CLI:
```
kcadm.sh set-password -r development --username abby.lee --new-password NoMoreSecrets
```
And the value (userPassword) is set correctly in OpenLDAP.
Related Issues
KEYCLOAK-5383: Creating a federated user via REST API creates an incorrect entry in the CREDENTIAL table
Stian Thorgersen: "Yes, since EditMode is “WRITABLE”, the credential should be written to LDAP. The credential should be saved into DB just if LDAP provider editMode is “UNSYNCED”. So this looks like valid bug."
Marian Rainer-Harbach: … It will only work with plain text password and not if you pass a hashed password.
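The concern running through the post (a ‘password’ user-model mapper writes the raw value into userPassword, whereas the Admin CLI path produces a value OpenLDAP stores hashed) can be checked from an LDIF export of the directory. The script below is an added example, not code from the original post, from Keycloak or from OpenLDAP: it parses an LDIF export, classifies each userPassword as cleartext or as a hashed scheme, and verifies a candidate password against an {SSHA} value the way slapd does. The three LDIF entries, the dc=example,dc=org base DN, the {CRYPT} placeholder and the fixed salt are constructed for the example; abby.lee and NoMoreSecrets are the values from the post.

```python
"""Audit how userPassword values are stored in an OpenLDAP LDIF export.

Added example, not code from the forum post, Keycloak or OpenLDAP.
The LDIF sample, the dc=example,dc=org base DN and the fixed salt are
constructed for the example.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional

# userPassword values that slapd stores hashed start with a "{SCHEME}" prefix.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value as slapd would."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries split by blank lines, '::' means base64."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    unfolded = re.sub(r"\r?\n ", "", text)       # join continuation lines
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value: str) -> str:
    """Return the hash scheme name, or 'cleartext' if there is no scheme prefix."""
    match = SCHEME_RE.match(value)
    if match is None or match.group(1).upper() == "CLEARTEXT":
        return "cleartext"
    return match.group(1).upper()


def audit_passwords(ldif_text: str) -> Dict[str, str]:
    """Map each entry DN to the storage scheme of its userPassword."""
    report: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userPassword", []):
            report[dn] = password_scheme(value)
    return report


def cleartext_dns(ldif_text: str) -> List[str]:
    """DNs whose userPassword is stored without hashing (the mapper's result)."""
    return sorted(dn for dn, scheme in audit_passwords(ldif_text).items()
                  if scheme == "cleartext")


# Constructed sample: one properly hashed entry, one written in clear text
# (what the 'password' user-model mapper produced), one using {CRYPT}.
HASHED_EXAMPLE = ssha_hash("NoMoreSecrets", salt=b"fixedsalt")
SAMPLE_LDIF = f"""dn: uid=abby.lee,ou=people,dc=example,dc=org
uid: abby.lee
userPassword:: {base64.b64encode(HASHED_EXAMPLE.encode("ascii")).decode("ascii")}

dn: uid=plain.user,ou=people,dc=example,dc=org
uid: plain.user
userPassword: NoMoreSecrets

dn: uid=crypt.user,ou=people,dc=example,dc=org
uid: crypt.user
userPassword: {{CRYPT}}$6$constructedsalt$constructedhash
"""

if __name__ == "__main__":
    for dn, scheme in audit_passwords(SAMPLE_LDIF).items():
        print(f"{dn}: {scheme}")
    print("cleartext entries:", cleartext_dns(SAMPLE_LDIF))
    print("abby.lee verifies:", ssha_verify("NoMoreSecrets", HASHED_EXAMPLE))
```

Run it against a real export (for example the output of `slapcat` or an `ldapsearch` of the people subtree, which base64-encodes userPassword with the `::` form) and treat every DN listed by `cleartext_dns` as a finding: those are the entries where the directory would accept the stored value as the password itself, which is what the mapper approach described above produces.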